The cloud surely creates a governance risk, but risk should always be considered in an incremental context.
If users are satisfied with the governance tools and policies they use in the data center, ask these two questions before you extend governance to the cloud:
- Are the current practices used incompatible with cloud deployments?
- Does the cloud pose risks that aren't applicable to the current on-premises environment and, therefore, not managed by existing practices?
To address these questions, look at the issues from the bottom up for extension risks and from the top down for new ones.
The cloud will expose holes in a company's current governance when it extends those practices and tools to the cloud. Since those holes are often missed, it's essential to approach governance extension from both ends -- it gives users two shots to get it right.
Address bottom-up extension risks
Logging is a major tool in cloud governance. Organizations use logs to review different aspects of applications, systems and data usage. Users analyze the information within each log type and across categories to get a bigger picture of security and compliance. Data center logging is widely used and can be standardized easily across all applications, but that's not the case in the cloud.
Application-level logging is often the same in both the data center and the cloud, as long as there's not a special application version for cloud use. Logging for database usage -- as well as system and network activity -- will depend on what the cloud provider exposes and how it's exposed. Thus, if users base their governance at all on log analysis, they must validate those logging practices in the cloud.
Consider cloud application monitoring if you can't invoke logging directly from the underlying components. The major public cloud providers and third-party vendors -- such as AppDynamics, New Relic and Splunk -- offer their own app monitoring services. Monitoring can fill gaps in application logging for enterprises. The correlation of cloud and application logs may contribute to a more complete picture of the environments; blind spots are not good things for compliance.
Address new, top-down risks
Logging can also address some of the cloud governance issues. For example, different international regulations may apply, depending on where cloud resources reside or where an application is used. As a result, it can be difficult to determine whether the workloads have exposed the company to new jurisdictions and rules. Verify that the cloud logs supply the location and identification of hosting and data storage facilities. Users should be aware of regulations in any new jurisdictions their data may move into.
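The jurisdiction check described above, as an added example that is not part of the original article: it reads a batch of cloud audit records, flags any record that does not state where the data or workload is hosted (so jurisdiction cannot be proven), and flags any record whose region is outside the set governance has approved. The JSON-lines format, the field names and the approved-region list are assumptions for illustration, not any provider's actual log schema.

```python
"""Check that cloud audit log records name the hosting/storage location and
that every location falls inside the jurisdictions the organisation has
approved. Added example; record format and field names are assumptions."""
import json
from collections import defaultdict

# Jurisdictions approved by governance (assumed policy values).
APPROVED_REGIONS = {"eu-west-1", "eu-central-1"}

# Constructed sample records in a JSON-lines style; field names are assumptions.
# The second record is a replication into a region outside policy; the last
# record omits its region entirely.
SAMPLE_LOG = """\
{"ts": "2024-03-01T10:00:00Z", "service": "objectstore", "action": "PutObject", "bucket": "finance-reports", "region": "eu-west-1"}
{"ts": "2024-03-01T10:00:05Z", "service": "objectstore", "action": "Replicate", "bucket": "finance-reports", "region": "us-east-1"}
{"ts": "2024-03-01T10:00:09Z", "service": "compute", "action": "StartInstance", "instance": "web-7", "region": "eu-central-1"}
{"ts": "2024-03-01T10:00:12Z", "service": "compute", "action": "StartInstance", "instance": "web-8"}
"""


def check_jurisdictions(log_text, approved=APPROVED_REGIONS):
    """Return a dict of findings keyed by category:
    'missing_location'  - records with no region field (cannot prove jurisdiction)
    'unapproved_region' - records placing data or workloads outside approved regions
    'regions_seen'      - every region observed, with a count of records"""
    findings = {
        "missing_location": [],
        "unapproved_region": [],
        "regions_seen": defaultdict(int),
    }
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        region = rec.get("region")
        if region is None:
            # A record that cannot be placed is a compliance gap in itself.
            findings["missing_location"].append(rec)
            continue
        findings["regions_seen"][region] += 1
        if region not in approved:
            findings["unapproved_region"].append(rec)
    findings["regions_seen"] = dict(findings["regions_seen"])
    return findings


if __name__ == "__main__":
    result = check_jurisdictions(SAMPLE_LOG)
    for category in ("missing_location", "unapproved_region"):
        for rec in result[category]:
            print(f"{category}: {rec}")
    print("regions seen:", result["regions_seen"])
```

The "regions seen" summary is the part worth keeping over time: a region that appears for the first time is the signal that a workload or replica has moved into a jurisdiction nobody has reviewed yet.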
Security is another top-down challenge in the cloud. As a part of their cloud governance model, enterprises rely on data centers since they're physically secure. However, companies no longer have physical control over the devices when data is stored in the cloud. This setup requires additional protection, such as certification from the cloud provider or perhaps a technical process, such as storage encryption. Perform a compliance audit to verify the measures are satisfactory.
Users will need to review the network security measures when they move data off premises. Addresses are the typical means to control access to cloud-based information and applications. Cloud providers differ in how they assign resource addresses and how the addresses change during a failover or scaling. These practices will have to be factored into existing policies for firewalls and access control lists (ACLs). Otherwise, users may accidentally bar legitimate access or permit misuse.
Keep tabs on the inventory across environments
Use an asset inventory application to enforce data usage and access controls in or out of the cloud. Such an application will find exposed application APIs and provide a report, which can then be compared with a reference list of applications that should be exposed. Admins can use this information to manage firewalls, ACLs and other tools. Since these inventory applications will verify network addresses, they can also validate any access control and firewall settings to ensure the addition of cloud environments doesn't accidentally open any doors for misuse.
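The two checks the inventory application is described as performing, as an added example that is not the article's own or any vendor's code: an inventory scan (constructed here) is compared with a reference list of which APIs each role may expose, and the address-based ACL rules are compared with the addresses the cloud currently assigns, which also covers the failover and scaling concern raised in the previous section. The inventory structure, the naming convention used to derive a role, the reference list and the rule format are all assumptions for illustration.

```python
"""Compare an asset inventory scan with the reference list of APIs that
should be exposed, and check address-based firewall/ACL rules against the
addresses the cloud currently assigns. Added example; data structures,
naming convention and rule format are assumptions."""
import ipaddress

# Constructed inventory as a scanner might report it: resource name, the
# address the provider currently assigns, and the endpoints reachable.
INVENTORY = [
    {"name": "web-1", "address": "10.20.0.11", "exposed": ["/api/orders", "/health"]},
    {"name": "web-2", "address": "10.20.0.14", "exposed": ["/api/orders", "/health", "/admin"]},
    {"name": "db-1", "address": "10.20.1.5", "exposed": ["tcp/5432"]},
]

# Reference list: which endpoints each role is allowed to expose (assumed policy).
REFERENCE = {
    "web": {"/api/orders", "/health"},
    "db": set(),  # the database must not be reachable from outside its tier
}

# ACL rules written against addresses (assumed format). web-2 was replaced
# during scaling: it used to be 10.20.0.12, so that rule is now stale and
# the new address 10.20.0.14 has no rule at all.
ACL_RULES = [
    {"action": "allow", "dst": "10.20.0.11", "port": 443},
    {"action": "allow", "dst": "10.20.0.12", "port": 443},
    {"action": "allow", "dst": "10.20.1.0/24", "port": 5432, "src": "10.20.0.0/24"},
]


def role_of(name):
    """Derive the role from the resource name prefix (assumed naming convention)."""
    return name.split("-")[0]


def unexpected_exposure(inventory=INVENTORY, reference=REFERENCE):
    """Return (resource, endpoint) pairs that are exposed but absent from the
    reference list; a role missing from the reference list may expose nothing."""
    findings = []
    for res in inventory:
        allowed = reference.get(role_of(res["name"]), set())
        for endpoint in res["exposed"]:
            if endpoint not in allowed:
                findings.append((res["name"], endpoint))
    return findings


def acl_drift(acl_rules=ACL_RULES, inventory=INVENTORY):
    """Return (stale, uncovered):
    stale     - allow rules whose destination matches no current address, left
                over from addresses the provider has since reassigned
    uncovered - resources whose current address no allow rule mentions, so
                legitimate access would be blocked"""
    addresses = {ipaddress.ip_address(r["address"]): r["name"] for r in inventory}
    stale, covered = [], set()
    for rule in acl_rules:
        if rule["action"] != "allow":
            continue
        network = ipaddress.ip_network(rule["dst"], strict=False)
        matched = [name for addr, name in addresses.items() if addr in network]
        if not matched:
            stale.append(rule)
        covered.update(matched)
    uncovered = [name for name in addresses.values() if name not in covered]
    return stale, uncovered


if __name__ == "__main__":
    for name, endpoint in unexpected_exposure():
        print(f"unexpected exposure: {name} exposes {endpoint}")
    stale, uncovered = acl_drift()
    for rule in stale:
        print(f"stale rule (address no longer assigned): {rule}")
    for name in uncovered:
        print(f"no allow rule covers current address of {name}")
```

Both lists matter: a stale rule that still allows an address the provider may hand to someone else is the "accidentally open door", and an uncovered resource is the "accidentally barred legitimate access" the article warns about.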
Governance is about compliance and security, so logging and monitoring are critical. Make sure that the usual application-level logging is enabled and that all events in the logs are accurately timestamped to permit correlation across multiple logs. If containers or functions are used, ensure that the cloud provider logs are sufficient for the current governance requirements and provide billing correlation and compliance jurisdiction proof.
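The timestamp requirement above, as an added example that is not part of the original article: three constructed log sources (an application log with an explicit UTC offset, a provider log in UTC, and a legacy syslog-style line with no zone at all) are normalised to UTC and joined on a request id, and each group is checked for whether its events fall within a plausible window. A source that emits no time zone is flagged rather than silently trusted, since its events cannot be placed reliably against the others. The line formats and the `req=` field are assumptions for illustration.

```python
"""Normalise timestamps from several log sources to UTC and correlate events
across them. Added example; log line formats are constructed and the
request-id field is an assumption."""
import re
from datetime import datetime, timedelta, timezone

# Constructed lines from three sources. The app log carries an explicit offset,
# the provider audit log is UTC ('Z'), and the legacy syslog line has no zone.
APP_LOG = [
    "2024-03-01T12:00:03+02:00 INFO req=abc123 user=alice action=export_report",
    "2024-03-01T12:00:10+02:00 WARN req=def456 user=bob action=export_report status=403",
]
CLOUD_LOG = [
    "2024-03-01T10:00:04Z objectstore GetObject bucket=finance-reports req=abc123",
    "2024-03-01T10:00:11Z objectstore GetObject bucket=finance-reports req=ghi789",
]
LEGACY_LOG = [
    "Mar  1 10:00:05 proxy allow dst=10.20.1.5 req=abc123",
]

ISO_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:Z|[+-]\d{2}:\d{2}))\s")
SYSLOG_RE = re.compile(r"^([A-Z][a-z]{2})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2})\s")


def parse_ts(line, assumed_year=2024):
    """Return (utc_datetime, zone_known). A syslog-style stamp carries no zone
    (and no year), so it is assumed UTC and reported with zone_known=False:
    such a source cannot be correlated reliably until it emits a zone."""
    m = ISO_RE.match(line)
    if m:
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        return ts.astimezone(timezone.utc), True
    m = SYSLOG_RE.match(line)
    if m:
        stamp = f"{assumed_year} {m.group(1)} {m.group(2)} {m.group(3)}"
        ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
        return ts.replace(tzinfo=timezone.utc), False
    raise ValueError(f"unrecognised timestamp: {line!r}")


def correlate(sources, window=timedelta(seconds=5)):
    """Group events by request id across all sources, then check that every
    event in a group falls within `window` of the earliest one.
    Returns {req: {'events': [(iso_ts, source), ...],
                   'consistent': bool, 'untrusted_zone': bool}}."""
    groups = {}
    for source, lines in sources.items():
        for line in lines:
            m = re.search(r"req=(\w+)", line)
            if not m:
                continue
            ts, zone_known = parse_ts(line)
            groups.setdefault(m.group(1), []).append((ts, source, zone_known))
    result = {}
    for req, events in groups.items():
        events.sort()
        span = events[-1][0] - events[0][0]
        result[req] = {
            "events": [(ts.isoformat(), source) for ts, source, _ in events],
            "consistent": span <= window,
            "untrusted_zone": any(not known for _, _, known in events),
        }
    return result


if __name__ == "__main__":
    report = correlate({"app": APP_LOG, "cloud": CLOUD_LOG, "legacy": LEGACY_LOG})
    for req, info in report.items():
        flag = " (zone unknown for at least one source)" if info["untrusted_zone"] else ""
        print(f"{req}: consistent={info['consistent']}{flag}")
        for ts, source in info["events"]:
            print(f"    {ts}  {source}")
```

Without the offset conversion the application event would appear two hours after the provider event it caused, and any rule that orders events across the two logs would draw the wrong conclusion.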
Log aggregation and metrics aggregation are other techniques that can help frame a cloud governance model. Users will want to ensure that their aggregation tool will handle the logs they expect to use, especially any new logging provided by the cloud. The most popular tool is the open source Elasticsearch, Logstash and Kibana stack. When that stack is used with Beats data collectors, it can log nearly anything and aggregate everything into a useful and correlated report.
IT professionals need to be involved in public cloud deployments, and admins must be mindful of the people and groups in organizations that are acquiring public cloud services. A citizen developer or a user-driven cloud adoption plan can render governance practices moot if it acts outside the cloud governance model. Once IT's involvement is assured, users can apply these extension tips; without that involvement, it's difficult to maintain any governance at all.