Use “on-the-side” cloud governance to balance the agility and autonomy needs of cloud IaaS users with the organization’s need to protect itself
by Richard Watson | January 29, 2019
Are you concerned about shadow cloud use? Organizations that lack comprehensive programmatic IaaS governance risk security breaches, loss of control and overspending on cloud resources.
In shadow IT cloud usage, users go directly to the self-service interfaces of cloud providers to provision resources. They do this because they appreciate the “native experience” of the cloud provider, which enables them to innovate. Self-service access to cloud providers is not a negative mode of operation; indeed it is Gartner’s recommended mode, but ungoverned self-service access often puts the organization at risk.
Central IT can decide to position itself “in-the-way” between end users and cloud providers (see the central path in the figure). In this case, they would control all that users can do and provide for provisioning, automation and management of workloads. Alternatively, Gartner’s recommended approach to cloud IaaS governance is “on-the-side,” allowing end users to self-serve cloud directly (as shown in the lower path of the figure). In this case, central IT would focus on enablement and auditing. Defining who has access to what, what they can do, under which conditions and reporting on that access is the initial step of establishing cloud governance. Implementing automated governance transforms central IT’s role from fulfilling users’ requests, to empowering self-service for teams that need the agility to use cloud services with native tools. Programmatic guardrails that enforce policies ensure control and compliance with best practices.
This guidance document explains how to implement governance “on the side” by answering the question:
How do I develop a governance framework that properly balances the agility and autonomy needs of cloud consumers with the organization’s need to protect itself?
Another important tenet of Gartner’s approach is to separate governance policies from enforcement style and implementation. Some policies are automated to prevent users from creating resources or performing some action on an existing resource (e.g., you must have the role “network admin” to create a new virtual network). These are “preventative controls.” Other policy violations show up only after the fact, in a policy audit, and an action is then performed to remediate the violation. These are known as “retrospective controls” in this guidance. Some policies need both styles (e.g., “All resources must be tagged with the following tags [department, cost-center, lifecycle-stage, …]”).
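The tagging policy just quoted, enforced in both control styles, as an added example in Python (not code from the Gartner report): a preventative check that rejects a provisioning request before the resource exists, and a retrospective audit that scans an existing inventory and lists violations for remediation. The inventory records, the owner field and the remediation text are constructed assumptions.

```python
# Added example, not from the Gartner report: one policy, two enforcement styles.
REQUIRED_TAGS = ("department", "cost-center", "lifecycle-stage")  # tags named in the post


def missing_tags(tags, required=REQUIRED_TAGS):
    """Return the required tag keys that are absent or empty in `tags`."""
    return [key for key in required if not tags.get(key)]


def preventative_check(create_request):
    """Preventative control: decide on a provisioning request up front.

    Returns (allowed, reason). A request lacking any required tag is denied,
    so the non-compliant resource is never created.
    """
    missing = missing_tags(create_request.get("tags", {}))
    if missing:
        return False, f"denied: missing required tags {missing}"
    return True, "allowed"


def retrospective_audit(inventory):
    """Retrospective control: find already-existing resources that violate the policy.

    Returns one finding per violating resource so a remediation step
    (notify the owner, tag, or eventually stop the resource) can act on it.
    """
    findings = []
    for resource in inventory:
        missing = missing_tags(resource.get("tags", {}))
        if missing:
            findings.append({
                "id": resource["id"],
                "owner": resource.get("owner"),  # assumed field, constructed data
                "missing": missing,
                "remediation": "notify owner; tag or stop after grace period",
            })
    return findings


# Constructed sample inventory (not real resources).
INVENTORY = [
    {"id": "vm-001", "owner": "alice",
     "tags": {"department": "finance", "cost-center": "CC-42", "lifecycle-stage": "prod"}},
    {"id": "vm-002", "owner": "bob", "tags": {"department": "research"}},
    {"id": "bucket-003", "owner": "carol",
     "tags": {"department": "research", "cost-center": "", "lifecycle-stage": "dev"}},
]

if __name__ == "__main__":
    print(preventative_check({"tags": {"department": "research"}}))
    for finding in retrospective_audit(INVENTORY):
        print(finding)
```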
Gartner’s framework to systematically implement public cloud IaaS consumption governance consists of the following five steps:
- Step 1: Define Policies
- Step 2: Implement Preventative Controls
- Step 3: Gain Total Visibility
- Step 4: Create an Audit Process to Implement Retrospective Controls
- Step 5: Integrate Provider-Native and Third-Party Tools
The heart of this guidance document is a set of example governance policies, which we harvested from common ones in Gartner clients, third-party cloud management vendor tools and cloud-provider-native controls. Clients can download the policy examples as a spreadsheet, which acts as a starting point for a tailored policy library. Here’s a snapshot of a portion of that spreadsheet.
New Gartner Research
Gartner for Technical Professionals clients can view the 43-page research report just published by Marco Meinardi and me, along with its downloadable attachments, here: Implementing Governance for Public Cloud IaaS