Developing a best-practices cloud governance model is a foundational and critical activity to facilitate the systemic, supportable, and sustainable execution of a successful cloud transformation strategy. This best-practices model includes standards and policies, automation that consistently applies and enforces policies and controls, self-service capabilities that enable development agility and speed, and automated monitoring and cost management that ensure operational integrity. A well-developed cloud governance model enables customers to effectively develop, leverage, and optimize the AWS cloud operating model to improve operational integrity, reliability, performance, and transparency. This session highlights the necessary and recommended elements of a best-practice governance model, including policy considerations and recommendations, self-service automation methods towards IT-as-a-Service, and use-case examples.
2. Goals for the session
• Definition and overview of cloud governance
• Cloud center of excellence (CCoE)
• Stages of cloud governance
• Cloud governance best practices
• GSA — Review of business services platform (BSP)
• TSA — Discussion of governance
• Question and answer
3. Definition of cloud governance
The decision-making criteria, processes, and policies involved in the planning, architecture, acquisition, deployment, operation, and management used for operating IT services in the cloud.
— Cloud governance allows IT to innovate, automate, and quickly deploy code and infrastructure while maintaining the necessary requirements for security, audit, control, and compliance.
5. Why governance?
1. Reduction in access and security risks
2. Development of cloud standards — delivery, tools, process
3. Management of application design: CI and CD design
4. Cost optimization
5. Increased innovation for business units
6. Elimination of rogue IT and disparate cloud initiatives
7. Management of the consumption of cloud resources
6. Cloud governance opportunities
• Speed — Enable business at cloud speed and cost
• Integration — Complementary to existing enterprise IT governance processes, policies, and tools
• Balance — Appropriate coverage for key decisions, investments, and risks while achieving the benefits of the cloud
• Proactivity — Anticipate and prevent shadow clouds and unauthorized cloud activities that expose organizational risks
• Enablement — Appropriate cloud decision making without friction
8. Cloud center of excellence (CCoE)
The cloud center of excellence is a team of executives and IT area experts that authors cloud governance, enables business units to access a self-service model, and provides a catalog of standardized and templated instances from which to select and autoprovision.
11. Levels of cloud governance
L0 – Decentralized control
L1 – Centralized control
L2 – Decentralized control with automation
L3 – Centralized control with self-service
12. Three phases of cloud governance
Beginning
• Minimal integration
• Reactive environment
• Cost overruns
• Manual deployments
• No cloud structure
Adopting
• CCoE is in place and policies are maturing
• Policies matched to process
• Designing for cost
• Rapid deployment
Mature
• Full automation and self-service
• Benefits of cloud services realized
• Agility and control
• Optimized for cost
• Secure and compliant environment
13. Phase 1: Beginning
1. Create the CCoE to develop and own governance and its policies
2. Develop governance model and establish policies for:
• Security
• Account management
• Cost
• Network
• Instance and storage
• Service management
• Monitoring and reporting
3. Begin to modify the deployment process and policies and look to automate
• Develop governing policies to enable automated approval cycles
• Develop financial policies to enable BUs to quickly stage POCs
14. Phase 2: Adopting
1. Develop self-service policies
2. Develop data governance policies
3. Develop continuous integration / deployment policy
4. Develop design-for-cost architecture guidelines
5. Develop cloud audit and compliance policies
6. Develop a common API design framework
15. Phase 3: Mature
1. Develop advanced automation techniques and policies to promote further cost reduction, agility, and resiliency:
• Automated testing and code promotion from each tier to production
• Automated DR and recovery testing — Chaos Monkey / Chaos Gorilla
• Automated instance power down / power up for non-Reserved Instances
• Utilization of Spot Instances — when and where to use
2. Develop transition policies to define services and SOA
3. Develop policies allowing existing applications to test-for-cost (scale up / scale out)
16. Cloud governance best practices
• Establish a CCoE and begin developing/updating policies
• Tailor your governance process to your organization’s particular risk tolerance
• Decide where to leverage existing processes versus establishing new ones
• Make the process as lightweight as possible and as informative as possible to create a positive user experience
• Start early in the transformation so you can get business and IT feedback and support
• Rely on use-case reviews to improve your processes
18. The GSA cloud transformation
”Worked fine in dev…” “...OPS has problems”
Then (data center)
• Days/months to provision
• Months to app ATO
• One off configs for every app
• Size to peak demand
• Long, painful outages
• Everything needs software
19. What is BSP and how does it transform IT
Now (BSP)
• Minutes to provision
• Weeks to app ATO
• Standard app stacks/services
• Automated scalability
• Immediate server redeployment
• Automated — Infrastructure as code, continuous delivery
• Secure — Multitenant, security-driven architecture
• Cost effective — Pay for what you use
• Metrics — Visibility into usage and cost
• Modernization platform — Get to the cloud
20. BSP is a modernization platform
[Diagram: the three modes plotted by security control inheritance against degree of automation and cloud optimization]
• Mode 1: Compute, network, storage (migrated apps)
• Mode 2: OS optimization (optimized apps)
• Mode 3: Fully automated stack services, devops, orchestration, infrastructure as code (automated apps)
• Choose the mode that best suits your application and level of cloud optimization
• Mode 3 apps inherit >85% of all ATO security controls
21. Developer experience and orchestration workflow
Developer experience
1. Choose app stack
2. Customize stack (template file: component configs, cluster sizes, Auto Scaling, etc.)
3. Stage content
4. Run preconfigured orchestration job
5. Application fully deployed
Orchestration workflow
1. Jenkins initiates deployment through Ansible Tower
2. Generate custom AWS Identity and Access Management (IAM) policy and Amazon CloudFormation template
5. Deploy infrastructure (AWS IAM)
6. Invoke Ansible callback
7. Run Ansible config roles, including app deployment
1. Create the CCoE to develop and own governance and its policies
2. Develop governance model and establish policies for:
• Security – VPC design, access management, OS stack (antivirus)
• Account management – VPC creation control, instance launch control
• Cost – Tagging policy and naming convention
• Network – Encryption and allowable AWS public / private access points
• Instance and storage – Naming convention
• Service management – Single integrated portal for ticketing / ITSM
• Monitoring and reporting – Health, availability, logging, and audit
3. Begin to modify the deployment process and policies and look to automate
• Develop governing policies to enable automated approval cycles
• Develop financial policies to enable BUs to quickly stage POCs
1. Develop self-service policies
2. Develop data governance policies
• Develop RTO / RPO policy for each data class
• Develop data retention policy with automated file maintenance
• Develop data classification policies – restricted, confidential, etc.
• Develop data encryption and access policies
3. Develop continuous integration / deployment policy
• Develop policy to define frequency, approved methods, tools
• Standardize toolsets / repository locations for each BU
4. Develop design-for-cost architecture guidelines
5. Develop cloud audit and compliance policies – financial and risk
6. Develop a common API design framework for REST and JSON
• API framework should apply to on-premises and cloud
• Centralize API repository to simplify management and deployment
1. Choose from catalog of hardened app stacks as a service (e.g. MySQL, JBoss, Apache)
2. Customize stack parameters via user-defined template
3. Stage app content in Artifactory repo
4. Full app stack and content automatically deployed and configured
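As an added Python example (not GSA's or BSP's code), the orchestration step that turns a user-defined stack template into a custom IAM policy and a CloudFormation template, with the Phase 1 tagging policy, naming convention and instance launch control enforced as a gate before anything is generated. The catalog, AMI placeholders, naming convention, required tags and the sample template are all assumptions.

```python
# Added example (not GSA/BSP code): policy gate + generation for workflow step 2.
import json
import re

CATALOG = {"apache": "ami-PLACEHOLDER-apache", "mysql": "ami-PLACEHOLDER-mysql"}  # constructed
NAME_RE = re.compile(r"^[a-z]{2,8}-[a-z0-9]{2,16}-(dev|test|prod)$")  # assumed <bu>-<app>-<env>
REQUIRED_TAGS = ("Owner", "CostCenter")  # assumed tags the cost policy mandates
SAMPLE = {"stack": "apache", "name": "gsa-portal-dev", "min": 2, "max": 4,  # constructed input
          "tags": {"Owner": "portal-team", "CostCenter": "CC-1234"}}

def validate(tmpl):
    """Policy gate: catalog stack only, naming convention, cost tags, size range."""
    errors = []
    if tmpl.get("stack") not in CATALOG:
        errors.append("stack not in hardened catalog")
    if not NAME_RE.match(tmpl.get("name", "")):
        errors.append("name violates <bu>-<app>-<env> convention")
    errors += [f"missing tag {t}" for t in REQUIRED_TAGS if t not in tmpl.get("tags", {})]
    if not 1 <= tmpl.get("min", 0) <= tmpl.get("max", 0) <= 20:
        errors.append("cluster size outside policy range 1..20")
    return errors

def cfn_template(tmpl):
    """CloudFormation fragment: launch config + Auto Scaling group, all instances tagged."""
    tags = [{"Key": k, "Value": v} for k, v in tmpl["tags"].items()]
    tags.append({"Key": "Name", "Value": tmpl["name"]})  # the tag the IAM policy scopes on
    return {"AWSTemplateFormatVersion": "2010-09-09", "Resources": {
        "Lc": {"Type": "AWS::AutoScaling::LaunchConfiguration", "Properties": {
            "ImageId": CATALOG[tmpl["stack"]], "InstanceType": tmpl.get("type", "t2.micro")}},
        "Asg": {"Type": "AWS::AutoScaling::AutoScalingGroup", "Properties": {
            "MinSize": str(tmpl["min"]), "MaxSize": str(tmpl["max"]),
            "LaunchConfigurationName": {"Ref": "Lc"},
            "Tags": [dict(t, PropagateAtLaunch=True) for t in tags]}}}}

def iam_policy(tmpl):
    """Per-deployment IAM policy: the job may act only on instances tagged with this name."""
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
        "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances"],
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"StringEquals": {"ec2:ResourceTag/Name": tmpl["name"]}}}]}

def render(tmpl):
    """Run the gate first; refuse to emit anything for a non-compliant template."""
    errors = validate(tmpl)
    if errors:
        raise ValueError("; ".join(errors))
    return json.dumps(cfn_template(tmpl)), json.dumps(iam_policy(tmpl))
```

Calling render(SAMPLE) returns the two JSON documents the orchestration job would hand to CloudFormation and IAM; a template that fails the gate raises instead of producing half-governed infrastructure.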