How next-generation managed services can address and automate even the most complex cloud governance, risk, and compliance needs.

Are you in control of your cloud?

To thrive in a cloud-focused world, organisations are turning to an entirely new category of managed services solutions that enable unprecedented control over IT compliance and costs in the cloud. The reason? Many of the traditional management and governance approaches developed for data centres just won’t work in the cloud.

What is driving the demand for better cloud managed services?

Here are the main drivers we see behind the demand for the next generation of cloud managed services solutions.

Time to Value

Enterprises can’t seem to move fast enough into the cloud. Budget issues are reported as the excuse for latency, with too many entities in the mix, slowing down the process. Central IT must do much more with less, and do it more quickly.

Improved Security

Security breaches in both cloud and on-premise environments happen weekly, and take a prominent place in the national news.

Streamlined Decision Making

The lack of a permanent decision-making and governing body adds a great deal of latency to the decisions necessary to adopt cloud at scale.

Simplifying Multi-Cloud

Most enterprises are actively deploying multi-cloud environments that rely on at least two public and/or private cloud providers. This added complexity makes governance and management critical.

Better Cloud Economics

Today enterprises lack end-to-end visibility for financial metrics on cloud environments. Companies are ill-equipped to compare current data centre costs with projected cloud savings, and thus unable to analyse historical trends as a comparison and predictor of future savings.

Challenges managing enterprise cloud environments

There are a number of questions that crystallise the challenges of managing enterprise cloud environments after your initial applications are running in production. These include:

  • What is the best operational support model once our workloads are running on the cloud?
  • How do I know if my operations team has the skills and training necessary to fully support our new cloud environment?
  • How do we ensure that all key stakeholders are on the same page and involved in our cloud transformation at the right times with the right information?
  • What are the recommended tools and processes for monitoring, governing and optimising our cloud environment? What will it cost to support our new public cloud environment?
  • How can I ensure we realise the TCO and ROI we projected in the business case?

While the questions above address challenges faced after you are running on the cloud, it is important that you answer them early on in your cloud initiative. At Leaven we help our clients make these decisions in the first stages of our Cloud Adoption Programme.

Real-time Compliance Monitoring and Audit Preparation

Managing ongoing compliance in the cloud is a monumental task and most enterprises today lack a holistic view of their regulatory and corporate compliance posture. Furthermore, today’s compliance processes and tools were designed for data centres, and can’t keep up with the rapid evolution of cloud environments.

Taking cloud to the next level, and quickly

In this article we explore three key concepts that will enable enterprises to take their cloud to the next level. These concepts are part of a new generation of cloud managed services.

  • The Cloud Business Office
  • Continuous Compliance
  • Continuous Cost Control

Let’s examine each concept in detail.

The Cloud Business Office

Cloud adoption will have an enormous impact on your company, evolving processes that have not been seriously touched in decades. For the first time, developers are able to create and modify their infrastructure requirements using software. The implications of such power are both exciting and frightening.

We recommend establishing a central control point for your cloud program as soon as the initiative gets off the ground. We call this the Cloud Business Office (CBO). The CBO serves as the central point of decision-making and communication for your cloud program – both internal and external to your company. You can think of the CBO as a command and control entity within the organisation that facilitates most of the decisions and actions that occur around the use of cloud-based platforms within the enterprise (see Figure 1).

Figure 1: The Cloud Business Office is set up to ensure that there is a central point of decision-making to drive cloud into the enterprise as quickly and efficiently as possible

A core value of the CBO is to provide industry best practices for cloud migration, development, operations, security, and governance, ensuring the success of your cloud transformation. This means we have a set of shared processes that solve common cloud problems. One example is leveraging an enterprise-wide security framework that lives up to best practices, as well as a standard set of enterprise-wide security mechanisms.

The CBO’s ability to provide a decision-making and governing body for cloud use within the enterprise eliminates the need to go through layers of leadership and organisations each and every time we need to make a decision around the use of cloud-based resources. For example, it becomes possible to select a public cloud provider for a set of workloads in just a week, versus having scads of meetings that may take months to get to the end state decision. The CBO also alleviates the issue of non-qualified personnel making decisions they are ill-equipped to make.

The CBO is often confused with a Centre of Excellence or Program Management Office, which are common within enterprises these days. The CBO provides a resource for best practices and project control, and it has the ability to integrate these concepts into actual execution of cloud-based migrations, and system development. One can compare the concepts of a CBO with those of Agile and DevOps, which focus on doing rather than understanding and planning.

What is Continuous Compliance?

Continuous Compliance provides a single source of truth across GRC (Governance, Risk and Compliance) enabling real time monitoring and remediation. Key benefits include:

  • A single view into regulatory, corporate governance and IT compliance
  • Continuous monitoring, alerts and testing
  • Early warning, prevention and remediation
  • Simplified audit preparation and reduced costs

Continuous Compliance

Continuous Compliance provides a single source of truth across governance, risk and compliance. In other words, it enables real-time monitoring and remediation of issues that may arise when operating workloads and data that run on cloud-based platforms.

For example, say that you operate many workloads on public clouds for a company in a regulated industry such as financial services or healthcare. You need to deal with a range of laws and regulations that govern the use of data. Limits need to be set, not only to enforce company policies, but to deal with legal restrictions as well, such as:

  • What data can be exposed and when?
  • What encryption mechanisms need to be leveraged and how?

The idea of Continuous Compliance is to automate the compliance processes on behalf of those who operate the cloud-based solutions. While the term “compliance” often deals with placing controls on systems that must be enforced by humans, Continuous Compliance means we automate the process of compliance wherever possible, and thus remove much of the drudgery and risk from those processes within enterprises.

Figure 2: Continuous Compliance – Data Aggregation

As you can see in Figure 2, Continuous Compliance provides a single view for regulatory and corporate compliance and security and governance. Data is brought into a single unified view that can trigger alerts and, through automation or human intervention, correct issues in near real time.

Take PII (personally identifiable information) for example, which is illegal to leverage in many ways. Continuous Compliance ensures cloud operations are in compliance with pre-set governance and usage patterns. If, for some reason, the usage patterns fall out of compliance, then alerts are triggered and automatic remediation processes kick in. The objective is to bring the systems back into compliance as quickly as possible.

Other items that Continuous Compliance addresses:

  • Continuous monitoring, alerts and testing. This provides a cohesive look at what is happening in the systems that reside in and out of your cloud environment, enabling you to view “snapshots” of your systems and data whenever necessary. Aggregated data can be reviewed by people, or trigger automated processes that take corrective action when needed.
  • Early warning, prevention and remediation. Using the previous concept of continuous monitoring, alerts, and testing to make the problem known, this concept is the process of warning compliance experts, as well as remediating the problem as soon as possible.
  • Minimise audit preparation and costs. Continuous Compliance enables you to continuously deal with what is needed to move quickly through an internally or externally driven audit process. We are not referring to how best to prepare for an upcoming audit. We are referring to a proactive understanding of what occurs during an audit, and to providing assurance that the information will be up to date and waiting for the auditors in a consumable package.

Continuous Cost Control

A key aspect of continuous compliance is Continuous Cost Control. As you can see in Figure 3, this means that we understand the costs around the use of cloud.

Cloud computing has a big advantage in that we only pay for the computing resources we use, and do not have to purchase hardware and software ahead of need.

However, cost overruns are commonplace when leveraging public clouds and it is important to understand that there is a difference between “good cloud spend” and “bad cloud spend.” Good cloud spend includes things like rapid adoption and use of new cloud services (AWS Lambda, Aurora, etc.) that provide better ROI and decrease time to market. Bad cloud spend includes chatty apps and wasteful spending (not parking Dev / Test instances when they’re not in use). Bad cloud spend is most often generated by organisations and teams that do not understand the best consumption patterns and compliance tools required for optimising cloud workloads. When you over-provision cloud resources or your developers simply forget to shut down their no-longer-needed resources, your cloud bill will be many times higher than it should be. Continuous Cost Controls helps you quickly determine which cloud spend is good vs. bad and remediate as necessary.

Figure 3: Continuous Cost Controls – Data Aggregation

Continuous Cost Controls provides a holistic view of enterprise financials as clients migrate to the cloud and live in the cloud. This means that both the CBO, and those charged with the continuous cost management processes, have an understanding of how much is being spent, on what workloads, and by whom in the enterprise. Unlike a traditional data centre, the cloud enables you to gain a significantly more granular level of detail around computing costs.

Some key features of Continuous Cost Controls include:

  • End-to-end visibility of financial metrics, including what budgets have been allocated to which workloads, and how consumption or burn is occurring on each, based on what has been planned versus actual costs.
  • Cost comparison between current baseline costs, TCO calculations and actual cloud spend, leveraging best-in-class cost management tools. The use of automation here is distinctive, including cost monitoring and cost governance tools that provide a view into what is being spent, the aggregation of cost metrics to understand patterns, as well as the ability to look at just an instance in time.
  • Continuous monitoring and alerts determine which costs are off target, and ensure they can be corrected before the issue becomes too expensive.
  • Automated recommendations and cost optimisation. Understand when costs are not aligned with expectations, and how to optimise spend as well. For example, the ability to leverage discounted spot instances versus reserved instances for certain processing.

Managing the Cloud’s Tipping Point

Cloud services, either public or private, are becoming systemic to everything, including enterprise infrastructure and applications, IoT, mobile computing, and more. Enterprises find success in how cloud computing provides the path of least resistance, and it is typically the most cost-effective solution. Unless there are major issues uncovered with the cloud, and that does not seem to be the case so far, cloud computing will continue its rapid growth.

That said, we need to understand that specific processes must be in place to ensure cloud computing success. The CBO, Continuous Compliance and Continuous Cost Control solutions do not solve all issues with moving to and managing enterprise cloud initiatives. However, they bring a pragmatic approach to cloud computing that will speed deployment and simplify operations. At the same time, these concepts help you make the best decisions, optimise costs, and remain in compliance to ensure that your cloud-based solutions live on for many years.

This article was originally published in The Doppler, published by Hewlett-Packard Enterprise. Reprinted with permission.