5 Disciplines of Cloud Governance

August 31, 2020
Nathan Lasnoski

The best organizations are ones that balance a growth mindset in the cloud with effective cloud governance. The growth mindset is the company challenging itself, its previous assumptions, and its understanding of what the future looks like. The partner is governance that accelerates the transformation while ensuring protection and responsibility. The goal of cloud governance is not to slow down adoption, nor is it to impose traditional IT controls. The goal of cloud governance is to implement important guard rails on the implementation that enable teams to measure once and cut once… because they are using the right tools.

To talk about the five disciplines of cloud governance I’ll turn to the Microsoft Cloud Adoption Framework (CAF), which does a nice job of laying out the things we need to be interested in. They are:

- Cost Management
- Security Baseline
- Resource Consistency
- Identity Baseline
- Deployment Acceleration

The implementation pattern is that of a Minimum Viable Product (MVP) and evolving from there. The goal is to effectively drive the starting point for these ideas, then iterate on them as they are implemented. See below in the CAF the implementation cadence of a Governance MVP.

Cost Management

The discipline of cost management is perhaps the most critical success factor because a key responsibility of business is to be effective stewards of the resources available to them. This is where controls like tagging, subscriptions, resource groups, owners, application names, etc. are super important. These types of labels and controls define the starting point of any effective cost management strategy.
The end goal… is that dollars spent on the cloud directly align to business value attained.

Worse (1) to Better (6):

1. No cost management
2. No cost management, initial cloud
3. Basic cost management
4. Cloud cost management w/ chargeback
5. Cost allocation to Business Unit (BU)
6. Cost allocation to Business Unit (BU) and App

See the diagram below:

Security Baseline

The next discipline is having a security baseline across your cloud environment. The security baseline should not only assess, it should implement controls based on the security policy defined for the organization. This forms the framework for application teams to rapidly adopt and build on the cloud without reinventing the wheel or repeating the same security holes time and time again.

Worse (1) to Better (6):

1. No cloud, no baseline
2. Cloud, no baseline
3. Cloud, documented policy
4. Cloud, implemented policy
5. Cloud idempotent policy
6. Cloud idempotent policy + review cycle

Resource Consistency

This can quickly get out of control. By consistent, I don’t mean consistently chaotic… I mean consistently controlled, uniform, and clean. We do this by implementing effective standards for deployment, leveraging techniques like Azure Policy, infrastructure-as-code, and release management. The goal of resource consistency is to make our environment understandable, supportable, and manageable after we’re gone.

Worse (1) to Better (6):

1. No cloud environment
2. No labeling, no consistent deployment approach
3. Requires tags, not consistent in names
4. Consistent naming framework
5. Naming framework aligns to service registry
6. Consistent naming, deployment, and policy

Identity Baseline

If “identity is the new control plane”, then we need to take extra care to ensure it is implemented well, not just half-way. Identity needs a solid process for provisioning, de-provisioning, and protection that is uncommon in most on-premises environments.
Driving maturity and improvement here is key to a well-managed environment.

Worse (1) to Better (6):

1. No identity protection, no process for onboarding
2. Multi-factor auth for risk-based sign-in
3. Multi-factor auth for conditional access (risk + health)
4. MFA / conditional access + onboarding process
5. MFA / conditional access + modern desktop + onboarding
6. MFA / conditional access + modern desktop + onboarding + Azure AD primary

Deployment Acceleration

The goal of deployment acceleration is to slip-stream new workloads into the cloud by making it easier to work within the environment. This doesn’t necessarily mean that deploying workloads is easier the first time, but it does mean that we accelerate deployments on an ongoing basis and optimize deployment and operational consistency by raising the maturity of this process.

Worse (1) to Better (6):

1. Deployment through a Cloud Management Portal
2. Deployment through the native portal
3. Deployment of infrastructure-as-code as a best practice
4. Deployment of infrastructure-as-code required for production
5. Deployment of infrastructure and app-as-code
6. Deployment of code and test-driven release management

Here it is as a graph:

Bring all of these maturity curves together and you start to build an environment that truly accelerates your movement toward an operationalized cloud. Sometimes customers will ask “does it really need to be this complicated?” The more work you do to build an operational app model up front, the less time you spend exponentially after the environment is in place.

See you on the flip side!

Nathan Lasnoski