Enterprise cloud services: Key challenges and how to mitigate them

Author: Sajid Khan Niazi | Credera


Everything is moving to the cloud these days, but it’s not always simple or easy, especially for enterprises. We’ll explore the key challenges associated with enterprise cloud services and provide tips on how to mitigate them.

What is the enterprise cloud service offering?

Enterprise cloud is a computing model where an enterprise can use virtualized IT resources from a public or private cloud services provider. These resources can include storage, virtual servers, networking, security components, and serverless computing.

In larger enterprises, a cloud center of excellence team normally owns the cloud service offering and helps onboard the different business units to the cloud. It gives teams access to cloud resources and ensures that provisioned workloads meet compliance and security standards.

CLOUD SERVICE OUTCOMES

Below are some of the key outcomes that an enterprise would typically like to achieve from its cloud service across different business units.

Key cloud offering challenges

At the start of an organization’s cloud adoption journey, there are usually a few teams that will start using it. Managing the cloud at this time is simple as there are only a few accounts and workloads deployed. However, as cloud usage grows across an enterprise, many key challenges can begin to emerge if they are not tackled as part of the initial landing zone designs.

  • Single or few accounts used by different business units.

    • While a single account works in the beginning, it is not sustainable as the cloud usage grows across business units and teams.

  • Complexity in managing common security guardrails as they are applied at the individual account level.

    • Initially, it is OK to apply common guardrails at the account level, but to ease and simplify management, it is better to apply them at higher levels such as organization units in Amazon Web Services (AWS), management groups in Azure, or folders in Google Cloud Platform (GCP).

  • Workloads deployed in management accounts.

    • This can be a security risk as privileged operations are normally allowed in the management accounts.

  • Production and non-production environments sharing the same account.

    • Production and non-production workloads have different security profiles and needs, so placing them in the same account can be a security risk.

  • Several dozen workloads deployed into a single account.

    • This makes management, security, and access control more complex.

  • Complexity in managing individual users without federated access.

    • Without a single sign-on (SSO) solution, individual user accounts must be created and maintained by the cloud team, which is cumbersome, error prone, and unsustainable in the long term for larger enterprises.

  • Manual deployments to production workloads.

    • While this is initially OK for trying out cloud resources and for quick proof of concepts, an organization needs proper continuous integration/continuous deployment (CI/CD) processes and tools in place to scale the cloud adoption.

  • Lack of central security hub.

    • Managing security incidents and having oversight across dozens or hundreds of accounts can be challenging. It requires a central security hub where security incidents from all accounts can be centrally managed and acted on.

  • No security-hardened common virtual machine (VM) templates (aka machine images) available.

    • With increasing variability, organizations lack standardization and miss out on security best practices.

  • Lack of traceability for production incidents.

    • Workloads are deployed but there is no properly defined observability (logging, metrics, and alerts). Without these, it is very difficult to resolve production incidents.

  • Weak security controls and no threat modeling for deployed workloads.

    • Deployed workloads have a poor security posture and lack defense-in-depth controls applied at different levels. This can lead to security incidents and data leaks that are costly and cause significant reputational damage in the long run.

  • No oversight of cloud costs, and difficulty attributing costs to different entities and workloads.

    • Cloud costs can easily spiral out of control without proper oversight, and it is difficult to track and reduce costs without proper attribution.

  • Trying to use cloud as a traditional data center.

    • Cloud offers agility and a wide range of infrastructure, platform, and software-as-a-service offerings that can be combined in innovative ways to design efficient, cost-effective, secure, and scalable solutions. Using the cloud as a traditional data center instead results in rigid controls, inefficient use of resources, a lack of agility and efficiency, and stifled innovation.

How public cloud helps to manage and govern environments

All three major public clouds provide capabilities that help customers manage, structure, and govern large-scale enterprise environments as their cloud usage grows. Using these management capabilities, an enterprise can structure its cloud resources appropriately to manage complexity and allow cloud usage to scale rapidly across the enterprise.

Some of the benefits of using these governance controls include the ability to quickly scale your workloads by programmatically creating resource containers such as organizational units/accounts in AWS, folders/projects in GCP, and management groups/subscriptions/resource groups in Azure.

By applying governance policies at higher abstraction levels (organizational units in AWS, folders in GCP, and management groups in Azure), you can give teams the freedom to build their workload resources while staying within the boundaries set by policies at a higher level. For example, you can set policies to control which cloud regions may be used to provision the company’s cloud resources and place restrictions to prevent someone from accidentally switching off audit logs or security components.

You can centrally enforce your recommended backup, configuration, and security requirements by enforcing them at the higher level in the resource hierarchy (as mentioned above). This allows you to centrally secure and audit your environments.
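As an added example (not from the original article), the Terraform below creates a "Workloads" organizational unit in AWS Organizations and attaches a Service Control Policy to it, so every account placed under that OU inherits the two guardrails described above: an allowed-region restriction and protection for audit logging and security services. The OU name, the approved regions, and the exact service list are assumptions for illustration.

```hcl
# Added example, not the article's own code: guardrails applied once at OU level.
resource "aws_organizations_organization" "org" {
  feature_set          = "ALL"
  enabled_policy_types = ["SERVICE_CONTROL_POLICY"]
}

# OU for application workloads; member accounts are created or moved beneath it.
resource "aws_organizations_organizational_unit" "workloads" {
  name      = "Workloads" # assumed name
  parent_id = aws_organizations_organization.org.roots[0].id
}

resource "aws_organizations_policy" "guardrails" {
  name = "workload-guardrails"
  type = "SERVICE_CONTROL_POLICY"
  content = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Deny API calls outside the approved regions. Global services are not
        # region-scoped, so they are exempted with NotAction.
        Sid    = "DenyUnapprovedRegions"
        Effect = "Deny"
        NotAction = [
          "iam:*", "sts:*", "organizations:*", "support:*",
          "cloudfront:*", "route53:*", "budgets:*", "health:*"
        ]
        Resource  = "*"
        Condition = { StringNotEquals = { "aws:RequestedRegion" = ["eu-west-1", "eu-west-2"] } }
      },
      {
        # Block turning off audit logging and security tooling in member accounts.
        # Note: SCPs never restrict the management account itself, which is one
        # reason workloads should not live there.
        Sid    = "ProtectAuditAndSecurityServices"
        Effect = "Deny"
        Action = [
          "cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail",
          "config:StopConfigurationRecorder", "config:DeleteConfigurationRecorder",
          "guardduty:DeleteDetector", "securityhub:DisableSecurityHub"
        ]
        Resource = "*"
      }
    ]
  })
}

# Attaching at the OU means new accounts inherit the policy with no per-account work.
resource "aws_organizations_policy_attachment" "workloads" {
  policy_id = aws_organizations_policy.guardrails.id
  target_id = aws_organizations_organizational_unit.workloads.id
}
```

The same pattern applies to Azure Policy assigned at a management group and to GCP organization policies set on a folder.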

Permissions management and access control can be simplified by applying policies at the right level in the resource hierarchy.

Big three public cloud overviews

We’re going to walk through how each of the big three cloud providers structure their hierarchy.

AMAZON WEB SERVICES

AWS uses the concepts of organizational units and accounts to structure and manage an organization’s teams, projects, and cloud resources:

  • Organization: The root of the hierarchy is the organization (company).

  • Organizational units (OUs): OUs in AWS can be used to create a hierarchy of business divisions, teams, and product lines. Different policies can be applied at these levels.

  • Accounts: Accounts are the containers for all cloud resources (e.g., a "Product 1" OU can contain three accounts, and each account can contain environment-specific resources).

MICROSOFT AZURE

Azure uses the concepts of management groups, subscriptions, and resource groups to structure and manage an organization’s teams, projects, and cloud resources:

  • Organization: The root of the hierarchy is the organization (company).

  • Management groups: These can be used to create a hierarchy of business divisions, teams, and product lines. Different policies can be applied at these levels.

  • Subscriptions and resource groups: Subscriptions, and the resource groups within them, are the containers for all cloud resources (e.g., a "Product 1" management group can contain three subscriptions, and each subscription can contain environment-specific resources).

GOOGLE CLOUD PLATFORM (GCP)

GCP uses the concepts of organization, folders, and projects to structure and manage an organization’s teams, projects, and cloud resources:

  • Organization: The root of the hierarchy is the organization (company).

  • Folders: Folders in GCP can be used to create a hierarchy of business divisions, teams, and product lines. Different policies can be applied at these levels.

  • Projects: Projects are the containers for all cloud resources (e.g., a "Product 1" folder can contain three projects, and each project can contain environment-specific resources).

Design principles for enterprise cloud service offering

Along with the governance options available in the public clouds noted above, our Credera teams have successfully used the below design principles to tackle the challenges that arise from the enterprise cloud service offering when using cloud at scale within large enterprises.

[Figure: Enterprise cloud service offering design principles: security; cost optimization; observability; performance efficiency and innovation with cloud-native solutions]

In a nutshell

By improving the enterprise cloud service offering governance and structure and adopting the above design principles, an enterprise can truly reap the benefits of the cloud while avoiding some of the challenges highlighted in this article.

If you would like us to provide design critique for your enterprise cloud service offering or need help with optimizing and improving it to meet business needs, please get in touch.


Read full article here: https://credera.com/insights/enterprise-cloud-services-key-challenges-and-how-to-mitigate-them