enterprise cloud governance: a frictionless approach
TRANSCRIPT
Panelists
• Bart Falzarano, Director of Security and Compliance
• Hassan Khajeh-Hosseini, Product Manager
• Moderator: Kim Weins, VP Marketing
POLLING QUESTIONS
Agenda
• The State of Cloud Governance
• Traditional vs. Frictionless Cloud Governance
• Elements of Cloud Governance: Inventory, Provisioning, Operations, Financial, Security
• Wrap-Up
Enterprise cloud use explodes
(Photo credit: Kathleen Murtagh, CC BY 2.0, https://creativecommons.org/licenses/by/2.0/)
The Cloud Imperative
“Change thinking from ‘why use the cloud?’ to ‘why not use the cloud?’ and institute a ‘cloud first’ consideration for every project on an application-by-application basis.”
(Photo credit: Andy Spearing, CC BY 2.0, https://creativecommons.org/licenses/by/2.0/)
…but lack of visibility and control can keep IT up at night
(Photo credit: Benjamin Watson, CC BY 2.0, https://creativecommons.org/licenses/by/2.0/)
IT needs governance, but not barriers to agility
(Photo credit: Emw (own work), GFDL, http://www.gnu.org/copyleft/fdl.html, via Wikimedia Commons)
Frictionless Cloud Governance
• Speed: enable business units to act faster
• Safety: policy-driven governance & compliance
• Freedom: diverse workloads & resource pools
Traditional vs. Frictionless

Approval-Based Governance:
User Requests Provisioning → Wait → Submit for Manager Approval → Wait → Manager Approval → Submit for IT Review & Approval → Wait → IT Review & Approval → Wait → CMDB Updated → Provisioning Complete

Frictionless Governance:
User Chooses from Catalog → Provisioning Complete
• Complies with standards
• Validated against budget
• CMDB updated

Frictionless Governance + Automation: faster than cloud native…
Frictionless Cloud Governance Controls

Cloud Governance Controls, by element:
• Inventory: Discovery, Tagging, Search, CMDB Integration
• Provisioning: Standard Images, Template Catalogs, Cloud Policies, Version Control
• Operations: Operational Dashboard, Automated Operations, Monitoring & Alerts, Updates & Patches
• Financial: Multi-Cloud Cost Tracking, Analytics & Reporting, Forecasting & Budgeting, Spend Optimization
• Security: Account Aggregation, Identity and Access, SSH Key Management, Audit Trails

Applied across all resource pools: Virtualized Environments, Public Clouds, Bare Metal, Private Clouds
Inventory
It’s a Multi-Cloud World
You Can’t Control What You Can’t See
Many Cloud Accounts: AWS, Azure, Google, CloudStack, OpenStack, vSphere, each with many separate accounts
• Connect to all cloud accounts
• Discover all instances
Organize and Tag Resources
Organize & find
• Add and remove tags on resources
• Powerful and fast search
• Filter showback reports with ease
Provisioning
Match Application Requirements to Clouds
Application Portfolio (App 1, App 2, App 3, App 4, App 5 … App n)
→ Requirements Filters: Performance, Cost, Compliance, Geo-location, Security
→ Resource Pools / Vendors: Public Cloud 1, Public Cloud 2, Hosted Private, Internal Private, Virtualized, Existing DC
Each application is placed in the pool that passes its filters.
Self-Service Access to Cloud Service Catalog
• Standardized
• Automated
• Policy controls

Self-Service: Orchestrating Applications
• Basic instances
• Stacks for Dev or Prod Applications
Application Orchestration
Template-based orchestration: DNS → Load Balancers → App Servers → Master DB (replicates to Slave DB)
Server Configuration:
• Scripts
• Chef/Puppet/Salt/Ansible
• Docker container
• AMI
• VM template
Operations
Operational Dashboard
Single pane of glass
• Complete view of your cloud-based workloads
• Public, private and virtualized
• Where workloads are running, how many resources are being used
• Compute, network and storage
Automated Operations
Ensure consistency
• Automated tasks
  • Snapshots and backups
  • Restore resources (e.g. DBs)
  • Spin up and shut down test and dev environments
  • Maintenance tasks
• Automatically applied
  • When an end user launches an application stack
  • When any resource is launched, automatically tag it
Monitoring & Alerts
Aggregated monitoring
• Operational health of the system
  • Load high or low
  • As a release goes live
• Automated self-healing
  • Auto-scaling
  • Instances stranded in booting/terminating
  • Disaster recovery
• Alerting
  • Issues that cannot be automated
  • Issues with applications
Updates & Patches
Quick response
• Security issues for:
  • Operating systems
  • Stack components
  • Your application (e.g. holes in APIs)
• Find affected resources
• Develop/test the fix
• Patch live workloads
• “No patch” strategies
  • Patch templates in repository and re-launch
  • Move traffic to patched system
Financial
Multi-Cloud Cost Tracking
Aggregated cost tracking
• Current spend across all cloud providers
• Analyze trends to understand who is using more
• Determine if you are on or off track
Analytics and Reporting
Understand spend
• Analyze usage: usage changes, cost changes
• Slice and dice; drill down to details
• Create reports for business units, applications, teams
• By accounts, instance types, regions
• Tags let you slice and dice on anything
Forecasting & Budgeting
Plan future costs
• What-if scenario building
  • New cloud projects
  • Compare clouds or instance types
  • Purchase Reserved Instances
  • Grow or shrink usage
• Create alerts from these scenarios based on actual or forecast spend
Proactive Spend Optimization
• Specify allowed instance types
• Limit to instance types where you have RIs
• Set schedules and end dates for applications
• Buy using different purchase options (some clouds automate this for you)
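The proactive controls on this slide (allowed instance types, RI-backed types, end dates for applications) together with the launch-time auto-tagging from the Automated Operations slide, as one added Python example. This is illustrative code written for this transcript, not RightScale's product code; the policy tables, instance type names, tag keys and the 30-day dev lifetime are assumptions.

```python
"""Launch-time governance policy: check a provisioning request before it is
fulfilled and stamp the resource with governance tags (constructed example)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Hypothetical policy tables; a real deployment would load these from the
# governance platform rather than hard-code them.
ALLOWED_TYPES = {
    "dev":  {"t3.small", "t3.medium"},
    "prod": {"m5.large", "m5.xlarge"},
}
RI_COVERED = {"m5.large"}                        # types backed by purchased RIs (assumed)
REQUIRED_TAGS = ("owner", "cost_center", "application")
MAX_DEV_LIFETIME_DAYS = 30                       # dev stacks must expire (assumed)
TODAY = date(2015, 4, 15)                        # fixed so the sample runs are stable


@dataclass
class LaunchRequest:
    requester: str
    environment: str
    instance_type: str
    tags: Dict[str, str] = field(default_factory=dict)
    end_date: Optional[date] = None


@dataclass
class Decision:
    allowed: bool
    violations: List[str]      # hard failures: the request is refused
    warnings: List[str]        # soft findings: the request proceeds, flagged for finance
    tags: Dict[str, str]       # tags the resource actually launches with


def evaluate(req: LaunchRequest, today: date) -> Decision:
    violations: List[str] = []
    warnings: List[str] = []

    allowed = ALLOWED_TYPES.get(req.environment)
    if allowed is None:
        violations.append(f"unknown environment {req.environment!r}")
    elif req.instance_type not in allowed:
        violations.append(f"{req.instance_type} is not an approved type for "
                          f"{req.environment}; choose from {sorted(allowed)}")
    elif req.environment == "prod" and req.instance_type not in RI_COVERED:
        # Approved but paid on-demand: let it through, but surface it.
        warnings.append(f"{req.instance_type} has no reserved-instance coverage; "
                        f"RI-backed types are {sorted(RI_COVERED)}")

    missing = [t for t in REQUIRED_TAGS if not req.tags.get(t)]
    if missing:
        violations.append("missing required tags: " + ", ".join(missing))

    if req.environment == "dev":
        if req.end_date is None:
            violations.append("dev resources must have an end date")
        elif (req.end_date - today).days > MAX_DEV_LIFETIME_DAYS:
            violations.append(f"dev end date exceeds the {MAX_DEV_LIFETIME_DAYS}-day limit")
    if req.end_date is not None and req.end_date < today:
        violations.append("end date is in the past")

    # Governance tags are applied automatically at launch. User-supplied values
    # for these keys are overwritten so they cannot be spoofed in the request.
    tags = dict(req.tags)
    tags.update({"environment": req.environment,
                 "launched_by": req.requester,
                 "launched_on": today.isoformat()})
    if req.end_date is not None:
        tags["end_date"] = req.end_date.isoformat()

    return Decision(not violations, violations, warnings, tags)


def run_samples() -> Dict[str, Decision]:
    """Constructed requests that exercise each rule."""
    full = {"owner": "alice", "cost_center": "CC-42", "application": "billing"}
    return {
        "prod_ok":         evaluate(LaunchRequest("alice", "prod", "m5.large", dict(full)), TODAY),
        "prod_ondemand":   evaluate(LaunchRequest("alice", "prod", "m5.xlarge", dict(full)), TODAY),
        "prod_wrong_type": evaluate(LaunchRequest("alice", "prod", "c5.large", dict(full)), TODAY),
        "dev_missing":     evaluate(LaunchRequest("bob", "dev", "t3.small",
                                                  {"owner": "bob", "launched_by": "admin"}), TODAY),
        "dev_ok":          evaluate(LaunchRequest("bob", "dev", "t3.small", dict(full, owner="bob"),
                                                  end_date=date(2015, 5, 1)), TODAY),
    }


if __name__ == "__main__":
    for name, d in run_samples().items():
        print(name, "ALLOWED" if d.allowed else "REFUSED", d.violations or d.warnings)
```

The check runs before anything is provisioned, which is what makes it frictionless: the catalog only offers what passes, and the tags the financial and operations controls later rely on are present from the first second of the instance's life rather than back-filled.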
Reactive Spend Optimization
• Identify unused instances and shut them down
• Analyze utilization based on CPU, memory or IO
• Adjust instances to match purchased RIs
• Sell RIs that you are no longer using, or are under-utilized
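The first two bullets, identifying unused instances from CPU, memory and IO utilization, as an added Python example; this is illustrative code for this transcript, not RightScale's, and the thresholds, the six-sample minimum and the sample metrics are constructed assumptions.

```python
"""Reactive spend optimization: classify instances from utilization samples
and list shutdown / downsize candidates (constructed example)."""
from statistics import mean
from typing import Dict, List, Tuple

Metrics = Dict[str, List[float]]

# Hypothetical thresholds. An instance counts as idle only when CPU, memory
# AND network are all quiet over the whole window; low CPU alone would also
# flag proxies and file servers that are busy on the network.
IDLE_MAX = {"cpu": 5.0, "mem": 15.0, "net": 1_000.0}   # percent, percent, bytes/s
UNDERUSED_MEAN_CPU = 20.0                              # below this: downsize candidate
MIN_SAMPLES = 6                                        # do not judge an instance that has barely reported

# Constructed samples (one per hour, shortened to six points per instance).
SAMPLES: Dict[str, Metrics] = {
    "i-web-01":   {"cpu": [42, 61, 58, 47, 66, 53], "mem": [70, 71, 70, 72, 71, 70], "net": [2.1e6] * 6},
    "i-batch-07": {"cpu": [1, 2, 1, 1, 2, 1],       "mem": [9, 9, 9, 9, 9, 9],       "net": [120, 110, 130, 90, 100, 115]},
    "i-api-03":   {"cpu": [8, 12, 9, 11, 7, 10],    "mem": [35, 36, 35, 35, 34, 35], "net": [4e5] * 6},
    "i-new-99":   {"cpu": [3], "mem": [10], "net": [50]},          # launched minutes ago
}


def classify(m: Metrics) -> Tuple[str, str]:
    """Return (verdict, reason) for one instance's metric window."""
    if any(len(m.get(k, [])) < MIN_SAMPLES for k in IDLE_MAX):
        return "insufficient-data", f"fewer than {MIN_SAMPLES} samples"
    peaks = {k: max(m[k]) for k in IDLE_MAX}
    if all(peaks[k] < IDLE_MAX[k] for k in IDLE_MAX):
        return "idle", "peak cpu %.1f%%, mem %.1f%%, net %.0f B/s" % (
            peaks["cpu"], peaks["mem"], peaks["net"])
    avg_cpu = mean(m["cpu"])
    if avg_cpu < UNDERUSED_MEAN_CPU:
        return "underutilized", f"mean cpu {avg_cpu:.1f}% (peak {peaks['cpu']:.1f}%)"
    return "active", f"mean cpu {avg_cpu:.1f}%"


def review(samples: Dict[str, Metrics]) -> Dict[str, Tuple[str, str]]:
    return {instance: classify(m) for instance, m in samples.items()}


def candidates(report: Dict[str, Tuple[str, str]], verdict: str) -> List[str]:
    """Instances with the given verdict, e.g. 'idle' for the shutdown list."""
    return sorted(i for i, (v, _) in report.items() if v == verdict)


if __name__ == "__main__":
    report = review(SAMPLES)
    for instance, (verdict, reason) in report.items():
        print(f"{instance:12} {verdict:18} {reason}")
    print("shut down:", candidates(report, "idle"))
    print("downsize: ", candidates(report, "underutilized"))
```

The "insufficient-data" verdict is the edge case worth keeping: a freshly launched instance always looks idle for its first few samples, and an automated shutdown rule without a minimum window will kill it.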
Security
Cloud Account Management
Plethora of cloud consoles: a nightmare without account aggregation
• Set up cloud accounts and credentials in every cloud provider?
• Manage each one independently?
• Train personnel on how to use each respective cloud account for each cloud provider?
• Document different procedures for provisioning/de-provisioning cloud accounts?
Multi-Cloud Identity and Access Management
(Resource pools: Virtualized Environments, Public Cloud, Bare Metal, Private Cloud)

Centralized Access Controls / RBAC
Users (User A, User C, User D, Agency B) authenticate with passwords or SSO to the Enterprise Account (Account 1, Account 2, Admin); the platform authenticates to each cloud (Virtualized Environments, Public Cloud, Bare Metal, Private Cloud) with cloud credentials
• Identity and provisioning
• Authentication and federation
• Authorization and user profile management
• Support for compliance
• Integrate with your existing identity management
Key Management: SSH
• Asymmetric keys: private/public
• Key management
  • NISTIR 7966 (http://tinyurl.com/lhtujnv)
  • Practice key rotation / enable expiration
  • Centrally manage vs. independently manage
  • Establish security policies/procedures
  • Detect when new keys are introduced to the organization
• Key storage options
  • Hardware Security Modules
  • On-premise
  • Cloud services
  • RightScale
• Encryption of keys: MUST
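The rotation, expiration and "detect when new keys are introduced" bullets above, as an added Python example: an audit that fingerprints every key in an authorized_keys file and compares it with a central inventory. This is illustrative code written for this transcript, not RightScale's; the one-year rotation period, the 2048-bit RSA floor, the inventory layout and the key blobs (synthetic byte strings in the OpenSSH wire format, not real key material) are all constructed assumptions.

```python
"""SSH key audit: parse an authorized_keys file, fingerprint each key, and
report keys unknown to the central inventory, overdue for rotation, expired,
or too weak (constructed example)."""
import base64
import hashlib
import struct
from datetime import date
from typing import Dict, List, Optional, Tuple

ROTATION_DAYS = 365        # hypothetical policy: rotate every year
MIN_RSA_BITS = 2048        # hypothetical policy floor


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def _mpint(n: int) -> bytes:
    """SSH wire-format mpint for a positive integer (sign bit kept clear)."""
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return _ssh_string(b)


def _fields(blob: bytes) -> List[bytes]:
    out, off = [], 0
    while off < len(blob):
        (n,) = struct.unpack(">I", blob[off:off + 4])
        out.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    return out


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: base64(sha256(blob)) without padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def key_bits(key_type: str, blob: bytes) -> Optional[int]:
    fields = _fields(blob)
    if key_type == "ssh-rsa":                    # fields: type, e, n
        return int.from_bytes(fields[2], "big").bit_length()
    if key_type == "ssh-ed25519":
        return 256
    if key_type.startswith("ecdsa-sha2-nistp"):
        return int(key_type[len("ecdsa-sha2-nistp"):])
    return None


def parse_authorized_keys(text: str) -> List[Tuple[str, bytes, str]]:
    """Return (key_type, raw_blob, comment) per key. Options such as from="..."
    are skipped; options containing spaces inside quotes are not handled."""
    keys = []
    for line in text.splitlines():
        tokens = line.strip().split()
        if not tokens or tokens[0].startswith("#"):
            continue
        for i, tok in enumerate(tokens):
            if tok.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(tokens):
                keys.append((tok, base64.b64decode(tokens[i + 1]), " ".join(tokens[i + 2:])))
                break
    return keys


def audit(text: str, inventory: Dict[str, dict], today: date) -> List[dict]:
    findings = []
    for key_type, blob, comment in parse_authorized_keys(text):
        fp = fingerprint(blob)
        bits = key_bits(key_type, blob)
        if key_type == "ssh-dss" or (key_type == "ssh-rsa" and bits < MIN_RSA_BITS):
            findings.append({"fingerprint": fp, "comment": comment, "issue": "weak key"})
        rec = inventory.get(fp)
        if rec is None:                           # a key nobody registered centrally
            findings.append({"fingerprint": fp, "comment": comment, "issue": "unknown key"})
            continue
        if (today - rec["created"]).days > ROTATION_DAYS:
            findings.append({"fingerprint": fp, "comment": comment, "issue": "rotation overdue"})
        if rec.get("expires") is not None and rec["expires"] < today:
            findings.append({"fingerprint": fp, "comment": comment, "issue": "expired"})
    return findings


# Constructed sample data: synthetic blobs, not real keys.
_b64 = lambda b: base64.b64encode(b).decode()
KNOWN_ED = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
ROGUE_ED = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32, 64)))
WEAK_RSA = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << 1023) | 1)   # 1024-bit modulus
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    f"ssh-ed25519 {_b64(KNOWN_ED)} alice@corp",
    "# legacy deploy key, restricted by source network",
    f'from="10.0.0.0/8" ssh-rsa {_b64(WEAK_RSA)} legacy-deploy',
    f"ssh-ed25519 {_b64(ROGUE_ED)} unknown@laptop",
])
INVENTORY = {                                     # the central key inventory (assumed layout)
    fingerprint(KNOWN_ED): {"owner": "alice", "created": date(2015, 1, 5)},
    fingerprint(WEAK_RSA): {"owner": "deploy", "created": date(2013, 6, 1)},
}
TODAY = date(2015, 4, 15)


def run_sample() -> List[dict]:
    return audit(SAMPLE_AUTHORIZED_KEYS, INVENTORY, TODAY)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['issue']:18} {f['fingerprint']}  {f['comment']}")
```

Run this against the authorized_keys of every instance the inventory control discovered and diff the output between runs: a fingerprint that appears on a host but not in the inventory is exactly the "new key introduced to the organization" event the slide wants detected.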
Gain Visibility with Audit Trails
Ensure compliance
• Know who changed what, where and when
• Integrate with your SIEM / logging facility
• Maintain audit logs and reports in line with your log retention requirements
• Available via API to integrate with other systems
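The first two bullets (who changed what, where and when; feed it to the SIEM) as an added Python example: audit events from two clouds with different field names are normalized into one record and rendered as CEF lines. This is illustrative code for this transcript, not RightScale's; the two provider formats, the event contents, the vendor/product names in the CEF header and the severity mapping are constructed assumptions.

```python
"""Audit trail normalization: turn provider-specific change events into a
common who/what/where/when record and emit CEF for a SIEM (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Tuple


@dataclass
class Change:
    when: datetime      # always UTC
    who: str            # principal that made the change
    what: str           # action
    target: str         # resource acted on
    where: str          # region / zone
    src: str            # caller IP
    provider: str


# Constructed events in two hypothetical provider formats.
RAW_EVENTS: List[dict] = [
    {"provider": "cloud-a", "eventTime": "2015-04-15T10:22:03Z",
     "userIdentity": {"userName": "alice"}, "eventName": "TerminateInstance",
     "region": "us-east-1", "resourceId": "i-0a1b2c", "sourceIp": "203.0.113.5"},
    {"provider": "cloud-b", "ts": 1429093400,
     "principal": {"email": "bob@corp.example"}, "operation": "firewall.update",
     "resource": {"name": "fw=web|prod", "zone": "eu-west"}, "callerIp": "198.51.100.7"},
]


def _from_cloud_a(e: dict) -> Change:
    when = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Change(when, e["userIdentity"]["userName"], e["eventName"],
                  e["resourceId"], e["region"], e["sourceIp"], "cloud-a")


def _from_cloud_b(e: dict) -> Change:
    when = datetime.fromtimestamp(e["ts"], tz=timezone.utc)
    return Change(when, e["principal"]["email"], e["operation"],
                  e["resource"]["name"], e["resource"]["zone"], e["callerIp"], "cloud-b")


PARSERS: Dict[str, Callable[[dict], Change]] = {"cloud-a": _from_cloud_a, "cloud-b": _from_cloud_b}


def normalize(events: List[dict]) -> List[Change]:
    """Normalize and order by time. An unknown provider raises rather than being
    dropped silently: a missing audit source must be noticed, not lost."""
    out = []
    for e in events:
        parser = PARSERS.get(e.get("provider"))
        if parser is None:
            raise ValueError(f"no parser for provider {e.get('provider')!r}")
        out.append(parser(e))
    return sorted(out, key=lambda c: c.when)


def severity(action: str) -> int:
    a = action.lower()
    if any(w in a for w in ("delete", "terminate", "destroy")):
        return 8
    if any(w in a for w in ("create", "update", "modify")):
        return 5
    return 3


# CEF escaping rules differ between the header and the extension.
def _hdr(s: str) -> str:
    return s.replace("\\", "\\\\").replace("|", "\\|")


def _ext(s: str) -> str:
    return s.replace("\\", "\\\\").replace("=", "\\=").replace("\r", " ").replace("\n", " ")


def to_cef(c: Change) -> str:
    ext = " ".join(f"{k}={_ext(v)}" for k, v in [
        ("rt", str(int(c.when.timestamp() * 1000))),     # epoch milliseconds
        ("suser", c.who), ("act", c.what), ("src", c.src),
        ("cs1Label", "resource"), ("cs1", c.target),
        ("cs2Label", "location"), ("cs2", c.where),
        ("cs3Label", "provider"), ("cs3", c.provider)])
    return (f"CEF:0|{_hdr('CloudGovernance')}|{_hdr('AuditTrail')}|1.0|"
            f"{_hdr(c.what)}|{_hdr(c.what)}|{severity(c.what)}|{ext}")


def who_changed(changes: List[Change], target: str) -> List[Tuple[str, str, str, str]]:
    """Answer the slide's question for one resource: (when, who, what, where)."""
    return [(c.when.isoformat(), c.who, c.what, c.where) for c in changes if c.target == target]


if __name__ == "__main__":
    for change in normalize(RAW_EVENTS):
        print(to_cef(change))
```

The escaping is the part that matters for the SIEM integration bullet: a resource name containing `=` or `|`, as in the second event, would otherwise split into bogus extension fields or header columns and the "what" of that change would be indexed wrongly.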
• Definitive Guide to Enterprise Cloud Governance: A Frictionless Approach
  www.rightscale.com/governance
Questions?