ENTERPRISE CLOUD GOVERNANCE: A FRICTIONLESS APPROACH

Upload: rightscale

Post on 21-Aug-2015

TRANSCRIPT

Page 1: Enterprise Cloud Governance: A Frictionless Approach

ENTERPRISE CLOUD GOVERNANCE:

A FRICTIONLESS APPROACH

Page 2: Enterprise Cloud Governance: A Frictionless Approach

Panelists

•  Bart Falzarano, Director of Security and Compliance
•  Hassan Khajeh-Hosseini, Product Manager
•  Moderator: Kim Weins, VP Marketing

Page 3: Enterprise Cloud Governance: A Frictionless Approach

POLLING QUESTIONS

Page 4: Enterprise Cloud Governance: A Frictionless Approach

Agenda

•  The State of Cloud Governance
•  Traditional vs. Frictionless Cloud Governance
•  Elements of Cloud Governance
   •  Inventory
   •  Provisioning
   •  Operations
   •  Financial
   •  Security
•  Wrap-Up

Page 5: Enterprise Cloud Governance: A Frictionless Approach

Enterprise cloud use explodes

Photo credit: Kathleen Murtagh https://creativecommons.org/licenses/by/2.0/

Page 6: Enterprise Cloud Governance: A Frictionless Approach

The Cloud Imperative

“Change thinking from ‘why use the cloud?’ to ‘why not use the cloud?’ and institute a ‘cloud first’ consideration for every project on an application-by-application basis.”

Photo credit: Andy Spearing https://creativecommons.org/licenses/by/2.0/

Page 7: Enterprise Cloud Governance: A Frictionless Approach

...but lack of visibility and control can keep IT up at night

Photo credit: Benjamin Watson https://creativecommons.org/licenses/by/2.0/

Page 8: Enterprise Cloud Governance: A Frictionless Approach

IT needs governance, but not barriers to agility

Photo credit: By Emw (Own work) [GFDL (http://www.gnu.org/copyleft/fdl.html)], via Wikimedia Commons

Page 9: Enterprise Cloud Governance: A Frictionless Approach

Frictionless Cloud Governance

•  Speed: Enable business units to act faster
•  Safety: Policy-driven governance & compliance
•  Freedom: Diverse workloads & resource pools

Page 10: Enterprise Cloud Governance: A Frictionless Approach

Traditional vs. Frictionless

Approval-Based Governance:

•  User Requests Provisioning
•  Submit for Manager Approval
•  Manager Approval
•  Submit for IT Review & Approval
•  IT Review & Approval
•  CMDB Updated
•  Provisioning Complete

Frictionless Governance:

•  User Chooses from Catalog
•  Provisioning Complete
   •  Complies with standards
   •  Validated against budget
   •  CMDB updated

[Diagram label: "Wait", repeated four times]

Page 11: Enterprise Cloud Governance: A Frictionless Approach

Frictionless Governance + Automation

Faster than Cloud Native…

Page 12: Enterprise Cloud Governance: A Frictionless Approach

Frictionless Cloud Governance Controls

Cloud Governance Controls

•  Inventory: Discovery, Tagging, Search, CMDB Integration
•  Provisioning: Standard Images, Template Catalogs, Cloud Policies, Version Control
•  Operations: Operational Dashboard, Automated Operations, Monitoring & Alerts, Updates & Patches
•  Financial: Multi-Cloud Cost Tracking, Analytics & Reporting, Forecasting & Budgeting, Spend Optimization
•  Security: Account Aggregation, Identity and Access, SSH Key Management, Audit Trails

Virtualized Environments | Public Clouds | Bare Metal | Private Clouds

Page 13: Enterprise Cloud Governance: A Frictionless Approach

Inventory

Page 14: Enterprise Cloud Governance: A Frictionless Approach

It’s a Multi-Cloud World


Page 15: Enterprise Cloud Governance: A Frictionless Approach

You Can’t Control What You Can’t See

[Diagram: Many Cloud Accounts across AWS, Azure, Google, CloudStack, OpenStack and vSphere]

•  Connect to all cloud accounts
•  Discover all instances

Page 16: Enterprise Cloud Governance: A Frictionless Approach

Organize and Tag Resources

Organize & Find

•  Add and remove tags on resources
•  Powerful and fast search
•  Filter showback reports with ease

Page 17: Enterprise Cloud Governance: A Frictionless Approach

Provisioning

Page 18: Enterprise Cloud Governance: A Frictionless Approach

Match Application Requirements to Clouds

•  Application Portfolio: App 1, App 2, App 3, App 4, App 5, … App n
•  Requirements Filters: Performance, Cost, Compliance, Geo-location, Security, Vendors
•  Resource Pools: Public Cloud 1, Public Cloud 2, Hosted Private, Internal Private, Virtualized, Existing DC

[Diagram: App 1 through App 7 placed across the resource pools]

Page 19: Enterprise Cloud Governance: A Frictionless Approach

Self-Service Access to Cloud Service Catalog

•  Standardized
•  Automated
•  Policy controls

Catalog contents shown: Basic instances; Stacks for Dev or Prod Applications

Page 20: Enterprise Cloud Governance: A Frictionless Approach

Self-Service: Orchestrating Applications

Application Orchestration

•  Template-based orchestration

[Diagram: DNS, Load Balancers, App Servers, Master DB replicating to Slave DB]

Server Configuration

•  Scripts
•  Chef/Puppet/Salt/Ansible
•  Docker container
•  AMI
•  VM template

Page 21: Enterprise Cloud Governance: A Frictionless Approach

Operations

Page 22: Enterprise Cloud Governance: A Frictionless Approach

Operational Dashboard

Single pane of glass

•  Complete view of your cloud based workloads
•  Public, private and virtualized
•  Where workloads are running, how many resources are being used
•  Compute, Network and Storage

Page 23: Enterprise Cloud Governance: A Frictionless Approach

Automated Operations

Ensure consistency

•  Automated tasks
   •  Snapshots and backups
   •  Restore resources (e.g. DBs)
   •  Spin up and shut down test and dev environments
   •  Maintenance tasks
•  Automatically applied
   •  When an end user launches an application stack
   •  When any resource is launched, automatically tag it

Page 24: Enterprise Cloud Governance: A Frictionless Approach

Monitoring & Alerts

Aggregated Monitoring

•  Operational health of the system
   •  Load high or low
   •  As release goes live
•  Automated self-healing
   •  Auto-scaling
   •  Stranded in booting/terminating issues
   •  Disaster recovery
•  Alerting
   •  Issues that cannot be automated
   •  Issues with applications

Page 25: Enterprise Cloud Governance: A Frictionless Approach

Updates & Patches

Quick Response

•  Security issues for:
   •  Operating Systems
   •  Stack Components
   •  Your application (e.g. holes in APIs)
•  Find affected resources
•  Develop/test the fix
•  Patch live workloads
•  “No patch” strategies
   •  Patch templates in repository and re-launch
   •  Move traffic to patched system

Page 26: Enterprise Cloud Governance: A Frictionless Approach

Financial

Page 27: Enterprise Cloud Governance: A Frictionless Approach

Multi-Cloud Cost Tracking

Aggregated cost tracking

•  Current spend of all cloud providers
•  Analyze trends to understand who is using more
•  Determine if you are on or off track

Page 28: Enterprise Cloud Governance: A Frictionless Approach

Analytics and Reporting

Understand spend

•  Analyze usage
   •  Usage changes, cost changes
   •  Slice and dice
   •  Drill down to details
•  Create reports for business units, applications, teams
•  By accounts, instance types, regions
•  Tags let you slice and dice on anything

Page 29: Enterprise Cloud Governance: A Frictionless Approach

Forecasting & Budgeting

Plan future costs

•  What-if scenario building
   •  New cloud projects
   •  Compare clouds or instance types
   •  Purchase Reserved Instances
   •  Grow or shrink usage
•  Create Alerts from these scenarios based on actual or forecast

Page 30: Enterprise Cloud Governance: A Frictionless Approach

Proactive Spend Optimization

Proactive

•  Specify allowed instance types
•  Limit to instance types where you have RIs
•  Set schedules and end dates for applications
•  Buy using different purchase options (some clouds automate this for you)

Page 31: Enterprise Cloud Governance: A Frictionless Approach

Reactive Spend Optimization

Reactive

•  Identify unused instances and shut them down
•  Analyze utilization based on CPU, memory or IO
•  Adjust instances to match purchased RIs
•  Sell RIs that you are no longer using or that are under-utilized

Page 32: Enterprise Cloud Governance: A Frictionless Approach

Security

Page 33: Enterprise Cloud Governance: A Frictionless Approach

Plethora of Cloud Consoles

Page 34: Enterprise Cloud Governance: A Frictionless Approach

Cloud Account Management

A Nightmare w/o Account Aggregation

•  Set up Cloud Accounts and Credentials in every cloud provider?
•  Manage each one independently?
•  Train personnel on how to use each respective cloud account for each cloud provider?
•  Document different procedures for provisioning/de-provisioning cloud accounts?

Virtualized Environments | Public Cloud | Bare Metal | Private Cloud

Page 35: Enterprise Cloud Governance: A Frictionless Approach

Multi-Cloud Identity and Access Management

•  Identity and Provisioning
•  Authentication and Federation
•  Authorization and User Profile Management
•  Support for Compliance

Centralized Access Controls / RBAC

Integrate with your existing Identity mgmt

[Diagram: Admin, User A, Agency B, User C, User D → Authenticate with passwords or SSO → Enterprise Account (Account 1, Account 2) → Authenticate with cloud credentials → Virtualized Environments, Public Cloud, Bare Metal, Private Cloud]

Page 36: Enterprise Cloud Governance: A Frictionless Approach

Key Management -- SSH

•  Asymmetric keys private/public
•  Key Management
   •  NISTIR 7966 http://tinyurl.com/lhtujnv
   •  Practice Key rotation / enable expiration
   •  Centrally manage vs. Independently manage
   •  Establish Security Policies/Procedures
   •  Detect when new keys are introduced to the Organization
•  Key storage options
   •  Hardware Security Modules
   •  On-premise
   •  Cloud services
   •  RightScale
   •  Encryption of keys - MUST

Page 37: Enterprise Cloud Governance: A Frictionless Approach

Gain Visibility with Audit Trails

Ensure compliance

•  Know who changed what, where and when
•  Integrate with your SIEM / Logging Facility
•  Maintain audit logs and reports in line with your log retention requirements
•  Available via API to integrate with other systems

Page 38: Enterprise Cloud Governance: A Frictionless Approach

Questions?

•  Definitive Guide to Enterprise Cloud Governance: A Frictionless Approach
•  www.rightscale.com/governance