Security

Ensuring control of IT systems is vital to keep things running smoothly; however, IT governance, in general, can be complex.

Of all the elements of modern IT management, IT governance doesn’t always receive the attention it deserves. However, with the widespread adoption of cloud and self-service, it is becoming an issue that can no longer hide in the shadows. Cloud governance adds an extra layer of complexity, because the whole point of the cloud is to hand a degree of control to developers. To confuse matters further, there are many models for maintaining effective governance over IT environments. They are often complex, difficult to understand, and even harder to implement. To combat this, there are four key principles that need to be observed to achieve success in an area where many fail:

  • Governance exists to keep costs down and to make environments easy to oversee and secure
  • The difference between operations management and governance is that the former ensures things work properly, whilst the latter makes them simpler to manage
  • The key to security governance is that it must not reduce the agility developers have been given
  • Cost management is controlling and reducing spending, while governance is making sure that people follow the rules that make cost management achievable

To summarise these principles, three core areas contribute to success: making it easy, making it cheap and making it secure. These three are closely related. For example, an overly complex environment (a failure to make it easy) is difficult to secure, and it is hard to see where potential cost savings could be made. This applies especially to multi-cloud environments, where an enterprise might have two major public clouds with multiple PaaS services, in addition to a couple of virtualisation platforms, disparate automation tooling, private cloud stacks, and so on. Finding the right mix of choice and control is hard. Clearly defining your governance goals makes it a lot easier.

The first step in managing an environment is to reduce complexity. Common places where complexity creeps in are OS choices, network configurations, and the authentication mechanisms that are allowed. For OS choices it is best to limit the options to a handful of approved standards across the business and make it difficult to obtain exemptions. Then bake a single, standard way of deploying each approved OS (for example, one hardened image built by one pipeline), so that every instance starts from the same known state.

When it comes to network configurations, the single biggest thing a business can do for network governance is to run an IP Address Management (IPAM) tool that covers every cloud environment. It records which networks exist in which environment and what each is used for. That information becomes invaluable when managing environments: overlapping address ranges that would break peering or VPN connectivity are spotted before they are deployed, and firewall and security-group rules can be written against ranges whose purpose is known.

In terms of authentication, it is very difficult to manage multiple clouds and environments when each has its own set of credentials. A governance standard that defines a single identity provider per class of user (e.g., one for employees, one for customers, one for IoT devices) makes management much simpler, and means that revoking access happens in one place rather than in every cloud.

Defining standards is a great first step on the journey toward better governance. The next step is ensuring compliance with them. This can be achieved with cloud-native tools such as AWS Config (or Azure Policy on Azure), third-party compliance tooling, or by feeding configuration and audit logs into a SIEM so that deviations from the standard are detected rather than discovered by accident.

Controlling costs

The next high-level governance goal is to make things cheap. The key is that basic guidelines are essential from day one. One example is limiting the types (sizes) of instances (virtual machines) that end users can create. Both AWS and Azure offer hundreds of instance types, and commitment-based discounts are far easier to plan and apply across a small set of families, so limiting users to a handful (four or five) of options makes cost management drastically more effective while still accommodating the vast majority of use cases. It is also very important to tag every resource so that costs can be allocated to the right team or project.
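The following AWS Organizations service control policy (SCP) is an added example of the kind of front-end guardrail described above; it is not from the article or from DXC. The approved instance types, the tag keys `CostCentre` and `Environment` and the allowed `Environment` values are assumptions chosen for illustration. The first statement denies `ec2:RunInstances` for any instance type outside the approved list, the second denies launches that do not carry the two required cost-allocation tags, and the third denies launches whose `Environment` tag is not one of the recognised environments:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnapprovedInstanceTypes",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": [
            "t3.micro",
            "t3.medium",
            "m5.large",
            "m5.xlarge",
            "r5.xlarge"
          ]
        }
      }
    },
    {
      "Sid": "DenyLaunchWithoutCostTags",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/CostCentre": "true",
          "aws:RequestTag/Environment": "true"
        }
      }
    },
    {
      "Sid": "DenyUnknownEnvironmentTagValue",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "Null": {
          "aws:RequestTag/Environment": "false"
        },
        "StringNotEquals": {
          "aws:RequestTag/Environment": [
            "dev",
            "preprod",
            "prod"
          ]
        }
      }
    }
  ]
}
```

Two practical caveats. An SCP is a preventive control only: it stops new non-compliant launches but says nothing about instances that already exist or that are created through a path it does not cover, so a detective control such as an AWS Config rule checking the same tag keys is still needed to make the standard auditable. Second, the tag conditions deny any launch that does not pass the tags in the `RunInstances` request itself, so tooling that tags resources only after creation will be blocked; attach the policy to a sandbox organisational unit first and watch for denied `RunInstances` calls in CloudTrail before rolling it out more widely.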

Another area where costs can be cut is by defining and enforcing what a development environment actually is. Are highly available databases needed for development? Probably not, and the same goes for high-performance clusters, which are better suited to pre-production or quality-assurance environments where load testing takes place. Perhaps everyone insists they need Oracle Enterprise Edition, but they probably don’t, and could get by just fine with Amazon Aurora, which would save money.

Limiting choices to a subset of the plethora of available options follows the keep-it-simple principle identified earlier. The ideal is to reduce choice intelligently, without stifling innovation. In addition, creating a standard for how to express the business value of a project is vital. The model should include opportunity cost: if a different platform is used, it may cost more development time. It should also capture the value that specific features of common platforms bring to specific projects, and how those features influence the business value of the project. Building such a model can be time-consuming, but it enables informed decisions about what to allow, where and when to allow it, and why, based on what’s best for the business.

Keeping things secure

The third high-level governance goal is making it secure. Governance should always prioritise simplicity, visibility, and compliance, and these principles matter most when securing multiple environments. A two-pronged approach is usually required: intelligently limit options at the front end so that obeying the rules in the field is the easy option, while at the same time ensuring visibility into who is doing what so that non-compliant decisions are caught rather than assumed away. For instance, limiting OS standards makes it easier to patch, harden, and monitor activity on those operating systems, because there are only a handful of baselines to maintain and only a handful of log formats to collect.

By making the environment simpler and easier for an engineer or architect to understand, the entire security discussion becomes far easier to have. Organisations and IT teams need to think of governance as the act of defining and enforcing the policies and standards that make management and security, and therefore their own jobs, easier.

By focusing on the front end and striking the right balance between choice and simplicity, the business can foster innovation without runaway costs, overly complex management processes, or increased exposure to cyber risk. Just remember that perfect is the enemy of the good: there will always be exceptions to rules, and this is just as true of a governance strategy. As this article has hopefully made clear, the key to successful IT governance is balance in all areas (Thanos would be proud).

CREDITS: Eric Moore, Chief Technologist for the AWS Integrated Practice, DXC Technology
