In our digital-infused world, finding an enterprise without some sort of cloud presence is mission impossible. Whether it’s Azure, Amazon Web Services (AWS) or Google Cloud Platform (GCP), these highly reliable, scalable, secure, and cost-effective cloud platforms have become indispensable tools of the modern enterprise. They offer a lot of advantages – but if not well governed, you can find yourself introducing operational risk.
Risk is everywhere, of course. Let’s take this in a direction other than cloud for a moment (stay with me, there is a connection). I recently went swimming with whale sharks. Swimming out in the ocean with an animal the size of a bus – what could go wrong? Yet I felt completely safe as our supervisors were experienced risk managers. It was clear they’d put a lot of thought into both how to guarantee a successful outing for us, and how to minimise any risks involved. They had numerous processes in place both for themselves and us to follow, and they kept a watchful eye. I felt confident because I could tell they’d done their due diligence. They’d considered all potential risks and kept us all safe while we enjoyed this once-in-a-lifetime experience. In short, they provided good governance over their services.
To come back to cloud – like swimming with whale sharks, managing cloud services can be complex. There’s a lot to consider. If you’re not careful, you can quickly find yourself in dangerous waters with risks ranging from security breaches and compliance violations to soaring costs and inefficient operations.
This is where cloud governance comes in. Policies, procedures, guidelines, and associated technologies help us better balance digital transformation and mitigation of risks.
A robust cloud governance system provides a framework for considering objectives, understanding what needs to be done regarding processes and supporting technology, and how to achieve this in a real-world setting.
If you’ve been utilising something like the Microsoft Cloud Adoption Framework, the following diagram may look familiar. It’s a good framework to look at cloud governance through, starting with understanding business risks and objectives, and working to define our policies and processes.
A great thing in the Azure space is that Microsoft has given us a lot in terms of policy, controls, and services. It helps turn these policies into reality, and to be able to manage and report against them. That’s great if you are just in Azure.
However, 72% of organisations remain in a hybrid state and 87% have a multi-cloud strategy, creating challenges for many organisations. Commonly, different toolsets and processes are utilised across different environments. It’s also common to see an organisation with a team that looks after on-premises, another looking after Azure, possibly another on AWS, and another on GCP. This results in duplication of tooling across networking, identity, governance, security, and operations.
Then you need people with a multitude of different skill sets, such as running different tools and leading multiple teams. This results in a higher cost of ownership and a complex environment – all leading to higher security and compliance risks.
But what if there’s a way to unify operations and management in hybrid environments?
There is. And this is what I like about Microsoft’s cloud strategy. It’s taken the services they’ve built and matured in the cloud and paired them with a strategy to utilise them for governance and management of infrastructure – regardless of where it lives.
Their hybrid multi-cloud adoption framework illustrates how unified governance and management can be achieved .
The framework includes:
• Primary cloud controls, including centralised visibility to all our resources
• Ability to utilise templates and automation for consistent deployments
• Controlled identity, access, and security boundaries
• Enhanced visibility through in-depth monitoring, inventory, security compliance controls, and reporting
• Automation supporting standardised deployment, configuration, update, protection, and recovery of resources
A lot is happening in this diagram, but don’t let its detailed architecture fool you into thinking it makes management more complex.
In the centre is the Azure Arc integration layer. It’s the technology acting as a bridge between cloud services and your resources. Let’s dive into this further.
Let’s say on-premises, you have a data centre running on VMware vSphere, or possibly a converged solution with Azure Stack HCI. By utilising Azure Arc you can manage your virtualised servers (Windows, Linux and SQL). You might also use Kubernetes to support containerised apps. When brought into a central platform – via Azure Arc – they are all represented as resources in Azure. You can then manage these resources using Azure management services; overlaying policy, role-based access controls, and attributes give you better visibility of what everything is and where it belongs, alongside monitoring, security, and automation.
Similarly, if you have virtual servers or Kubernetes running on another public cloud such as AWS or GCP, Azure Arc brings those resources into Azure. This allows you to centrally manage them.
But what I find really cool is that you can take Azure PaaS services and run those containerised apps in Kubernetes, on premise, or even inside another vendor’s cloud. For example – Web Apps, Functions, Logic Apps, Event Grid, and SQL Managed Instances.
Take for example a utility company who needs to manage infrastructure at different points throughout the state. They utilise cloud heavily but need local application services close to infrastructure they manage, to ensure that even if there were interruptions to the network, or network latency in regional locations, there wouldn’t be any disruptions. Using Azure Arc, they can centrally manage both their cloud resources and on premises application services.
You can’t control what you can’t see. Azure Arc provides a single control pane to deploy, manage, update, monitor, and secure resources, regardless of where they live. All resources are visible, and you know exactly what’s happening with them. Inventory is centralised and organised by management groups, subscriptions, or resource groups. Standardised and custom tags can also be applied to keep track of resources.
Moving on to control, with Azure Arc, you can use templates to deploy resources to multiple environments – whether in Azure, on-premises, or another cloud. You can also use configuration policies to ensure resources are configured consistently across all environments, regardless of location. Finally, you can manage updates and patches across all environments and provide appropriate protection and recovery mechanisms to mitigate risks.
In the same way that you can use Azure AD and roles-based access to control access to Azure resources, you can extend this to on-premises and multi-cloud resources.
You can leverage leading Azure security services across hybrid and multi-cloud environments such as Defender for Cloud and Sentinel.
It’s no surprise Microsoft is now a leading security vendor. With over $1 billion invested annually in cybersecurity research, it’s clearly paying off. With services like Azure Sentinel, they continue to mature and expand their focus on monitoring and securing various resources, from networks and IoT devices to apps, SQL databases, storage, and containers. They can even integrate this monitoring into Azure DevOps and GitHub, providing visibility down to the pipeline level.
Whether it’s a server running on premise or a Kubernetes cluster running on Google cloud, you can monitor health and performance, analyse performance metrics and logs, and get notified via alerts. Integration into service management tools like ServiceNow raises tickets automatically, and Azure can be configured to perform automated remediation actions.
Another underutilised but impressive tool is Azure Policy, which allows you to put guardrails around resource configuration. This can be as simple as controlling which resources are allowed to be deployed, or as complex as specific security configuration. With hundreds of policies covering various resource types, the degree of control is extensive. These policies can be used to either enforce or audit configuration.
Azure policy can ensure compliance to regulatory controls, with set compliance initiatives that provide reporting on ISO27001, MIST, PCI, and more, giving you an overall view of compliance.
If you want to manage right down to the hardware for your on-premise infrastructure, you can look at Azure Stack HCI.
Developed by Microsoft in conjunction with hardware vendors such as HPE, Dell, and Lenovo, Azure Stack HCI is an ideal solution for extending Azure management down to the hardware layer. This hyper-converged solution includes software-defined storage, SD networking, Windows, Linux, SQL, Kubernetes, virtual desktops, and Azure services utilising Arc. It’s flexible by design. You can start with a single node and scale up to a 16-node cluster, have the option to stretch the cluster across sites, and scale up to 16 petabytes of storage. You can centrally manage everything right down to the hardware level, applying policies and management from Azure.
Forrester evaluated the impact of early Azure Arc adoption on businesses, and the results were significant. In a composite organisation, IT operations productivity increased by 30%, spending on third-party tools decreased by 15%, and the projected return on investment (ROI) reached an impressive 206%.
However, regardless of what these figures look like in your organisations, by establishing a unified governance and management framework and applying a standard set of policies for all workloads you are bound to achieve reduced risk in your organisation.
You may think I’m looking at this from a very cloud centric viewpoint; but there are benefits to this approach. These cloud services are designed to work at scale. Like all cloud services they are always up to date, and you don’t have to worry about managing the toolset itself – just what you do with it.
I was talking to our CIO recently, and he remarked on how his team has changed over the last few years. Now that there are a lot of services, they no longer have to worry about working to keep the lights on. Instead, they can fully focus on higher return activities.
A robust plan around cloud policies, procedures, and guidelines helps us better balance digital transformation and mitigation of risks. However, there is an overarching governance lens I haven’t talked about yet – cost management. It’s a whole other topic of its own. Join me as we explore this more in Part 2 of this blog, where I discuss why cost management cannot be ignored.
Connect with a Data#3 Azure Solution Specialist to learn what Azure Arc and Azure Stack HCI could look like in your environment. Take advantage of Data#3’s Azure Hybrid Launchpad offering – an introduction to Azure Arc and Azure Stack HCI covering pre-requisites, platform requirements, sizing, connectivity and deployment options.