What Are the Benefits of a Cloud Governance Model for Feds?
In its most basic sense, a governance model is how agencies establish which people have access to which resources and under which circumstances. Everything then flows from that model.
If an IT leader knows that certain personnel have access to create new cloud resources, then when those resources are created, the leader can ascribe that activity to specific individuals. Any resources that are spun up, whether that means a new virtual machine or a database, can be tied to a person and specific purpose.
There are several important consequences of this in the cloud context. One is related to security, as governance allows IT leaders to know that the creator of the resources was supposed to do so and that the activity was legitimate. Role-based access control can ensure that only the people who need access to create cloud resources can have that access, and only under certain conditions.
Additionally, cloud governance enables agencies to more accurately budget for what their cloud costs are going to be. Since leaders know that only certain people can create cloud resources under specific circumstances, they can more accurately predict how many cloud resources will be used.
How to Implement Cloud Governance for Federal Agencies
In practice, cloud governance boils down to a series of written policies that identify roles, access and conditions for cloud resource creation.
These policies are important because with cloud, it can be easy for too many people to have too much access to create resources. From a budgetary standpoint, governance makes it easier to pinpoint the actual use of resources.
From a technical perspective, agencies should also, as a best practice, make sure they are tagging all of their cloud resources. This can help agencies get a granular level of detail on what is being used and is important from a budgetary perspective.
For example, let’s say someone in the agency has access to virtual machines that are being used for four different projects. By tagging the resources properly, an agency can have visibility into what projects the VMs are connected to and billed to. If one project is at 97 percent of its budget for cloud and another is only at 6 percent, it is critical to know if something is being spun up for the project at 97 percent, since that might push the project over budget.
The creation of cloud governance should be a partnership between IT departments, cybersecurity departments and business or mission areas. Agencies can and should avail themselves of trusted third parties to help them with cloud governance creation.
Ideally, agencies should move toward an Infrastructure as Code model, in which personnel only have permission to deploy cloud resources that are in the cloud repository or IaC code library they are using. That will ensure that expensive cloud resources are not being accidentally spun up.
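A pre-deployment gate that combines the role-based access, tagging and IaC-library controls described above, as an added example that is not from the original article. The module names, roles, tag keys, costs and budgets are constructed for illustration; the two sample projects mirror the 97 percent and 6 percent scenario.

```python
from dataclasses import dataclass, field

REQUIRED_TAGS = ("project", "owner")  # assumed agency tagging policy

# Constructed sample data: approved IaC modules and estimated monthly cost (USD).
CATALOG = {"vm-small": 120.0, "vm-gpu": 2400.0, "postgres-db": 600.0}
# Constructed role grants: which catalog modules each role may deploy.
ROLE_GRANTS = {"app-developer": {"vm-small"},
               "data-engineer": {"vm-small", "postgres-db"}}
# Constructed budgets per project: (monthly budget, spend to date).
BUDGETS = {"alpha": (10000.0, 9700.0),   # at 97 percent of budget
           "bravo": (10000.0, 600.0)}    # at 6 percent of budget

@dataclass
class Request:
    user: str
    role: str
    module: str
    tags: dict = field(default_factory=dict)

def evaluate(req, catalog=CATALOG, grants=ROLE_GRANTS, budgets=BUDGETS):
    """Return policy violations; an empty list means the deployment may proceed."""
    violations = []
    # Every resource must be attributable to a project and a person.
    missing = [t for t in REQUIRED_TAGS if not req.tags.get(t, "").strip()]
    if missing:
        violations.append("missing tags: " + ", ".join(missing))
    # Only modules in the approved IaC library may be deployed, and only by granted roles.
    if req.module not in catalog:
        violations.append(f"module '{req.module}' is not in the approved IaC catalog")
    elif req.module not in grants.get(req.role, set()):
        violations.append(f"role '{req.role}' may not deploy '{req.module}'")
    # Project the tagged project's spend forward before anything is created.
    project = req.tags.get("project", "").strip()
    if project and project not in budgets:
        violations.append(f"unknown project '{project}'")
    elif project and req.module in catalog:
        budget, spent = budgets[project]
        projected = spent + catalog[req.module]
        if projected > budget:
            violations.append(
                f"project '{project}' would reach {projected / budget:.0%} of budget")
    return violations

if __name__ == "__main__":
    tags = {"project": "alpha", "owner": "jdoe"}
    print(evaluate(Request("jdoe", "data-engineer", "postgres-db", tags)))
```

Running the same request against the project at 6 percent returns no violations, while the project at 97 percent is blocked before the resource exists.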
Cloud governance should be an extension of the on-premises governance an agency has for access to in-house IT resources, and the same policies should govern access in the cloud. That will help make the process smoother, and agencies won’t have to reinvent the wheel.
No one wants to be surprised, either by an expensive couch randomly appearing in their house or by a costly cloud bill. Governance ensures that agencies can understand what is running in their cloud environment, who has access to it, who created it, how much it costs and how long the resources will last.