The Six Steps to Effective Cloud Governance

Achieve the fastest path to successful cloud adoption through effective enterprise cloud governance.

Moving to the cloud is essential for enterprises to compete and thrive. But most companies struggle to understand and manage their risk. Cloud presents critical governance challenges that, left unaddressed, threaten the financial health, regulatory compliance, reputation, and customer trust that are existential requirements for almost every organization.


Fortunately, the experts at Concourse Labs have created a framework that enables enterprises to observe and manage their cloud risk. By implementing these six steps, companies can achieve effective governance in the cloud.

Read on to learn about:

  • The critical and fundamental steps all enterprises should adopt on their digital transformation journey to avoid catastrophic business impact.
  • How Concourse developed a six-step framework that is continuous and ongoing, delivered via a SaaS platform that automates every aspect of cloud governance.
  • The combination of technology and deep enterprise experience that gives security teams the visibility and control they need, while freeing developers to innovate at cloud speed and scale.

Table of contents

Step 1: Assess the Current State of Your Cloud Risk
Step 2: Create, Test and Manage Policies
Step 3: Establish a Preventative First Line of Defense in Your Agile Development Process
Step 4: Continuously Monitor Cloud Usage as a Second Line of Defense
Step 5: Use Predictive Analytics and AI to Identify Anomalous Behavior and Recommend Policies and Controls
Step 6: Evaluate and Protect the Ecosystem
Conclusion

Step 1: Assess the Current State of Your Cloud Risk

The starting point for improvement is knowing your current risk posture. It is essential to inventory every application and service used in each of your clouds and assess it against these nine critical criteria:

  • Allowed services: Are only appropriate services being used?
  • Encryption at rest: Do all stateful services encrypt data?
  • Restrict internet ingress: Is ingress connectivity from the internet restricted only to appropriate applications?
  • Restrict internet egress: Is egress connectivity to the internet restricted only to appropriate applications?
  • Allowed regions: Is account access restricted to appropriate regions?
  • Secure perimeter: Are applications implementing virtual perimeters around themselves? Are these perimeters provably secure?
  • External network connectivity: Are cloud services able to interact only with appropriate external applications and data?
  • Change management: Are policies approved, deployed and modified only by appropriate people?
  • Custom policies: Additional policies specific to each organization.

This process can prove challenging because most organizations do not have good visibility into their actual cloud usage. Additionally, evaluating that use for conformance with basic policies can be laborious, taking weeks or months.

Concourse Labs has tools that make this process fast and simple. Using Concourse, enterprises can get a complete Cloud Governance Health and Risk Report in minutes.

Step 2: Create, Test and Manage Policies

With a baseline of risks and gaps in hand, the next step is to create effective policies to address those risks. These policies need to be described in ways that are unambiguous, so everyone in the organization understands their meaning, and the evaluation of an application’s state of compliance is provable and repeatable. They also need to apply across all platforms; otherwise, policies are fragmented, and a consistent governance framework cannot be ensured.

To keep up with the pace of agile development, the rate of change in the cloud, and the scale of cloud usage, policies must be codified in a manner that enables their evaluation to be automated. This requires some form of policy as code (ideally generated using no- and low-code techniques). Just as with software, policies become a core part of a company’s operations, and as such need to evolve and adapt to remain effective. They need rigorous testing, release management and version control. Establishing systems to do this becomes a core step in gaining control over cloud governance.

Concourse makes it easy to define a company’s policies as code and to test policies against all of their cloud usage, past and present. This ensures that new and updated policies accomplish their objectives, and exposes during the development phase unintended side effects which could be disruptive or even catastrophic if released into production. Concourse maintains a system of record of all policies and policy versions throughout history, enabling users to definitively prove their state of compliance at any point in time. And Concourse enables context-aware policies, tailoring policies to fit each part of the enterprise.

Step 3: Establish a Preventative First Line of Defense in Your Agile Development Process

Keeping non-compliant code from entering production is essential to managing cloud risk. That means the CI/CD process must include a review of every application release. This has historically been a challenge. Developers and security teams come from two different worlds, making communication and collaboration difficult. Developers are under pressure to innovate rapidly, while security teams are left manually reviewing every application release. These reviews slow application delivery, and the security backlog keeps growing.

In order to solve this dilemma, a new paradigm is needed. Instead of requiring security teams to review every application release, Concourse allows them to approve policies as code and then tests every application release automatically as part of the CI/CD toolchain. Validation times shrink from weeks or months to milliseconds. Policy violations are flagged, and developers are shown exactly where they occurred for easy and quick remediation. Developers don’t have to become security experts, and security teams don’t have to become cloud experts. The enterprise can innovate safely, at cloud scale and speed.
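To make the first three steps concrete, here is an added example in Python (not Concourse's code and not part of the original article) of a small policy-as-code evaluator. It encodes four of the Step 1 criteria as policies, provides a dry-run to test a new policy against the whole inventory before it is released (Step 2), and exposes a pass/fail gate for a CI/CD pipeline that reports the declaring template line for each violation (Step 3). The allowed regions and services, the public-port set and the sample inventory are all constructed assumptions.

```python
"""Added example, not Concourse's code: a minimal policy-as-code evaluator
covering four of the Step 1 criteria, a dry-run for testing a new policy
against the whole inventory (Step 2) and a CI/CD gate (Step 3).
Allowed regions/services and the inventory are constructed assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List

Resource = Dict[str, object]


@dataclass(frozen=True)
class Policy:
    id: str
    description: str
    check: Callable[[Resource], bool]  # returns True when the resource is compliant


@dataclass(frozen=True)
class Violation:
    policy_id: str
    resource_id: str
    location: str  # where the resource was declared, so developers can find it


ALLOWED_REGIONS = {"us-east-1", "eu-west-1"}      # assumption
ALLOWED_SERVICES = {"s3", "rds", "ec2", "lambda"}  # assumption
STATEFUL_SERVICES = {"s3", "rds", "ebs"}          # services that hold data
PUBLIC_PORTS = {80, 443}                          # only ports tolerated from 0.0.0.0/0


def encrypted_at_rest(r: Resource) -> bool:
    # Only stateful services hold data; anything else is out of scope for this check.
    return r["service"] not in STATEFUL_SERVICES or r.get("encrypted") is True


def restricted_ingress(r: Resource) -> bool:
    # Internet-wide ingress is tolerated only on the public web ports.
    return all(rule["port"] in PUBLIC_PORTS
               for rule in r.get("network_rules", [])
               if rule["direction"] == "ingress" and rule["cidr"] == "0.0.0.0/0")


POLICIES: List[Policy] = [
    Policy("allowed-services", "Only approved services may be used",
           lambda r: r["service"] in ALLOWED_SERVICES),
    Policy("encrypt-at-rest", "Stateful services must encrypt data", encrypted_at_rest),
    Policy("restrict-ingress", "Internet ingress only on ports 80/443", restricted_ingress),
    Policy("allowed-regions", "Resources only in approved regions",
           lambda r: r["region"] in ALLOWED_REGIONS),
]


def evaluate(inventory: List[Resource], policies: List[Policy] = POLICIES) -> List[Violation]:
    """Evaluate every resource against every policy; deterministic and repeatable."""
    return [Violation(p.id, str(r["id"]), str(r.get("source", "<runtime>")))
            for r in inventory for p in policies if not p.check(r)]


def ci_gate(inventory: List[Resource], policies: List[Policy] = POLICIES) -> bool:
    """Pipeline step: the release passes only when there are no violations."""
    return not evaluate(inventory, policies)


def impact(candidate: Policy, inventory: List[Resource]) -> List[str]:
    """Dry-run a new or changed policy against existing usage before releasing it,
    so an over-broad rule is caught in development rather than in production."""
    return [str(r["id"]) for r in inventory if not candidate.check(r)]


# Constructed sample inventory; 'source' points at the IaC template line that declared it.
SAMPLE_INVENTORY: List[Resource] = [
    {"id": "bucket-logs", "service": "s3", "region": "us-east-1", "encrypted": True,
     "source": "infra/storage.tf:12"},
    {"id": "db-orders", "service": "rds", "region": "ap-south-1", "encrypted": False,
     "source": "infra/db.tf:40"},
    {"id": "web-sg", "service": "ec2", "region": "us-east-1",
     "network_rules": [{"direction": "ingress", "cidr": "0.0.0.0/0", "port": 443},
                       {"direction": "ingress", "cidr": "0.0.0.0/0", "port": 22}],
     "source": "infra/net.tf:7"},
    {"id": "cache-1", "service": "elasticache", "region": "us-east-1",
     "source": "infra/cache.tf:3"},
]

if __name__ == "__main__":
    for v in evaluate(SAMPLE_INVENTORY):
        print(f"{v.policy_id}: {v.resource_id} ({v.location})")
    print("release allowed:", ci_gate(SAMPLE_INVENTORY))
```

A real evaluator would load the inventory from the provider's API or from the IaC plan; the point is that a policy is a pure, versioned function, so the same check runs identically in the pipeline and against recorded usage, and a candidate policy can be measured against past usage with `impact` before anyone is blocked by it.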

Step 4: Continuously Monitor Cloud Usage as a Second Line of Defense

Inserting governance into the development toolchain is a necessary start. But continuous monitoring of cloud usage at runtime is also necessary to catch drift, operational errors, attacks and shadow IT.

In the real world, “what should be” and “what is” are often different. Establishing continuous monitoring gives enterprises the ability to know – and prove – their actual risk posture. Such reports are necessary to provide reliable attestation to corporate boards, auditors, regulators, insurance providers, shareholders and other critical constituents.

Concourse provides continuous, near real-time monitoring of all your clouds and establishes your state of compliance at any point in time, current or historical. Monitoring is accomplished without any modification to applications and without the need to install agents. The actual state of cloud configuration is recorded in a time series database. This, along with a policy repository, provides an immutable system of record of the enterprise’s compliance posture throughout history. Reports can be generated showing the exact and provable compliance status for any point in time.

This observability was not possible before. Concourse ensures security and risk teams know what’s happening in their cloud and its implications for their business.
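As an added illustration of the second line of defense (example code, not Concourse's implementation), the Python below keeps an append-only history of configuration snapshots with point-in-time lookup and compares the declared state with what was actually observed. The hash chain that makes the record tamper-evident is an assumption about how such an immutable system of record could be built; the snapshots are constructed.

```python
"""Added example, not Concourse's code: an append-only, hash-chained record of
configuration snapshots with point-in-time lookup, plus a drift check between
the declared state (IaC) and the observed runtime state. The hash chain is an
assumption about how an immutable record could be built; all data is constructed."""
import bisect
import hashlib
import json
from typing import Dict, List, Optional

Config = Dict[str, dict]  # resource id -> observed attributes
GENESIS = "0" * 64


def digest(config: Config) -> str:
    """Canonical JSON so the same configuration always hashes the same way."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class ConfigHistory:
    """Time series of snapshots. Each entry links to the previous one by hash, so
    editing or reordering a past snapshot makes verify() fail."""

    def __init__(self) -> None:
        self._ts: List[int] = []
        self._configs: List[Config] = []
        self._links: List[str] = []

    def record(self, ts: int, config: Config) -> str:
        if self._ts and ts <= self._ts[-1]:
            raise ValueError("snapshots must be appended in time order")
        prev = self._links[-1] if self._links else GENESIS
        link = hashlib.sha256((prev + str(ts) + digest(config)).encode()).hexdigest()
        self._ts.append(ts)
        self._configs.append(json.loads(json.dumps(config)))  # store a private copy
        self._links.append(link)
        return link

    def at(self, ts: int) -> Optional[Config]:
        """Configuration in force at time ts (latest snapshot not after ts)."""
        i = bisect.bisect_right(self._ts, ts)
        return self._configs[i - 1] if i else None

    def verify(self) -> bool:
        """Recompute the chain; any altered snapshot breaks every later link."""
        prev = GENESIS
        for ts, cfg, link in zip(self._ts, self._configs, self._links):
            expected = hashlib.sha256((prev + str(ts) + digest(cfg)).encode()).hexdigest()
            if link != expected:
                return False
            prev = link
        return True


def drift(declared: Config, observed: Config) -> Dict[str, List[str]]:
    """'What should be' versus 'what is': resources added outside IaC (shadow IT),
    removed, or changed (operational error, attack)."""
    return {
        "added": sorted(observed.keys() - declared.keys()),
        "removed": sorted(declared.keys() - observed.keys()),
        "changed": sorted(rid for rid in declared.keys() & observed.keys()
                          if declared[rid] != observed[rid]),
    }


# Constructed sample data.
DECLARED: Config = {
    "web-sg": {"ingress_ports": [443]},
    "db-orders": {"encrypted": True, "public": False},
}
OBSERVED_T100: Config = json.loads(json.dumps(DECLARED))  # runtime matches IaC
OBSERVED_T200: Config = {
    "web-sg": {"ingress_ports": [443, 22]},               # someone opened SSH by hand
    "db-orders": {"encrypted": True, "public": False},
    "shadow-bucket": {"encrypted": False},                # created outside IaC
}


def build_history() -> ConfigHistory:
    h = ConfigHistory()
    h.record(100, OBSERVED_T100)
    h.record(200, OBSERVED_T200)
    return h


if __name__ == "__main__":
    h = build_history()
    print("chain intact:", h.verify())
    print("drift at t=200:", drift(DECLARED, h.at(200)))
```

Because `at()` answers "what was the configuration at this instant" from the recorded series rather than from the live account, a compliance report for any past date is reproducible, and `verify()` gives auditors a way to confirm the record itself has not been edited since.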

Step 5: Use Predictive Analytics and AI to Identify Anomalous Behavior and Recommend Policies and Controls

As Cloud Service Providers rapidly expand their already large set of cloud services, and as more (and more complex) applications move to cloud, it becomes unrealistic to expect staff to identify the complete set of required policies a priori. By using advanced analytics and artificial intelligence, enterprises can spot behaviour which may indicate previously unknown risks and automate the creation of policy recommendations. Using these technologies brings an additional level of protection to an enterprise’s cloud governance system.

Concourse combines its immutable records of cloud usage and policy with statistical modelling and AI techniques to flag unusual user behaviour, data transfers, privilege changes, network connectivity and other signals of potential risk. Staff can review these findings and decide where to focus. Policies can then be developed to protect against the risk, and workflows initiated to remediate the vulnerability.

This technology is also central to providing effective governance for applications built on Platforms-as-a-Service (PaaS). PaaS is typically a “black box” with limited introspection opportunities. By automatically comparing current behaviour to baselines, risks can be identified and assessed.
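The baseline comparison described above, as an added example (not Concourse's analytics): a robust per-principal baseline of daily egress volume built from the median and the median absolute deviation, which a single past spike does not distort, plus a suggested egress cap that could be turned into a policy. The MB figures, the seven-day minimum history and the 3.5 threshold are constructed assumptions.

```python
"""Added example, not Concourse's code: a robust baseline (median and MAD) over
per-principal daily egress volumes, flagging today's value when it deviates
far from the principal's own history, and suggesting an egress cap a policy
could enforce. Data below is constructed; thresholds are assumptions."""
import statistics
from typing import Dict, List, Tuple

MIN_HISTORY = 7     # days of history required before scoring (assumption)
THRESHOLD = 3.5     # robust z-score above which a value is anomalous (assumption)
MAD_SCALE = 1.4826  # makes MAD comparable to a standard deviation for normal data


def _median_and_scale(history: List[float]) -> Tuple[float, float]:
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history)
    scale = MAD_SCALE * mad if mad > 0 else 1.0  # flat history: avoid division by zero
    return med, scale


def robust_z(history: List[float], value: float) -> float:
    """How many scaled MADs today's value sits above (or below) the historical median."""
    med, scale = _median_and_scale(history)
    return (value - med) / scale


def assess(series: Dict[str, List[float]]) -> Dict[str, Tuple[str, float]]:
    """series: principal -> daily egress in MB, oldest first, last element is today.
    Returns principal -> (status, score). Principals with too little history are
    reported as such rather than silently scored against a meaningless baseline."""
    out: Dict[str, Tuple[str, float]] = {}
    for principal, values in series.items():
        history, today = values[:-1], values[-1]
        if len(history) < MIN_HISTORY:
            out[principal] = ("insufficient_history", 0.0)
            continue
        z = robust_z(history, today)
        out[principal] = ("anomalous" if z > THRESHOLD else "normal", round(z, 2))
    return out


def suggest_egress_cap(history: List[float]) -> float:
    """Policy recommendation: cap daily egress at median + THRESHOLD scaled MADs,
    i.e. the level at which this detector would fire anyway."""
    med, scale = _median_and_scale(history)
    return round(med + THRESHOLD * scale, 1)


# Constructed sample data (MB per day).
SAMPLE_EGRESS_MB: Dict[str, List[float]] = {
    "svc-etl": [1000, 1100, 1050, 1200, 1150, 1000, 1100, 1120],  # steady batch job
    "alice": [50, 60, 55, 70, 65, 80, 58, 9000],                  # sudden bulk transfer
    "new-role": [10, 12, 11],                                     # too new to baseline
}

if __name__ == "__main__":
    for who, (status, score) in assess(SAMPLE_EGRESS_MB).items():
        print(f"{who}: {status} (z={score})")
    print("suggested cap for svc-etl:", suggest_egress_cap(SAMPLE_EGRESS_MB["svc-etl"][:-1]), "MB")
```

Median and MAD are chosen over mean and standard deviation deliberately: one large transfer in the history would inflate a standard deviation enough to hide the next one, whereas the median baseline is unaffected until more than half the history is anomalous.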

Step 6: Evaluate and Protect the Ecosystem

Enterprises increasingly rely on third parties for critical parts of their value chain. Cloud services accelerate this trend, making it easy for companies to integrate their applications with each other through APIs. For an enterprise to ensure compliance with its policies, it becomes necessary to know the compliance status of third-party partners. Typically, this is done through contract terms: statements of intent, perhaps coupled with audit rights. But these terms do not evaluate and attest to the state of compliance of partners, nor is such evaluation typically practical, especially on a continuous basis. The partners may themselves be unaware of their state of risk and compliance. Critical intellectual property and private information may be exposed, and its owners are typically oblivious to the risk.

Thus, to have a comprehensive cloud governance regime, organizations must have the capability to know and prove the compliance posture of their entire ecosystem at every point in time.

Concourse provides this visibility, enabling enterprises to prove compliance across their ecosystem to governance bodies, auditors, regulators and customers.

Conclusion

Achieving effective enterprise cloud governance is a complex challenge. The six steps presented here are a proven path to success.

Source: Concourse Labs

Published by Thomas Apel, a dynamic and self-motivated information technology architect, with a thorough knowledge of all facets pertaining to system and network infrastructure design, implementation and administration. I enjoy the technical writing process, answering readers' comments included.