4 keys to Azure governance: Rik Hepworth's advice on managing your environment

Whether you’ve just started working in the cloud or your organization has been in it for years, it’s always worth your time to think about cloud governance. Rik Hepworth (@rikhepworth), Microsoft Azure MVP and chief consulting officer at Black Marble, reviews the four foundations of cloud governance to help you understand why it's so important and how to implement or review your governance practices. 

Troubles in the cloud don’t arise simply because costs are spiralling out of control, the wrong tools are being used, or the wrong people have access to the wrong environments. During his presentation at Deploy, ShareGate’s expert-led event focused on Azure, Microsoft MVP Rik Hepworth explained that while these issues may seem separate from one another, they all stem from the same problem: a lack of Azure governance.

Ensuring data is secure and stored in the right places, both in terms of your Azure environment and Azure geographical locations, is crucial—especially if you’re handling other businesses’ sensitive information.

Thankfully for us, Rik was willing to share his insights on creating a governance plan that ensures your organization remains fast, flexible, and cost effective while keeping your data secure.

ShareGate has been helping IT professionals succeed in the cloud for over a decade. We hope this blog helps you better understand Azure governance. But if you’re looking for a tool to make managing Azure even easier, check out how ShareGate Overcast can give you better visibility and control in Azure.

You can watch Rik’s one-hour Deploy presentation to catch all of his details, anecdotes, and quips—or keep reading for a recap of the four core aspects of governance that he covered. 

What are the biggest Azure issues caused by lack of governance?

As a consultant, Rik has worked with many different organizations’ cloud environments—which means he’s seen all different types of setups, requirements, and approaches to working in the cloud. He’s also seen how things can go sideways when there isn’t a well-thought-out governance strategy.

“It’s the forgotten cloud killer; it’s the underlying reason why most cloud projects fail,” says Hepworth.

When you don’t have a strategy in place, you’ll often end up with:

  • Unexpected Azure costs 
  • Data outside accepted jurisdictions 
  • No audit trails 
  • No way to associate cost with department 
  • Component services unavailable in acceptable regions 
  • Unsecured personal data 

One of the benefits of working in the cloud rather than on-prem is that you only have to pay for the resources you’re using. And IT pros often sell cloud migration to upper management by explaining that it will be cheaper. But if you don’t have a governance strategy in place, or a third-party tool to help you manage your Azure costs, chances are that your Azure bill will be a surprise every month.  

The solution to all of these problems? Well-thought-out Azure governance.

Governance is something everyone on your team can benefit from. It helps ensure that you’re all on the same page, using the same systems, and staying on track—it shouldn’t be seen as a hindrance or a way to restrict your team.

“You don’t want to restrain your developers, but you need some kind of guardrails, a plan or framework, to make sure they can’t suddenly veer off the path and do things to introduce business risks or skyrocket costs.”

Now that we understand why governance is so crucial, let’s talk about how to set up your own governance plan keeping in mind the four essential pillars of governance: security, spending, technology, and location.

1. Build an Azure security governance plan

When we talk about governance, usually the first thing people think about is security governance. But according to Rik, it’s also typically the most mismanaged form of governance.  

Make use of Azure Active Directory

The most important aspect of security governance is how you manage identities in Azure. Some organizations just allow their users access to Azure with their Microsoft email accounts rather than creating identities for their users in Azure Active Directory (Azure AD). “This is usually fine—until it isn’t,” cautions Hepworth. 

It usually doesn’t get too extreme, but there are cases where a disgruntled employee can cause massive internal damage if safeguards aren’t in place. As a consultant, Rik has seen cases of an employee stealing from a business and then also purging their source code repo.

Microsoft has procedures in place to help you retrieve a stolen subscription, but it takes time and legal action to re-establish your environment. And even after a company’s subscription is re-established, they may suffer significant loss of data that was either intentionally destroyed or that only exists for short time periods. 

With Azure AD auditing you can spot some of the steps being taken and prevent significant damage—such as theft, or in more common and less concerning cases, your users veering off in the wrong direction. 

Who should have access to what?

Putting security measures in place is not about distrusting employees. Employees are what make a successful business; you should trust your team. But you should also have controls in place and alarms set to go off if someone is doing something they shouldn’t be.  

So there are questions you need to ask yourself:  

  1. Do we need to separate our development and production environments?  
  2. Do we need to restrict what our developers can access in those environments?  

Every organization’s needs and rules are different. But in general, Rik recommends (and ShareGate agrees!) that your development and production environments should be separate—and that access in the former should be very open, whereas access in the latter should be tighter.  

“We want to make sure we grant developers the access they need at the point that they need it.” 

Rik Hepworth

There’s a balance to strike between ensuring your data is safe and ensuring that your team can work efficiently.   

And again, if your business deals with other organizations’ data, it’s important to take your customers’ security needs into account.

When it comes to provisioning and managing encryption keys and secrets, you might want to use Azure Key Vault or secret servers, or put a verification step in place that prevents any keys in your code from making it through to production, so that your customers’ data stays secure.
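One way to implement the verification step described above, as an added example that is not from Rik's talk or from ShareGate: a release gate that fails when files contain Azure credential shapes. The rule names, file names and sample values are constructed for illustration, and the two patterns are not exhaustive.

```python
import re
import sys

# Illustrative rules for common Azure credential shapes (not exhaustive).
RULES = {
    # Storage account keys are 64 bytes, i.e. 88 base64 characters ending "==".
    "storage-account-key": re.compile(r"AccountKey=[A-Za-z0-9+/]{86}=="),
    # Shared access signature carried in a URL query string.
    "sas-signature": re.compile(r"[?&]sig=[A-Za-z0-9%+/]{40,}"),
}

def scan_text(path, text):
    """Return (path, line number, rule) for every line that matches a rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            if pattern.search(line):
                findings.append((path, lineno, rule))
    return findings

def gate(files):
    """files maps path -> contents. Returns (ok, findings); ok is False on any hit."""
    findings = [f for path, text in files.items() for f in scan_text(path, text)]
    return (not findings, findings)

# Constructed sample inputs; none of these values is a real credential.
FAKE_KEY = "A" * 86 + "=="
SAMPLE_FILES = {
    "appsettings.Production.json": (
        "{\n"
        '  "Storage": "DefaultEndpointsProtocol=https;AccountName=example;AccountKey='
        + FAKE_KEY + '",\n'
        # A Key Vault reference names the secret instead of containing it.
        '  "Sql": "@Microsoft.KeyVault(SecretUri='
        'https://example-vault.vault.azure.net/secrets/sql-conn/)"\n'
        "}\n"
    ),
    "deploy.sh": "curl 'https://example.blob.core.windows.net/c/b?sv=2020-08-04&sig="
                 + "B" * 43 + "%3D'\n",
    "README.md": "Secrets live in Key Vault; ask the platform team for access.\n",
}

if __name__ == "__main__":
    ok, findings = gate(SAMPLE_FILES)
    for path, lineno, rule in findings:
        print(f"{path}:{lineno}: {rule}")  # the matched value itself is never printed
    sys.exit(0 if ok else 1)
```

Run as a pipeline step, the non-zero exit code blocks the release until the value is moved into Key Vault and the exposed key is rotated.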

Whatever guardrails you want to put up as part of your Azure security, make sure that everyone on your team understands the guidelines and how to get access to what they need.  

2. Establish an Azure spending plan 

Putting a plan in place to manage your Azure costs doesn’t mean that you have to go for the cheaper option every time. It’s not that you should always use Azure Functions over Azure App Service because Azure Functions tends to be less expensive.  

You should pick the right technology for your project. But even then, you want to make sure the costs you’re incurring are appropriate.  

Understand what you're paying for

You need to be able to see what’s going on in your Azure environment to get accurate and timely cost reporting and receive alerts if something goes wrong. Azure offers services and tools to help you do some of these things; you can do others manually, or use third-party tools that help you organize and optimize your Azure costs.

One of the selling points of moving your workload to the cloud is that you only pay for what you use. But in reality, many of us are paying for idle, abandoned, and redundant resources. Sometimes we’re saving a VM or storage space for an upcoming project—but more often than not, we simply aren’t aware of all the resources we have in our environment.  

If you can compare this month’s spend to last month’s—or measure how a project is progressing in relation to its monthly budget—you have a better chance of catching anomalies in your Azure spending. 

This is especially important if you’re providing cloud services to your customers; if you can’t accurately work out what resources you’ve used, then you can’t accurately charge for your work, which leads to lost revenues. 

In addition to giving insights into how you’re currently spending money in Azure, having visibility over your Azure costs can help you better plan for the future.  

Sharing responsibilities

Having this kind of clarity over your environment can help you set realistic budgets and hold teams accountable for their spending. You can even ask your teams to include a cost estimation phase in the planning stage of a project, ensuring that everyone is keeping costs top of mind. 

Being able to share these types of cost management responsibilities with other members of your team can yield great results.  

If you notice that there’s a spike in resource usage in a particular project, you can reach out to the owner of the project where the anomaly was detected to figure out what’s happening, why, and how to resolve it.

You can also make sure to include owner tags in your Azure tagging conventions so that in addition to the project lead, you can go directly to the resource owner to address the problem and come up with a solution. 

When you add a resource owner tag, you can view Azure costs grouped by owner to get a better sense of what projects and departments are spending.

At the end of the day, it’s not about penny pinching; it’s about having visibility and clarity to make sure that you’re spending your money on what you actually need.  

It takes a good governance plan and a significant amount of work to lay the foundation for this kind of visibility and teamwork, but once you have it, cost optimization will be significantly easier. 

3. Create a technology strategy for the cloud

The reason to establish guidelines for what types of technology to use for different situations is to ensure that your business is working as efficiently as possible.

Most people working as developers and cloud architects do what they do because they love trying new services and tools, learning new processes, and building solutions that are better, faster, and cheaper.

Learning how to use new Azure tools is great! But it can sometimes introduce new risk, like the time it takes to learn how to use the new technology and how to scale up with it.

Before deciding which Azure service would work best for your project, it’s important to first determine your team’s skills with that service, what your other options are, how it stores your data, and whether or not you can even use that service in your Azure region.

“There’s a lot to be said about the ‘stick to what you know’ approach as you dip your toe into Azure,” says Hepworth.

Sometimes we get excited about the idea of using a new service simply because it’s new. And one of the great things about working in Azure is that Microsoft constantly updates and releases new services. But if there’s a service your team is more familiar with that will garner similar results, it might make more sense to stick with what’s already working.

The new service might still be in preview, in which case you should ask yourself: Do we want to spend time and resources learning how to use it if we’re not sure it will ever be released from preview? Or a service might not be available yet, or might be more expensive, in your region. If so, are you able to securely run it in a different region?

These are all questions you should consider when creating Azure technology guidelines. And they should be considered guidelines—principles and preferences rather than immutable rules—because you may need to override them at some point.

Remember, you don’t want governance to be a straightjacket for developers. So, as important as it is to create these guidelines and ensure that everyone on your team understands and follows them, it’s equally important that your team knows how to trigger a review of those principles later if they think it’s worthwhile to try something new.

4. Develop Azure location governance

Microsoft Azure’s datacenters are organized and made available to end users by region. Azure currently has regions in 140 countries across all the habitable continents (sorry Antarctica), but not all regions are built the same.  

Some Azure regions only allow particular VM sizes. Others charge differently for the same services—something Rik was abruptly reminded of when Azure services in the UK came with a 20% surcharge after Brexit.  

In some cases, if you want to use the nearest servers to ensure the best security and speed, you might just have to deal with higher costs and limited VM sizes. But in other cases, you may be able to do your cloud work in a different region that still makes sense for your business.

Whatever the case, you should have guidelines in place for how your team will take into account and make decisions based on Azure regions.  

If your business provides services or hosts data for other organizations, they might prefer that you do so in their region rather than in yours. If you have customers from different parts of the world, this could mean that you need to build out an Azure environment that’s geographically distributed.  

If you handle your customers’ cloud computing, part of your Azure location governance plan should take into account your customers’ location governance plan. Maybe your customer has their own customers in a third location and that's the Azure region you should be using.

It’s important to build these questions into the development process so that you don’t get halfway through a project and realize that you’re in the wrong location, causing you to start over or change your plans mid-project.
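The owner-tag convention from the spending section and the region guidelines above can be checked together against a resource inventory. The following is an added example, not from the talk or from ShareGate; the allowed regions, resource names and the monthly_cost field are assumptions made for illustration.

```python
from collections import defaultdict

ALLOWED_LOCATIONS = {"uksouth", "ukwest"}  # assumption: this organization's approved regions
REQUIRED_TAGS = ("owner",)                 # from the tagging convention

# Constructed inventory in the shape of `az resource list` JSON output, with a
# hypothetical monthly_cost field joined in from a cost export.
RESOURCES = [
    {"name": "vm-build-01", "location": "uksouth",
     "tags": {"Owner": "alice@example.com"}, "monthly_cost": 120.0},
    {"name": "stlegacydata", "location": "eastus",
     "tags": None, "monthly_cost": 45.5},
    {"name": "sql-reporting", "location": "ukwest",
     "tags": {"owner": "alice@example.com", "project": "reporting"}, "monthly_cost": 80.0},
    {"name": "dns-example", "location": "global",
     "tags": {"owner": " "}, "monthly_cost": 1.0},
]

def _tags(resource):
    # Untagged resources come back with tags set to null; tag names are case-insensitive.
    return {k.lower(): (v or "").strip() for k, v in (resource.get("tags") or {}).items()}

def audit(resources, allowed=ALLOWED_LOCATIONS, required=REQUIRED_TAGS):
    """Return (resource name, problem) for each missing tag or disallowed region."""
    violations = []
    for r in resources:
        tags = _tags(r)
        for name in required:
            if not tags.get(name):
                violations.append((r["name"], f"missing tag: {name}"))
        location = r["location"].lower()
        # Non-regional services report "global" and are not pinned to a region.
        if location != "global" and location not in allowed:
            violations.append((r["name"], f"location not allowed: {location}"))
    return violations

def cost_by_owner(resources):
    """Sum monthly cost per owner tag; spend with no usable owner is surfaced separately."""
    totals = defaultdict(float)
    for r in resources:
        totals[_tags(r).get("owner") or "(untagged)"] += r["monthly_cost"]
    return dict(totals)

if __name__ == "__main__":
    for name, problem in audit(RESOURCES):
        print(f"{name}: {problem}")
    print(cost_by_owner(RESOURCES))
```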

Creating a cloud governance plan is a huge first step in making sure that your Azure environment is organized, efficient, and secure. But once you’ve built it, you need to implement, reinforce, and review it on an ongoing basis.  

Your team is going to change after you implement your governance plan—some will leave or change roles, and you’ll hire new people too. You want to make sure that your Azure governance plan is enshrined in some set of documentation and actually used by your team so that regardless of how your team evolves over time, it will still follow a thoughtful governance strategy.  

This can add up to a lot of manual labour. If you’re looking for a simpler way to manage your Azure environment, consider starting a free trial with ShareGate Overcast.  
