[Book preview] Do you really need a cloud governance plan?


One of our favorite Ignite 2019 moments was the release of author, speaker, and IT extraordinaire Jussi Roine's second book. A sequel to Modern Business Powered by Microsoft Azure, which introduced Microsoft's public cloud offering and its value and potential for organizations of all types and sizes, Volume II focuses on one of the most critical aspects of maintaining healthy IT environments: governance.

Here's an excerpt from the book, which you can download for free right now! Enjoy!

What is governance, and why should you care?

I’ve spoken and written about governance for a long time already. A pessimist might state that governance is a long and arduous process; one that ultimately produces a hefty document stating what is and isn’t allowed in a given environment. Also, nobody will read it.

Wikipedia’s short and succinct definition of IT governance, on the other hand, is quite likeable:

IT governance primarily deals with connections between business focus and IT management. The goal of clear governance is to assure that investment in IT generates business value and mitigates the risks that are associated with IT projects.

The essential phrase here is connections between business focus and IT management. The two are often intertwined yet disconnected in practice; both are critical functions, and the connection between them is the core of governance in our context.

As part of an overarching umbrella term called Azure Management, governance is critical. It consists of the following services within Azure:

  • Management groups
  • Resource Graph
  • Policy
  • Blueprints
  • Azure Lighthouse

We’ll walk through all these services in more detail throughout this book. For now, suffice to say that management groups are the governing body for what can and cannot be done within an Azure subscription (or through multiple subscriptions). Policies and Blueprints tie individual (and sometimes minuscule) rules together, and Resource Graph acts as an intermediate for exploring and querying across resources.

Azure Lighthouse is the latest addition to this collection of services, bringing more advanced and sophisticated management capabilities for managing multiple Azure tenants through delegated access. While it isn’t strictly part of the ethos, pathos, and logos of Azure Management, it’s the kairos for bringing clarity into managing multiple—often disparate—Azure tenants.
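To make the relationship between management groups and Policy concrete, here is an added example (not code from the book): a custom policy that audits resources with no owner tag, assigned at a management group so that it is inherited by every subscription beneath it. The management group name, the tag name and the module setup are assumptions; the cmdlets are from the Az.Resources and Az.PolicyInsights modules.

```powershell
# Added example (not from the book): define a custom Azure Policy that audits
# resources missing an 'owner' tag and assign it at a management group, so the
# rule flows down to every subscription beneath it.
# Assumptions (hypothetical): management group 'mg-corp' exists, the Az.Resources
# and Az.PolicyInsights modules are installed and Connect-AzAccount has been run.

$mgName = 'mg-corp'   # placeholder management group name
$mg = Get-AzManagementGroup -GroupName $mgName

# The policy rule: flag any resource where the 'owner' tag does not exist.
# 'audit' only reports non-compliance; switch to 'deny' once the estate is clean.
$rule = @'
{
  "if": {
    "field": "tags['owner']",
    "exists": "false"
  },
  "then": {
    "effect": "audit"
  }
}
'@

# Indexed mode evaluates only resource types that support tags and locations,
# which is what a tag policy needs.
$definition = New-AzPolicyDefinition `
  -Name 'audit-missing-owner-tag' `
  -DisplayName 'Audit resources without an owner tag' `
  -Description 'Every resource must carry an owner tag so someone is accountable for it.' `
  -Mode 'Indexed' `
  -Policy $rule `
  -ManagementGroupName $mgName

# Assign at management group scope: inheritance is what makes management groups
# the governing body over many subscriptions at once.
New-AzPolicyAssignment `
  -Name 'audit-owner-tag' `
  -DisplayName 'Audit owner tag (all subscriptions)' `
  -Scope $mg.Id `
  -PolicyDefinition $definition

# Later, list the non-compliant resources for this assignment across the whole group.
Get-AzPolicyState -ManagementGroupName $mgName `
  -Filter "PolicyAssignmentName eq 'audit-owner-tag' and ComplianceState eq 'NonCompliant'" |
  Select-Object ResourceId, ResourceType, Timestamp
```

Starting with an audit effect rather than deny is deliberate: it surfaces the untagged resources that already exist without blocking anyone's deployments, which is the usual first step before tightening the rule.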

Does governance matter?

If you’re the type that casually browses tech news online, perhaps listens to podcasts and attends conferences with talks on interesting matters, governance probably isn’t the most exciting topic you’ve come across.

About a year ago I did a talk on Azure Governance for a somewhat diverse and broad audience. A good friend of mine was in the speaker room with me before my talk, as I was doing final checks and preparations for my session.

I’m a seasoned speaker, having done thousands of presentations, workshops and classroom training, but I’m still very adamant in verifying everything is top-notch for a delivery.

My friend casually asked what my session was about, as he works mostly on Office 365 and the productivity side of things—thus, with a little less technical viewpoint to cloud-based services and solutions.

I told him it was about Azure governance. Without missing a beat, he pretended to fall asleep and snore.

Yes, that’s governance for you—or, at least, a not-so-uncommon perception of what governance can be. Don’t worry—my goal isn’t to put you to sleep with this book.

The next wave of cloud adoption

As I wrote in my previous book, many companies and other organizations are now riding the second wave of cloud adoption.

The first wave was all about lifting and shifting those ugly gray boxes with blinking lights and noisy fans to the cloud. This mostly meant moving physical servers to virtual machines, or moving existing virtual machines to the cloud.

There’s nothing inherently wrong or painful about this, but the fact of the matter was—and still is—that nothing really changes with this approach. Perhaps you’ll save a bit on your electric bill, and you’ll certainly benefit from enhanced security in some scenarios. But other than that, for many companies, the first wave of cloud adoption was a matter of moving existing problems from one hand to the other.

The second wave is proving to be more mature, with a focus on integrations and cloud-native approaches.

By shifting virtual machines and other monolithic custom implementations to more agile, modern, and flexible environments, companies can finally begin to reap the gains of public clouds. No more rebooting servers after Microsoft’s Patch Tuesday, no more Windows or Linux upgrades, and no more XCOPY-deployments to critical production servers.

For organizations already embracing the cloud, this second wave represents an intersection of sorts.

The truth is: a lot of businesses choose the first option. “It’s the cloud!” they say. “Don’t worry, we can just delete the old stuff.” But they rarely, if ever, will.

The creeping consequences of improper governance

I’ve surveyed and analyzed dozens of Azure environments that had either been outright forgotten or were in dire need of cleaning up. Perhaps the administrator had changed companies, or maybe someone provisioned a new corporate-owned Azure without realizing that an Azure tenant was already registered under a Microsoft Account-based identity. What these environments typically have in common is a collection of resources like this:

  • Virtual machines that are stopped (shut down) with names like PRODUCTIONWEB01 and SQL2008PROD. You can see the problem this introduces.
  • Azure Functions (part of the serverless paradigm, allowing custom code to be executed without managing servers) that are undocumented, and either executing dozens of times a second or no longer executing at all
  • Multiple empty or seemingly abandoned virtual networks (VNets) that still have some traffic going in and out

The list goes on.

This type of situation denotes obvious security issues. Perhaps it means that nobody is monitoring and reacting to alerts, Azure Advisor messages, or Azure Security Center notifications. Perhaps the problem is that no one is in charge of validating Azure invoices, as they look more or less the same each month, so everything appears to be in order.
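The inventory described above is exactly what Azure Resource Graph is for. The following is an added example, not code from the book: three queries that look for stopped production-looking VMs, Function Apps with no owner tag, and virtual networks with no subnets, across every subscription the signed-in identity can read. The 'owner' tag name and the module setup are assumptions, and the "prod" name match is a heuristic, not a standard.

```powershell
# Added example (not from the book): use Azure Resource Graph to inventory the
# kinds of forgotten resources described in the text. Assumes the
# Az.ResourceGraph module is installed and Connect-AzAccount has been run; the
# 'owner' tag name is an assumption about the organisation's tagging scheme.

# 1. Stopped or deallocated VMs whose names suggest production. A stopped VM
#    still keeps its disks, NICs and public IPs, and nobody is patching it.
#    KQL 'contains' is case-insensitive, so PRODUCTIONWEB01 and SQL2008PROD match.
$stoppedProdVms = @'
Resources
| where type =~ 'microsoft.compute/virtualmachines'
| extend powerState = tostring(properties.extended.instanceView.powerState.code)
| where powerState in~ ('PowerState/deallocated', 'PowerState/stopped')
| where name contains 'prod'
| project name, resourceGroup, subscriptionId, powerState, owner = tostring(tags['owner'])
'@

# 2. Function Apps with no owner tag, i.e. undocumented code that runs (or has
#    silently stopped running) on your behalf.
$unownedFunctions = @'
Resources
| where type =~ 'microsoft.web/sites' and kind contains 'functionapp'
| where isnull(tags['owner']) or isempty(tostring(tags['owner']))
| project name, resourceGroup, subscriptionId, state = tostring(properties.state)
'@

# 3. Virtual networks with no subnets at all. Resource Graph does not see
#    traffic; whether an abandoned VNet still carries packets has to come from
#    NSG flow logs or Network Watcher, so treat this as a starting list only.
$emptyVnets = @'
Resources
| where type =~ 'microsoft.network/virtualnetworks'
| where array_length(properties.subnets) == 0
| project name, resourceGroup, subscriptionId, location
'@

foreach ($q in @(
    @{ Label = 'Stopped production-looking VMs';   Query = $stoppedProdVms },
    @{ Label = 'Function Apps without an owner';   Query = $unownedFunctions },
    @{ Label = 'Virtual networks with no subnets'; Query = $emptyVnets }
)) {
    Write-Host "=== $($q.Label) ==="
    # -First caps the page size; use -SkipToken to page through larger estates.
    Search-AzGraph -Query $q.Query -First 1000 | Format-Table -AutoSize
}
```

Each query returns the subscription and resource group alongside the name, which is what you need to find an accountable person; running it on a schedule and diffing the output is a cheap way to notice when nobody is watching an environment.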

We need governance for the same reasons cities need stop signs and speed limits. Without clear boundaries and best practices, things tend to rapidly devolve into chaos.


Get started with governance the right way!

Learn the ins and outs of cloud governance and how it can benefit your Azure environments in our new book, Modern Business Powered by Microsoft Azure: Governance.
