One of the toughest lessons I’ve learned as I’ve spent over a decade of my life helping organizations build cloud security programs is how it’s governance, not technology, that’s the real challenge. Yes, the cloud is a dark box full of invisible technical razor blades, but those are manageable with a little time and effort. The real pain isn’t around figuring out the tech, but in figuring out how the heck to govern all that tech.
Because the fastest path to failure is to treat cloud governance like your non-cloud IT governance.
Organizations that ignore cloud and let it run wild and free always end up in trouble, and organizations that try to enforce their existing governance end up with… just a different set of troubles.
One advantage of my role as a researcher and advisor was getting to see the inside of a wide range of organizations as they managed these issues, and I saw both successes and failures. Over time, patterns emerge. And when it comes to governance, I saw a few threads that seemed to tie things together. I call this The Grand Unified Theory of Cloud Governance:
- Cloud has no chokepoints, and thus no gatekeepers.
- All administrative and management functions are unified into a single user interface that is on the Internet.
- Protected with a username, password, and, maybe, MFA.
- Technology evolves faster than governance.
I believe this encapsulates the essential governance challenges of cloud computing, but to flesh it out further:
- Existing IT governance is the natural outcome of scarcity due to working within physical facilities. We evolved separate teams to manage disparate, complex technologies like networks, servers, and various facets of security.
- The physical constraints and scarce resources of a datacenter required business units and application/development teams to work with the platform owners like networking to obtain resources.
- Many of our governance processes depend on this natural scarcity and platform ownership. A random developer can’t simply provision their own public IP address since they don’t have any administrative control of the network.
- Cloud computing removes scarcity, boundaries and gatekeepers. A full class-B network is only a credit card and a few API calls away. Cloud providers also leverage automation to simplify many aspects of infrastructure management (at least on the surface).
- Many of the advantages of cloud computing are the direct result of the elimination of resource scarcity, gatekeepers, and manual configuration. Automation, infrastructure as code, and CI/CD deliver tremendous operational advantages, but they are fundamentally incompatible with existing governance built on scarcity and gatekeepers.
- However, cloud unifies all administrative controls to a single console/portal.
- Which is Internet-facing and protected by a username and password.
- Thus, cloud breaks existing governance models and forces organizations to adopt more-distributed governance and to shift resources towards identity-centric controls.
- This is a painful transition, because adopting cloud technologies is faster and easier than changing technology governance models.
It’s this essential conflict of decentralized administration with centralized risk, moving at a blistering pace, that most challenges governance and security. The most successful enterprise governance efforts accept the need for different governance implementations for cloud and non-cloud environments rather than trying to enforce one implementation across two totally different ecosystems. They run in parallel and unite at the top, but each environment is governed using a model optimized for its unique characteristics.
In future posts I’ll run through some of the best ways I’ve seen organizations govern cloud, but since I absolutely hate posts that raise issues and don’t provide answers, here are a few high-level tidbits:
- Centralize standards, visibility, and monitoring but distribute operations with tools like ChatOps.
- Provide frictionless flexibility in development, but rigid management in production with tools like CI/CD and infrastructure as code for consistency and auditability.
- Gatekeep access to critical/regulated data to narrow the scope of critical focus.
- Manage the IAM perimeter first, not the network.
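The last point, and the “username, password, and, maybe, MFA” observation above, are the ones that can be checked mechanically. Below is an added example, not code from the original post, that illustrates what “manage the IAM perimeter first” looks like as a concrete check: it assumes AWS (the post names no provider), parses the CSV layout of an IAM credential report, and lists every principal that can sign in to the console with a password but has no MFA device. The report rows are constructed sample data; the account ID and user names are made up.

```python
import csv
import io

# Constructed sample in the column layout of an AWS IAM credential report.
# Only the columns this check reads are meaningful; the rest are filled in
# so the rows stay well-formed. Example data, not a real account.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,not_supported,not_supported,false,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-03-04T12:00:00+00:00,true,2024-05-02T09:00:00+00:00,2024-01-01T00:00:00+00:00,N/A,true,true,2024-01-01T00:00:00+00:00
bob,arn:aws:iam::111122223333:user/bob,2021-06-07T12:00:00+00:00,true,2024-04-30T09:00:00+00:00,2023-11-01T00:00:00+00:00,N/A,false,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2022-02-02T12:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-02-02T00:00:00+00:00
"""

ROOT_USER = "<root_account>"


def parse_credential_report(csv_text):
    """Parse the credential report CSV into a list of per-principal dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def can_use_console_password(row):
    """True if the principal can sign in to the console with a password.

    The root account always has a console password; the report marks its
    password_enabled column as 'not_supported' rather than 'true', so it
    has to be special-cased or it silently passes the check.
    """
    if row["user"] == ROOT_USER:
        return True
    return row["password_enabled"] == "true"


def console_users_without_mfa(rows):
    """Names of principals with console password access and no MFA device.

    These are exactly the identities for which the Internet-facing
    management console is protected by a username and password alone.
    """
    return [
        row["user"]
        for row in rows
        if can_use_console_password(row) and row["mfa_active"] != "true"
    ]


def api_only_users_with_active_keys(rows):
    """Names of principals with no console password but an active access key.

    Not a finding by itself (service accounts look like this), but these are
    the identities whose access-key hygiene the IAM perimeter depends on.
    """
    return [
        row["user"]
        for row in rows
        if not can_use_console_password(row)
        and row["access_key_1_active"] == "true"
    ]


if __name__ == "__main__":
    report = parse_credential_report(SAMPLE_REPORT)
    for user in console_users_without_mfa(report):
        print(f"FINDING: console password without MFA: {user}")
    for user in api_only_users_with_active_keys(report):
        print(f"INFO: API-only principal with active key: {user}")
```

Against a real account the report is produced with `aws iam generate-credential-report`, then fetched with `aws iam get-credential-report --query Content --output text | base64 -d`, and the decoded CSV is what `parse_credential_report` expects. The root special case is the detail most home-grown versions of this check get wrong.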