Tips for Azure Governance

CloudClarity
7 min read · Jul 23, 2021

Stay on top of your Azure environment costs without all the tedious management work.

Regardless of whether you’re new to cloud or you’ve been using it for years, it’s important to make sure you continuously think about governance.

You may run into issues in your cloud environment such as spiraling costs, the wrong tools, or access being given to the wrong individuals, but these are symptoms rather than causes. They may seem unrelated to one another, but they all stem from the same root problem: bad cloud governance.

Safeguarding your data in the right secured locations is vital, especially when it involves the handling of sensitive or confidential company information.

Table of Contents

1. Problems caused by bad governance

2. Security governance

3. Spending strategy

4. Guidelines for technology

5. Location governance

6. Conclusion

1. Problems caused by bad governance

A lack of governance, or bad governance practices, is the underlying reason behind the failure of most cloud projects. Without solid guardrails or a strategy, the following can result:

· Unexpected cloud costs

· Data found outside jurisdictions

· Lack of audit trails

· No method of associating cost with department

· Unsafe personal data

· Unavailable component services in acceptable regions.

One big benefit to working in the cloud as opposed to on-premises is that you only pay for the resources being used. IT professionals will usually use cheaper costs as a selling point to upper management and, while this is true, if you don’t have a solid governance strategy in place you may end up with a surprisingly high Azure bill every month.

Having a well thought-out governance strategy is beneficial to your whole team. It seeks to ensure that everyone is on the same page with the same systems, and it shouldn’t be seen as an obstacle or a restriction to your team. Now, let’s see how we can set up your governance plan while covering the four keys to good governance: security, spending, technology and location.

2. Security governance

Security is generally the first thing people try to tackle when discussing governance, but it’s also one of the most mismanaged.

Firstly, use Azure Active Directory (Azure AD).

The most important part of security governance is how identities in Azure are managed. Some companies will allow users to access Azure with just their Microsoft email rather than creating user identities in Azure AD. This is normally okay, until it isn’t.

While it’s not a common occurrence, there are situations where an angry employee can cause a great deal of internal damage if proper guardrails aren’t put in place. And while Microsoft does have procedures for retrieving stolen subscriptions, re-establishing your cloud environment will still involve a lot of time and legal action. Even after you’ve retrieved your Azure subscription, there may still be a noticeable loss of information.

Azure AD auditing lets you notice certain actions as they are taken and, as a result, prevent damage. This includes theft, but more often than not it’s users deviating in the wrong direction.

This brings us onto our next subject: who can access what?

This has nothing to do with a lack of trust in your employees; you should definitely trust your team. Putting security measures in place is more about having controls and warning alarms for when someone is doing something that isn’t permitted. There are two things to consider:

1. Do the development environments have to be separated from the production environments?

2. Does there have to be a restriction in place for what developers can access within these environments?

Now, while every company has differing needs and rules, it’s recommended that your development and production environments remain separate. On top of this, access in the development environment should be quite open, but access in the production environment should be more restricted.

There is a balance between confirming your data is secure and confirming your team can work as efficiently as possible. And, if your company handles information from other businesses, you have to take their security requirements and needs into account. Azure Key Vault can help monitor encryption keys and confidential information, but you can also use secret servers or add a check that prevents any keys within your code from appearing in production. Regardless of what you choose to do, ensure your entire team is aware of the guidelines and the methods required to access what they need.
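One way to build the check that keeps keys in code out of production, as an added example that is not from the original post: a small scanner a CI job could run before release. The rule set, the function names and the sample files are assumptions constructed for illustration, and the patterns are not exhaustive.

```python
import base64
import re

# Illustrative rules (assumed for this example, not an exhaustive set).
PATTERNS = {
    # Azure Storage account keys are 64 bytes, i.e. 86 base64 chars plus "==".
    "azure-storage-account-key": re.compile(r"AccountKey=[A-Za-z0-9+/]{86}=="),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded-credential": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key)\w*\s*[:=]\s*[\"']([^\"']{8,})[\"']"
    ),
}

# Values that point at a secret store instead of containing the secret.
ALLOWED_VALUE = re.compile(r"^(?:\$\{.+\}|@Microsoft\.KeyVault\(.+\))$")


def scan_text(path, text):
    """Return (path, line number, rule) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            # Skip assignments whose value is only a reference to a vault or variable.
            if match.groups() and ALLOWED_VALUE.match(match.group(1)):
                continue
            findings.append((path, lineno, rule))
    return findings


def gate(files):
    """files maps path -> contents; exit code 1 means the release is blocked."""
    findings = [f for path, text in files.items() for f in scan_text(path, text)]
    return (1 if findings else 0), findings


# Constructed sample input: the "key" is 64 zero bytes, not a real credential.
FAKE_KEY = base64.b64encode(bytes(64)).decode()
SAMPLE_FILES = {
    "app/settings.py": (
        'CONN = "DefaultEndpointsProtocol=https;AccountName=demo;AccountKey='
        + FAKE_KEY + ';EndpointSuffix=core.windows.net"\n'
        'db_password = "hunter2-hunter2"\n'
    ),
    "deploy/appsettings.txt": (
        'api_key = "@Microsoft.KeyVault(SecretUri=https://example.vault.azure.net/secrets/api/)"\n'
    ),
}

if __name__ == "__main__":
    code, found = gate(SAMPLE_FILES)
    for path, lineno, rule in found:
        print(f"{path}:{lineno}: {rule}")
    raise SystemExit(code)
```

The Key Vault reference in the second sample file passes because the value names a secret rather than containing one, which is the pattern the check is meant to push teams toward.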

3. Spending strategy

Having a strategy for overseeing your cloud costs and usage doesn’t necessarily mean you have to always pick the cheapest option. Pick the right technology your project requires, but make sure the costs incurred are reasonable.

This involves understanding what you’re paying for.

You have to see what’s going on in your environment in order to receive accurate cost reports and get alerts if something goes awry. While Azure offers some services and tools to help you do these tasks and monitor spending, you have to do others on your own. That’s why we’ve created a tool to make this easier for you. CloudClarity’s Cost Summary tool allows you to apply costs to tags and see immediate effects without waiting months for these changes to appear on your cloud bill.

As mentioned prior, one of the main selling points of moving to a cloud environment is that you only pay for what’s being used. In practice, however, many are paying for idle and unnecessary resources. We often aren’t aware of all the resources present within our environment.

If you compare your cloud bill for this month with last month’s or measure the progression of a project in relation to its budget, you have a greater likelihood of spotting abnormalities in your spending. It can also help you better visualize your future cloud costs.

It can help to also share responsibilities.

Having clarity over your cloud environment helps set reasonable budgets and make different teams/departments accountable for their expenditure. Team members can even include a cost estimation stage in a project. Sharing cost management responsibilities with your team can result in great outcomes. If you find a resource’s usage is over budget within a specific project, you can bring this up with the leader of that project to discuss what’s happening and how it can be solved.

You can also include owner tags so you can go directly to the resource owner to discuss the issue. CloudClarity’s Tag Manager tool can help you get an overview of all your tags and lets you manage them in bulk. This can help you oversee your tags, especially as your cloud environment grows.

But it’s important to remember that this isn’t about being “cheap” or “stingy”; rather, it’s about having visibility on your spending by making sure it’s directed at what you actually need. This takes a lot of work and governance, but once the foundations have been set, cost optimisation becomes quite easy.

4. Guidelines for Technology

You have to establish guidelines on what types of technology to use for various situations, with the reasoning being to guarantee that your company and environment are working efficiently. Learning how to use and incorporate new Azure tools in your processes is great! However, it introduces new risks, such as time dedicated to learning the new technology and learning how to scale with it.

First, you need to evaluate your team’s skills with the new Azure service you’d like to incorporate into your environment. You must also assess what your other options are, how data is stored in it, and whether that service is available in your Azure region. Microsoft constantly updates and releases new services, which is one of the great things about working in Azure. But sometimes we like a new service purely because of the fact that it’s new and exciting. If there’s a service your team is more familiar with and comfortable using, and if it will produce somewhat identical results, it would be best to stick with what you and your team already know.

The new service you’re looking at may still be in preview, so you will have to spend time and resources on learning how to use a service that may never be released. Or, the new service might be more expensive in your region in which case you’ll have to consider if you can run it securely in a different region.

You have to think about these things when you’re creating a guideline for your Azure technologies. But don’t mistake these guidelines for strict rules, because you may need to change them as your cloud environment progresses. You don’t want governance to overly restrict and control your developers, so it’s vital that your team knows how to push a principle into review.

5. Location Governance

Azure data centres are organised and provided to end users based on region. Currently, there are regions in 140 countries, but not all of these regions are identical. Some only allow specific VM sizes, while others have different costs for the same service. There are also cases where, if you want the nearest servers for the best security and speed, you may need to pay more and deal with more limited VM sizes. In other cases, you can get away with doing your work in a different region that works for your company.

Just remember that not all Azure regions are built the same.

Regardless, you need to have guidelines for how you want your team to make decisions based on Azure regions. If your business deals with data from other companies, or offers services to them, they may want you to use their region as opposed to yours. If you have a lot of international customers, your Azure environment may need to be geographically distributed. If you’re handling the cloud computing of your customers, your Azure location governance strategy should consider your customers’ location governance strategy. Perhaps they have consumers in a third location, which is the region you’ll need to be using.

These questions must be involved in your development processes. This will prevent instances where you’re halfway through completing a project and then you realise you’re in the wrong location, causing you to change your plans or start from scratch.
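A location guideline and the owner tags from the spending section can be checked together against a resource inventory. The following is an added example, not part of the original post: it audits records shaped like the output of `az resource list --output json` and groups the findings by owner. The allowed regions, the required tag names and the inventory itself are assumptions constructed for illustration.

```python
import json

ALLOWED_LOCATIONS = {"westeurope", "northeurope"}        # assumed region guideline
REQUIRED_TAGS = ("owner", "costcenter", "environment")   # assumed tagging guideline
NON_REGIONAL = {"global"}  # some resource types report "global" instead of a region

# Constructed inventory, shaped like `az resource list --output json`.
INVENTORY_JSON = """[
 {"name": "vm-web-01", "type": "Microsoft.Compute/virtualMachines", "location": "westeurope",
  "tags": {"Owner": "alice@example.com", "costcenter": "CC-100", "environment": "prod"}},
 {"name": "stlogs", "type": "Microsoft.Storage/storageAccounts", "location": "eastus",
  "tags": {"owner": "bob@example.com", "environment": "dev"}},
 {"name": "vm-test-07", "type": "Microsoft.Compute/virtualMachines", "location": "northeurope",
  "tags": null},
 {"name": "dns-example", "type": "Microsoft.Network/dnszones", "location": "global",
  "tags": {"owner": "alice@example.com", "costcenter": "CC-100", "environment": "prod"}}
]"""


def audit(resources):
    """Return {owner: [(resource name, problem), ...]} for guideline violations."""
    report = {}
    for res in resources:
        # Untagged resources come back with "tags": null; tag keys vary in case.
        tags = {k.lower(): v for k, v in (res.get("tags") or {}).items()}
        location = (res.get("location") or "").lower()
        problems = []
        if location not in ALLOWED_LOCATIONS | NON_REGIONAL:
            problems.append(f"location '{location}' not allowed")
        for tag in REQUIRED_TAGS:
            if not str(tags.get(tag) or "").strip():
                problems.append(f"missing tag '{tag}'")
        if problems:
            # Route findings to the owner; resources without one go to a shared bucket.
            owner = str(tags.get("owner") or "").strip() or "unowned"
            report.setdefault(owner, []).extend((res["name"], p) for p in problems)
    return report


if __name__ == "__main__":
    for owner, items in audit(json.loads(INVENTORY_JSON)).items():
        print(owner)
        for name, problem in items:
            print(f"  {name}: {problem}")
```

Within Azure itself the same rules can be enforced at deployment time with Azure Policy; a report like this one is useful for reviewing what already exists.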

6. Conclusion

Creating a governance plan for your cloud environment is a major first step in ensuring your Azure subscription remains secure, efficient and organized. Once you’ve built it, you need to reinforce and review your environment on a regular basis.

After your governance plan is implemented, your team will change — some people will leave, some may take on a different role and you may even hire new people. So, you need to make sure your governance strategy and guidelines are preserved in documentation. Your team needs to be engaging with this such that, regardless of how your team changes, they will always be following a well thought-out governance plan.

We know governance can be hard and daunting, so if you’re interested in making it easier, more efficient and less time-consuming, check out our app https://portal.cloudclarity.app/.
