AWS, Cloud Governance & Compliance, Cloud Services, Azure, GCP
5 Questions to Ask When Looking for a Cloud Management Platform
When it comes to effective cloud adoption, Government IT leaders face challenges on multiple fronts. From the executive and legislative branches, they get directives and requirements to adopt the cloud faster and more efficiently. Technology innovation continues to accelerate, with major advances in computing power, virtual networking, and AI in just the past few years. And the number of vendors competing for government business has also increased, all claiming they have the best cloud solution.
We’d like to arm government decision-makers with five questions to help clarify these often confusing pictures. When considering a cloud management platform, these questions and the answers provided will separate the potential partner from a dubious pretender.
1. Does Your Platform Automate Manual Processes?
In contrast to running in a traditional data center environment, automating manual processes is essential to leverage cloud infrastructure successfully to receive the full benefits of the cloud, such as cost transparency and efficiency, scalability, and greater security. This can include tasks such as automated storage and backups, managing security and compliance, financial management, changing configurations and settings, and deploying code.
As virtualization and cloud computing continue to rise in popularity, the required tasks to manage cloud environments multiply, as does the workload for internal teams. Manually scaling, provisioning, configuring resources, setting up virtual machines, and monitoring performance is repetitive, inefficient, and leaves the environment vulnerable to errors from mistakes made during manual completion.
Due to the near-limitless size of the cloud, manually performing tasks can reach a scale that becomes impossible without automation. Such repetitive tasks include:
● Creating users and granting them permissions.
● Sizing, provisioning, and configuring resources such as virtual machines (VMs).
● Invoking virtual networks.
● Monitoring and managing availability and performance.
Cloud automation enables IT teams, freeing them from repetitive and manual administrative tasks, to focus on more meaningful work that aligns closer with mission needs, such as integrating higher-level cloud services or developing new product features instead of being bogged down by manual provisioning and configuration.
While freeing IT teams to focus on more impactful activities, automation can also put boundaries around processes in a way manual activities can never match. By leveraging cloud automation, agencies can do things such as:
● Provide large amounts of new accounts configured with pre-defined guardrails and budgets
● Prevent overspending with financial enforcements that freeze or terminate resources when thresholds are exceeded
● Automatically remediate noncompliant findings
● Prevent drift with automated guardrails that stop non-compliant activities and resources from being performed and provisioned
Cloud automation also significantly benefits software development teams operating under the continuous deployment strategy, aka DevOps/DevSecOps. Continuous deployment aims to automate the deployment pipeline to increase the frequency of updates to applications. Proper automation can enable development teams to deploy automatically to a preconfigured cloud-based IT environment, driving innovation and more frequent deployments.
Don’t settle for a vague, high-level answer to this question. You won’t be able to scale and take advantage of the cloud without automating manual processes.
2. Can Your Platform Identify Gaps in Cloud Compliance and Proactively Remediate Them?
Cloud compliance is the practice of ensuring that agency cloud environments follow the required regulatory frameworks and compliance standards of the federal government and the citizens they support. The cloud promises unprecedented speed, agility, and flexibility for government agencies; however, storing, processing, and otherwise transmitting sensitive data through a third party, such as a cloud service provider (CSP), comes with numerous inherent risks.
The cloud offers accessibility, but it also creates open, decentralized networks with increased vulnerability if not configured properly. As an added dimension, most cloud environments need to comply with multiple compliance standards such as SOC2, ISO 27001, NIST, FedRAMP, and more.
When approaching cloud compliance, it's important to understand the shared responsibility model. AWS, Microsoft Azure, and Google Cloud have shared responsibility models that delineate the responsibilities between the cloud provider and the government customer.
An easy way to differentiate between who is responsible for compliance in the cloud is that the CSP is usually responsible for the “security of the cloud” while the government customer is responsible for “security in the cloud.”
This means that the CSP will handle securing and maintaining compliance for infrastructure that runs all of the services offered in the given cloud service; the hardware, software, networking, and facilities that run the CSP’s cloud services.
Customer responsibility varies based on many factors, including the services and regions they choose, the integration of those services into their IT environment, and the laws and regulations applicable to their agency and workload.
It is important to understand the shared responsibility model of the CSP(s) you’re using. Once you understand the respective shared responsibility model and how it generally applies to operating in the cloud, you must determine how it applies to your specific use case.
Key Components of a Cloud Compliance Framework
Make sure that any vendor you talk to can explain the main components of their cloud compliance framework, and how it works for customers. These are:
Cloud governance is a defined set of rules and policies that dictates how a specific organization will run services in the cloud. As more and more government agencies adopt the cloud, it is imperative that forethought be given to how a given organization will effectively and safely use the public cloud.
Ask how the cloud management platform handles essential governance areas such as:
● Asset management: Inventory all cloud services and related data. Then define configurations to prevent vulnerability.
● Cloud strategy and architecture: Characterize the cloud structure, ownership, and responsibilities and integrate cloud security.
● Financial controls: Develop processes for requesting and purchasing cloud services, allocating budgets, associating costs, and balancing cloud usage with cost-efficiency.
Agencies should consider using automation to place guardrails to prevent unwanted changes, continuously monitor cloud configurations for issues, and proactively remediate misconfigurations before they affect productivity.
Identity and access management (IAM) controls frequently experience changes in the cloud. To best manage changes and ensure the integrity of IAM controls, listen to hear if potential vendors recommend doing the following:
● Continuously monitor root accounts, for example, IAM Users in AWS, as they can allow unrestricted access. Disable them completely or use as few of them as possible with associated monitors and alarms and always require multi-factor authentication (MFA).
● Utilize role-based access and group-level privileges. Only grant access if there are justified business needs and only grant the minimum level of privileges necessary.
● Disable dormant accounts and implement effective credential and key management policies.
Continuous monitoring and logging of all activity are extremely important due to the complex nature of the cloud. It is impossible to manually track everything.
Capturing the who, what, when, where, and how of activities not only helps agencies be audit-ready but is the primary means of verifying adherence to various compliance frameworks.
Proper alerting to escalate risky behavior is paramount for security. These are best practices vendors should recommend for configuring monitoring and logging in your cloud environment:
● Enabling logging on all cloud resources
● Defining metrics and customizing alarms to avoid alert fatigue
● Encrypting all logs and not storing them in public-facing storage
Reports provide current and historical proof of compliance. These reports can be thought of as a compliance footprint for your cloud. These are necessary components to completing most compliance audits as they supply a complete timeline of all events in a given period. They also serve as critical evidence should a security incident occur.
Potential vendor partners should have detailed answers for ALL of these compliance components, and how their platform can proactively remediate gaps when found. Compliance can be thought of as writing a thesis for a doctorate or a large school project.
Many agencies take the approach that they only address compliance right before audit time and scramble to get a mountain of work done right before the due date. Just like a thesis or complicated project, this results in a subpar output. Just like a thesis that may need to be reworked or delayed, failing a compliance audit can interrupt mission-critical work and lead to embarrassing testimony in front of Congress. Agencies become vulnerable when they are lax in their adherence to requirements and that’s even more dangerous in the cloud.
3. How Do You Visualize and Attribute Financials in Your Platform?
Once your IT environment moves outside the physical walls of the agency financial management becomes more difficult and complex. Agencies need real-time visibility to identify overspending, enforce budgets, and stop wasting money on unused cloud resources.
No organization wants to be overspending on cloud services they use or, even worse, on services they shouldn't be using at all. In a multi-cloud world, where there can be thousands and even millions of entities across multiple cloud service providers, it can be difficult to configure each account to prevent overspend.
The native services offered by the cloud service providers are excellent for monitoring cloud spend and alerting potential overages, but sometimes alerts aren't enough. Many organizations want to automatically enforce budget limits by preventing excess spending in the first place. Financial enforcement actions are configurable actions you can set on a funding source or project when a spending threshold is surpassed. This spending threshold is determined by triggers and events you can customize at each level.
Ask a prospective vendor the following questions to determine if their platform can enable financial enforcement actions made up of the following customizable variables:
● Enforcement Type – are you allowed to select whether the level and service to which the enforcement applies?
● Triggers – which events initiate an enforcement action? Decide what combination of time and funds spent/remaining will set off the action. Triggers include the Timeframe for measurement, the Spend Option (to specify the trigger based on Spend, Remaining, or Spend Rate), a dollar or percentage value, and if you selected Service Enforcement, the Service to which the enforcement applies.
● Events – what actions do you want to take place when a trigger's conditions are met?
● Notifications – which users and groups will be notified when a financial enforcement action is triggered?
The latest platforms offer a modular approach to financial management. Agencies can choose are able to select from a toolkit of features to tailor functionality to their specific use cases, as their needs dictate. The way they configure these tools will move their financial management towards a more or less restrictive structure.
4. How are You Meeting Elevated Cloud Security Requirements?
For all its benefits, the move to the cloud has also created serious vulnerabilities due to a lack of clear standards for usage and access.
Many agencies are learning as they go along when moving to the cloud. The movement of IT resources to the cloud has preceded a management structure to monitor and control how cloud resources are provisioned and used. From a security perspective, the lack of usage guidelines for hardening, encryption, and vulnerability monitoring access can create new vulnerabilities. If these usage guidelines are not known by the cloud users or enforced through cloud governance monitoring, then the security posture degrades rapidly.
True cloud security can never be accomplished until cloud security is integrated into the overall security posture of the enterprise. AWS, Microsoft, and Google Cloud have all launched cloud-native security centers in the past few years, focused on helping their client manage secure cloud hosting environments.
But these services need to be integrated into the security technology currently used in the agency SOC – typically a Security Event and Incident Management (SEIM) tool such as Splunk. True security requires binding together the threat landscape from security systems, email, IT/ OT, and business technologies across the entire agency. It’s a massive organization management challenge as much as a technical challenge.
There are proven industry standards they can embrace like Center for Internet Security (CIS) Benchmarks (for AWS, Azure, and GCP), NIST SP 800-207, and AWS Foundational Security Best Practices. Agencies need to decide which standard to enforce and make sure that any platform vendor has enforced that standard for other customers.
The Office of Management and Budget (OMB) has released multiple memorandums highlighting cybersecurity improvements required and deadlines for achieving them. Leveraging solutions developed by the CSPs can mean achieving these goals and improving cloud network security in months rather than years.
For example, OMB M-21-31 relates specifically to agency logging, log retention, and log management, with a focus on ensuring centralized access and visibility for the highest-level enterprise security operations center (SOC) of each agency. Many agencies are seeing they are not logging nearly as many events as they should be - in some cases they should be logging 10 times the current number.
OMB M-22-09 provides specific goals and deadlines for implementing zero trust. The goals are organized using the zero trust maturity model developed by the Cybersecurity and Infrastructure Security Agency (CISA). CISA’s zero trust model describes five complementary areas of effort (Identity, Devices, Networks, Applications and Workloads, and Data), with three themes that cut across these areas (Visibility and Analytics, Automation and Orchestration, and Governance).
Within each pillar, the maturity model provides agencies with specific examples of a traditional, advanced, and optimal zero-trust architecture. OMB is requiring that agencies achieve these specific zero trust security goals by the end of the Fiscal Year (FY) 2024.
Any platform vendor should have a clear strategy on how your agency will meet these security requirements prior to that deadline.
Another vital security consideration for any government agency is securing the transmission of sensitive data. Cloud-based, software-as-a-service tools can seem attractive; however, even with FedRAMP certification, the agency assumes risk whenever the data leaves the security of their own environment and is entrusted to a vendor.
Self-hosted platforms continue to demonstrate their security advantages, especially with data of higher impact levels such as IL4, IL5, and IL6. When a solution is self-hosted inside of the agency’s cloud environment, they have complete control over the platform and eliminate the risk of sending data outside of their environment. This helps to reduce the scope of many security and compliance requirements in ways that cloud-hosted SaaS platforms cannot.
5. How Does Your Platform Track Cloud Performance Monitoring?
A critical capability in cloud platforms is the ability to monitor performance across environments, workloads, and applications. Doing so not only helps agencies more efficiently scale resources, but also improves IT management and governance.
Performance monitoring gets more complex when moving from on-premises to a cloud environment. Agencies with visibility into performance monitoring can seamlessly scale cloud infrastructure and applications — expanding and contracting services and resources on-demand. A big piece of scalability happens behind the scenes: how cloud infrastructure is architected, managed, and secured.
COTS tools have out-of-the-box capabilities that help agencies gain visibility. For example, they offer a console or dashboard for centralized management and security and a unified view of performance. Administrators and developers can set access policies and manage cloud configurations and clusters of virtual machines or compute resources — all in a single place.
COTS solutions include, but are not limited to: Google Anthos, IBM Cloud Paks, AppDynamics, OpenStack, Apache CloudStack, Cloudcheckr, Apptio, Rackware, Cisco Cloud Center, and ServiceNow ITOM.
Advantages of COTS:
● This approach is most appropriate in hybrid and multi-cloud environments which require integrating multiple data sources into a third-party platform. Teams remain “agnostic” and only have to learn and maintain one tool versus multiple cloud-native and on-premises services.
● Get multiple cloud management functionalities in one solution.
Disadvantages of COTS:
● Typically do not offer direct platform integrations or managed service offerings.
● It’s new software that must be updated and maintained, which increases IT complexity.
● COTS solutions may also create further complexity and higher costs associated with Kubernetes clusters if the middleware inside those environments is cloud-native services.
Make sure your vendor can weigh these pros and cons for your agency and supply success stories.
We hope these questions are useful to you in your cloud automation evaluation process. To some extent, the needs of every individual agency will be unique to its mission but every agency evaluating a cloud management platform should have a degree of confidence in the answers to each of these five questions.
If you’d like more confidence in answers to these questions or would like to understand the capabilities of modern cloud management platforms, we encourage you to contact us. Simple Technology Solutions (STS) and Kion are now working together to make the cloud easier for government to adopt. Both companies have a track record of successful cloud deployments and close relationships with all three of the major CSPs.
Let’s talk and see if we can put this experience to work for you. Contact us to start a conversation around your needs.
Kion is STS’s preferred software solution for enterprise cloud management. We pair STS cloud automation engineers with the Kion product to define and automate agency standards for cloud account setup, access, and control; cost management and budget enforcement; and continuous compliance. Together we make enterprise cloud easier by providing a single pane of glass for managing cloud resources across multi-cloud environments.
Austin is the Director of Product Marketing at Kion