Skip to main content

5. Govern Methodology

Overview

https://learn.microsoft.com/en-us/training/modules/cloud-adoption-framework-govern/

Governance needs

To balance digital transformation efforts, Tailwind Traders needs a cloud governance team that can find a way to meet the following basic governance needs:

  • Maintain compliance.

  • Create better cost visibility and control.

  • Apply a security posture consistently.

  • Remain agile to support scale and transformation.

Govern Methodology

  • Build a cloud governance team.

  • Assess cloud risks.

  • Document cloud governance policies.

  • Enforce cloud governance policies.

  • Monitor cloud governance.

Build a cloud governance team

Select the right team members. Select a small and diverse team to encourage quick decision-making and to include various perspectives. Define the roles and responsibilities of each team member.

Define the functions of your team. A cloud governance team should engage stakeholders, assess cloud risks, develop and update governance policies, and monitor and review governance. You can add more functions if needed.

Define your team's authority and scope. Ensure that your organization supports your cloud governance team so that you can enforce important security policies. Clearly define the scope of your cloud governance team's authority, and separate their scope from other teams' responsibilities.

Assess governance risks

Before you create new policies or update existing policies, you need to assess cloud risks to help define the new or updated policy. To effectively assess risks in the cloud:

  • Identify risks and catalog them. Use Azure tools to list cloud assets and discover cloud risks.

  • Analyze risks and assign a qualitative or quantitative value to each risk. Prioritize the risks by severity.

  • Determine the impact of a risk, for example downtime or cost.

  • Document risks, and inform all necessary parties in your organization about the risks.

  • Review risks regularly and in response to events to ensure that they remain valid and accurate.

  • Determine which risks are of the highest priority

image.png

Potential Risks

  • Overspending in the cloud

  • Not meeting organizational security or compliance requirements

  • Asset configuration that creates operations management problems or oversights

  • Unauthorized access that compromises systems or data

  • Immature processes or lack of team skills, which creates inconsistent governance

Document Cloud Governance Policies

The following examples describe proper cloud governance policies that help guide adoption in public and private cloud deployments.

  • Policy: Workload teams must set budgets alerts at the resource group level. Cloud deployments have a risk of overspending, especially for self-service deployments. An organization must allocate deployments to a billing unit with an approved budget and with a mechanism to apply budgetary limits. Design consideration: In Azure, an organization can control budget with Microsoft Cost Management. And Azure Advisor can provide optimization recommendations to reduce spending for each asset.

  • Policy: Microsoft Purview must be used to monitor sensitive data. An organization must identify, classify, protect, and govern sensitive information. Design consideration: In Azure, an organization must tag all deployed assets with proper data classification levels. A cloud governance team and application owner must review the classifications before deployment to the cloud.

How to document cloud governance policies

To effectively document your cloud governance policies:

  • Define an approach to document your cloud governance policies. Establish an approach for creating, maintaining, and updating the rules and guidelines that govern the use of cloud services.

  • Define your policies. Include a policy ID, policy statement, risk ID, policy category, policy purpose, policy scope, and the remediation strategies for a policy violation.

  • Distribute your policies. Use a centralized policy repository, and create compliance checklists to inform everyone who needs to adhere to cloud governance policies.

  • Review your policies. Schedule regular and event-based reviews, implement feedback mechanisms, facilitate change control, and identify inefficiencies in cloud architecture and operations.

Enforce cloud governance policies

Define an approach for enforcing policies. Delegate governance responsibilities, adopt an inheritance model for policies, apply tagging and naming conventions to the resources in the inheritance model, and implement a monitor-first approach to ensure a smooth transition to enforcement.

Automate cloud governance. Use cloud governance tools to automate compliance on a small set of policies and then add more policies. Incorporate infrastructure as code (IaC) tools or custom scripts or applications. Automate areas of governance such as:

  • AI
  • Cost
  • Data
  • Operations
  • Regulatory compliance
  • Resource management
  • Security

image.png

NOTE: DO NOT DEFINE POLICIES THAT LOCK YOU INTO A CLOUD VENDOR

  • These policies must be cloud agnostic Examples:
    • Tagging
    • Reporting

Design your governance solution image.png

Create a tagging policy

Tutorial - https://learn.microsoft.com/en-us/azure/governance/policy/tutorials/create-and-manage#assign-a-policy

Suggested Tags:

  • Workload or application
  • Data sensitivity
  • Mission criticality
  • Owner
  • Department, such as cost center
  • Environment

Example - To avoid overspending:

  • Define clear spending limits for each individual or team in the organization.
  • Create a budget in Microsoft Cost Management to track spending.
  • Create alerts for overspending.
  • Put aside extra funds for unexpected costs.
  • Optimize resource usage.

Monitor Cloud Governance

After your policies are in place and you align your organization's processes and procedures to the policies, you must monitor your cloud governance. Use monitoring to determine areas that lack compliance and make changes to reduce noncompliance problems.

  • Use Monitoring tools and dashboards
  • Determine Compliance
  • Configure Alerts
  • Develop a Remediation plan

Cost management

  • Azure Monitor and Advisor
  • Budgets
    • Use Cost Management to monitor their spending and ensure that they stay within the budget.
    • Configure alerts to notify the billing unit leader when spending exceeds the budget.
    • Develop a plan to block certain expenses or limit expenses to certain roles if violations occur.
  • Find Opportunities to optimize
  • Azure Policy to prevent cost risks.

Summary

  • The Govern methodology.
  • Cloud governance teams.
  • Cloud risk analysis.
  • Cloud governance policy documentation.
  • Policy enforcement.
  • Cloud governance monitoring.