Understanding Enterprise Cloud Governance
Maintaining control while delivering the agility of cloud computing
Most large enterprises have a hybrid or multi-cloud environment comprised of a combination of private and public clouds. But they have legitimate concerns about ensuring proper governance of these environments. To help you overcome governance challenges, this paper answers three critical questions:
• How does IT maintain security across the cloud environment?
• How can IT demonstrate compliance with required laws and regulations?
• How can IT control spending in the cloud?
Cloud governance is becoming an even larger issue as private and public cloud deployments become increasingly
This paper explains how organizations can address these three key requirements. Using best practices you can overcome the challenges associated with maintaining control of your enterprise cloud environment.
Examples of enterprise cloud governance use
Enterprises today are incorporating various aspects of governance, agility and choice into their cloud management strategies. Here are some real-world examples of common challenges that enterprises face.
• Centralized security and compliance management—A leading global financial information and education company must
• Multi-tenant operations—A leading national telecommunications provider is supplying cloud services to a very large number of clients. They require a cloud management platform that allows them to cleanly separate client concerns, ensuring that the actions of any one client cannot impact the environments of others.
• Financial tracking and chargebacks—A large advertising agency needs to track costs for its cloud infrastructure across various projects and clients. Charging each client and project for its actual cloud usage is difficult and time-consuming; automating these processes increases both efficiency and client satisfaction.
How can IT maintain cloud security?
Choosing the right tools enables organizations to maintain security across multiple clouds
Security requirements are driven by fear – fear of data being compromised or lost; fear of failing to meet compliance regulations; and fear of falling behind the competition. These are valid fears. The good news is that hosting resources in the cloud — whether public or private — can actually enable organizations to improve their security profiles.
Typically, large enterprises have a hybrid cloud environment, comprised of a combination of private and public clouds, and often a multi-cloud one as well, spanning several providers. Ideally these are controlled by IT. But more and more often, business users are going directly to cloud providers to obtain the services they need and bypassing IT altogether.
So, how can an organization maintain cloud security with this decentralization? By choosing tools that manage encryption and access controls across hundreds or thousands of users, and by using automation for easy and secure implementation of tight security restrictions across multiple clouds. Putting the right tools in place can make it easier for business units to accomplish their goals — with IT acting as a trusted helper rather than a hindrance.
Encryption
Every organization should already be using encryption technology.
Encryption key management, however, can be challenging. At a bare minimum, each server should have its own key for file system encryption, and ideally a different key for its backups, so that compromise of one key exposes only one server's data.
Some organizations even create separate encryption keys for each data volume. Managing the sheer volume of keys generated — plus ensuring they are securely stored, protected and retrievable when needed — can quickly become overwhelming.
Choosing a key management system
The best way to deal with encryption key management is to integrate your key management solution with your cloud management solution. You then are able to leverage built-in automation features, such as support for automatic file system decryption and backup encryption. This also removes the need for admins to handle actual keys, which reduces the chances of keys being lost or stolen.
Some of the basic things to look for are:
• Cloud credentials maintained outside of any cloud provider
• Communication secured by TLS, with certificates issued by a trusted certificate authority
• Strong VM file system and data encryption
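The key hierarchy described above, as an added example in Go that is not Cloud Manager's own code: a key-management service holds one key-encryption key (KEK) and issues per-server, per-backup and per-volume data-encryption keys (DEKs) that are stored only in wrapped form, so the management layer and its administrators handle key IDs rather than key material. The service, the key ID naming scheme and the in-memory keyring are assumptions for illustration; in production the KEK would live in an HSM or an external KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyService models a key-management service that holds a single KEK in memory
// and hands out per-scope DEKs stored only in wrapped (encrypted) form.
// Callers only ever see key IDs, never raw key bytes.
type KeyService struct {
	kek     []byte
	wrapped map[string][]byte // key ID -> DEK wrapped under the KEK
}

func NewKeyService(kek []byte) (*KeyService, error) {
	if len(kek) != 32 {
		return nil, errors.New("KEK must be 32 bytes (AES-256)")
	}
	return &KeyService{kek: kek, wrapped: map[string][]byte{}}, nil
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with AES-GCM; the random nonce is prefixed
// to the output and aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

func unseal(key, sealed, aad []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], aad)
}

// ProvisionKey creates a fresh DEK for one scope (hypothetical IDs such as
// "server-42/rootfs", "server-42/backup" or "volume-7") and stores only its
// wrapped form. The key ID is bound into the wrap as associated data, so a
// wrapped key cannot be relabelled to another scope.
func (ks *KeyService) ProvisionKey(keyID string) error {
	if _, exists := ks.wrapped[keyID]; exists {
		return fmt.Errorf("key %q already exists", keyID)
	}
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return err
	}
	w, err := seal(ks.kek, dek, []byte(keyID))
	if err != nil {
		return err
	}
	ks.wrapped[keyID] = w
	return nil
}

// unwrap is the only place a raw DEK exists outside an AEAD operation.
func (ks *KeyService) unwrap(keyID string) ([]byte, error) {
	w, ok := ks.wrapped[keyID]
	if !ok {
		return nil, fmt.Errorf("unknown key %q", keyID)
	}
	return unseal(ks.kek, w, []byte(keyID))
}

// Encrypt protects data (a file-system block, a backup chunk) under the named DEK.
func (ks *KeyService) Encrypt(keyID string, plaintext []byte) ([]byte, error) {
	dek, err := ks.unwrap(keyID)
	if err != nil {
		return nil, err
	}
	return seal(dek, plaintext, []byte(keyID))
}

// Decrypt fails authentication if the data was sealed under a different DEK
// or was modified, so a backup key cannot silently open a root-fs ciphertext.
func (ks *KeyService) Decrypt(keyID string, sealed []byte) ([]byte, error) {
	dek, err := ks.unwrap(keyID)
	if err != nil {
		return nil, err
	}
	return unseal(dek, sealed, []byte(keyID))
}

func main() {
	kek := make([]byte, 32) // in practice the KEK lives in an HSM or external KMS
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	ks, _ := NewKeyService(kek)
	for _, id := range []string{"server-42/rootfs", "server-42/backup", "volume-7"} {
		if err := ks.ProvisionKey(id); err != nil {
			panic(err)
		}
	}
	ct, _ := ks.Encrypt("server-42/rootfs", []byte("root file system block"))
	pt, _ := ks.Decrypt("server-42/rootfs", ct)
	fmt.Printf("round trip: %s\n", pt)
	_, err := ks.Decrypt("server-42/backup", ct) // wrong DEK: authentication fails
	fmt.Println("cross-key decrypt:", err)
}
```

Rotating the KEK in this design means re-wrapping the stored DEKs, not re-encrypting the data; that is the property that makes a key-per-server or key-per-volume policy manageable at scale.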
Dell Cloud Manager™ provides role-based security, allowing you to access or manage resources as required.
Users can be alerted to specific actions or issues and billing codes can be allocated to budget resources. Cloud Manager supports LDAP and Active Directory to allow you to leverage existing enterprise identities, groups and roles. Cloud Manager also lets you define the security profiles applied to user authentication.
Cloud Manager is capable of integrating with and augmenting user authentication via several methods, including:
• Username and password authentication
• Multi-factor authentication
• Security Assertion Markup Language (SAML) Federation
• OpenID with trusted providers
• LDAP authentication
Cloud Manager also provides single sign-on support for multi-cloud management.
By retaining all cloud credentials outside the cloud provider, Cloud Manager provides the most secure cloud solution for your applications. It acts as the guardian of your security keys and credentials, but has no access to your data and runs outside your cloud. All communication between the provisioning system and the credentials system occurs over SSL/TLS web services using a certificate signed by GeoTrust, VeriSign, or GlobalSign; the provisioning system must still validate that certificate chain and hostname on every connection, since a CA-signed certificate only protects a client that actually checks it.
Access Control
Access control ensures that the right people, and only the right people, have access to the right information, when they need it.
For example, employees within an organization’s Human Resources department need access to the salary and performance review history of employees company-wide. There could be serious legal repercussions if an unauthorized employee was granted the same access rights as that HR representative and started sharing confidential information.
Access control can be divided into two categories: authentication and authorization.
• Authentication is the accurate identification of users.
• Authorization is mapping the actions that a user is allowed to take.
Both are problematic for large enterprises. The larger the organization and the more systems in use, the more likely it is that access rights will drift and security will be breached, or at least diminished.
How do access controls work?
The authentication step happens first, whether via username and password, a multi-factor login (for example, with a generated token), a cryptographic key, or OpenID with a trusted provider. Then authorization comes into play. You should be able to apply fine-grained role-based policies to all resources, tie resource usage back to budgetary policies, apply those policies to existing IT groups, and set alerts for specific actions or issues. Through LDAP or Active Directory, you can reuse your existing groups and roles to define cloud management policies.
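The authentication-then-authorization flow above, as an added Go example that is not Cloud Manager's code: a session carries the user, the directory groups they belong to and whether a second factor was presented; a policy maps groups to roles and roles to permissions, and a privileged role can only be exercised from an MFA session. The LDAP group names, role names and resource paths are constructed for the HR example in the text.

```go
package main

import (
	"fmt"
	"strings"
)

// Session is what authentication produces: who the user is, the directory
// groups they belong to (as returned by LDAP or Active Directory), and how
// they proved their identity.
type Session struct {
	User   string
	Groups []string
	MFA    bool // a second factor was presented
}

// Permission is one allowed action on a resource pattern; a trailing "*"
// matches any suffix, so "hr/*" covers "hr/salary" and "hr/reviews".
type Permission struct {
	Action   string
	Resource string
}

type Role struct {
	Name       string
	RequireMFA bool // security profile: usable only from an MFA session
	Perms      []Permission
}

// Policy ties existing enterprise groups to roles, and roles to permissions.
type Policy struct {
	GroupRoles map[string][]string // directory group -> role names
	Roles      map[string]Role
}

func matchResource(pattern, resource string) bool {
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(resource, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == resource
}

// Authorize answers "may this session perform action on resource?" and says
// why. Default deny: some role the session can actually exercise must grant it.
func (p Policy) Authorize(s Session, action, resource string) (bool, string) {
	if s.User == "" {
		return false, "deny: unauthenticated"
	}
	var mfaBlocked []string
	for _, g := range s.Groups {
		for _, roleName := range p.GroupRoles[g] {
			role, ok := p.Roles[roleName]
			if !ok {
				continue
			}
			if role.RequireMFA && !s.MFA {
				mfaBlocked = append(mfaBlocked, role.Name)
				continue
			}
			for _, perm := range role.Perms {
				if perm.Action == action && matchResource(perm.Resource, resource) {
					return true, fmt.Sprintf("allow: %s via group %q role %q", s.User, g, role.Name)
				}
			}
		}
	}
	if len(mfaBlocked) > 0 {
		return false, fmt.Sprintf("deny: role(s) %s require MFA", strings.Join(mfaBlocked, ","))
	}
	return false, "deny: no matching permission"
}

// DemoPolicy is a constructed policy for the HR example in the text.
func DemoPolicy() Policy {
	return Policy{
		GroupRoles: map[string][]string{
			"CN=HR,OU=Groups,DC=example,DC=com":          {"hr-reader"},
			"CN=Developers,OU=Groups,DC=example,DC=com":  {"developer"},
			"CN=CloudAdmins,OU=Groups,DC=example,DC=com": {"cloud-admin"},
		},
		Roles: map[string]Role{
			"hr-reader": {Name: "hr-reader", Perms: []Permission{
				{Action: "read", Resource: "hr/*"}}},
			"developer": {Name: "developer", Perms: []Permission{
				{Action: "read", Resource: "dev/*"}, {Action: "start", Resource: "dev/*"}}},
			"cloud-admin": {Name: "cloud-admin", RequireMFA: true, Perms: []Permission{
				{Action: "read", Resource: "*"}, {Action: "delete", Resource: "*"}}},
		},
	}
}

func main() {
	p := DemoPolicy()
	hr := Session{User: "alice", Groups: []string{"CN=HR,OU=Groups,DC=example,DC=com"}}
	dev := Session{User: "bob", Groups: []string{"CN=Developers,OU=Groups,DC=example,DC=com"}}
	admin := Session{User: "carol", Groups: []string{"CN=CloudAdmins,OU=Groups,DC=example,DC=com"}}
	fmt.Println(p.Authorize(hr, "read", "hr/salary"))     // allow
	fmt.Println(p.Authorize(dev, "read", "hr/salary"))    // deny: no matching permission
	fmt.Println(p.Authorize(admin, "delete", "dev/vm-12")) // deny: requires MFA
	admin.MFA = true
	fmt.Println(p.Authorize(admin, "delete", "dev/vm-12")) // allow
	fmt.Println(p.Authorize(Session{}, "read", "dev/vm-12")) // deny: unauthenticated
}
```

The reason string matters as much as the boolean: it is what gets written to the audit log, and it lets a reviewer see which group membership granted a sensitive action.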
Automated deployment
Cloud automation capabilities make it far easier for organizations to implement encrypted file systems and backups, even within public clouds. Automated deployment greatly reduces the risk of user error and malicious actions.
How can IT demonstrate compliance with required laws and regulations?
The second critical requirement for security is being able to not only comply with required laws and regulations, but to demonstrate that compliance. Failing to meet compliance requirements can have legal and financial ramifications, so as cloud operations continue to grow, organizations must be able to clearly demonstrate compliance with required laws and regulations.
Most likely, your organization is already taking measures to ensure its policies, processes and environments are in compliance with the relevant regulations. But how do you prove this during an audit? Within cloud environments, logging, monitoring and alerting are three common approaches.
• Logging ensures that organizations can show that they are in full control of their systems, and it can also be useful for long-term analysis.
• Monitoring is the process of keeping an eye on the logs to ensure that there are no potential security threats.
• Alerting helps staff proactively identify and solve emerging issues.
Logging
Most compliance regimes require organizations to keep logs adequate to demonstrate compliance. This record is used as proof that the organization monitors, and can audit, what is happening across all its systems. Being able to track user activity easily also helps maintain security, and logs can be used to show and forecast usage trends.
When dealing with cloud, especially public cloud, organizations should be aware of a gap in the logging that is available. Not every cloud provider gives customers a log of the actions their own employees have taken via the provider's console or API; where a provider does offer one (AWS CloudTrail is an example), it should be enabled and retained, but it covers only that provider. Without such a log, the customer by default has no way of tracking which users performed what actions.
Therefore, it is important to have another solution in place for obtaining these logs.
Cloud management can address this issue by acting as a proxy between your organization and your cloud providers: every console or API call passes through it, so your organization captures all console- and API-level activity, across providers, in one easy-to-manage log format.
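One way to build the proxy described above, as an added Go example rather than Cloud Manager's implementation: a reverse proxy in front of a provider API that attaches the provider credential on the way out (so users never hold it) and records who called what, against which provider, with what result, including calls it refused. The provider endpoint, the `X-Session-User` header used by the demo session lookup and the bearer token are hypothetical; a real deployment would resolve the user from its own session store.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"sync"
	"time"
)

// AuditRecord is one console/API action captured at the proxy.
type AuditRecord struct {
	Time     time.Time
	User     string
	Provider string
	Method   string
	Path     string
	Status   int
}

// AuditLog is an append-only, concurrency-safe record store. In practice the
// records would go to durable, tamper-evident storage or a SIEM.
type AuditLog struct {
	mu      sync.Mutex
	records []AuditRecord
}

func (a *AuditLog) Append(r AuditRecord) {
	a.mu.Lock()
	defer a.mu.Unlock()
	a.records = append(a.records, r)
}

func (a *AuditLog) Records() []AuditRecord {
	a.mu.Lock()
	defer a.mu.Unlock()
	return append([]AuditRecord(nil), a.records...)
}

// statusWriter captures the status code the provider returned.
type statusWriter struct {
	http.ResponseWriter
	status int
}

func (w *statusWriter) WriteHeader(code int) {
	w.status = code
	w.ResponseWriter.WriteHeader(code)
}

// NewAuditingProxy forwards requests to the provider API at target. identify
// resolves the already-authenticated user for a request from the management
// layer's session (never from anything the caller can forge); providerToken is
// the provider credential, which stays on this side of the proxy. Every
// request, forwarded or refused, produces an audit record.
func NewAuditingProxy(provider string, target *url.URL, providerToken string,
	identify func(*http.Request) string, audit *AuditLog) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(target)
	director := rp.Director
	rp.Director = func(req *http.Request) {
		director(req)
		req.Host = target.Host
		// The user's own session never reaches the provider; the proxy
		// substitutes the provider credential it guards.
		req.Header.Set("Authorization", "Bearer "+providerToken)
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		rec := AuditRecord{Time: time.Now().UTC(), Provider: provider,
			Method: r.Method, Path: r.URL.Path, User: identify(r)}
		if rec.User == "" {
			rec.Status = http.StatusUnauthorized
			audit.Append(rec)
			http.Error(w, "unauthenticated", rec.Status)
			return
		}
		sw := &statusWriter{ResponseWriter: w, status: http.StatusOK}
		rp.ServeHTTP(sw, r)
		rec.Status = sw.status
		audit.Append(rec)
	})
}

func main() {
	// Hypothetical provider endpoint; .invalid never resolves.
	target, err := url.Parse("https://api.example-cloud.invalid")
	if err != nil {
		log.Fatal(err)
	}
	audit := &AuditLog{}
	// Demo session lookup: a header set by the authenticating front end.
	identify := func(r *http.Request) string { return r.Header.Get("X-Session-User") }
	h := NewAuditingProxy("example-cloud", target, "provider-api-token", identify, audit)
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", h))
}
```

Because the provider token is injected by the proxy, revoking a user means revoking their session with the management layer, not rotating a shared provider credential; and because the refusal is logged too, the audit trail shows attempts as well as successes.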
Monitoring and alerting
Logging may be a requirement for compliance, but it is not a proactive solution. It’s important to monitor and review the logs on a regular, ongoing basis, and provide the appropriate response to any suspicious activity. The easiest and most secure way to do this is to have a system monitoring the logs and generating automated alerts. The alerts should trigger on whatever conditions are important to your organization.
This information is useful for the security, operations and applications teams — for knowing both when unexpected events happen and when expected actions don’t happen on schedule.
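The kind of automated log review described above, as an added Go example that is not Cloud Manager's monitoring: it evaluates three rules over constructed JSON audit lines, a destructive action outside the change window, a burst of denied actions by one user, and an expected backup that did not run within its interval (the "expected action that didn't happen" case). The log format, action names, thresholds and sample events are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Event is one line of the audit log in the (assumed) format the proxy emits.
type Event struct {
	Time     time.Time `json:"time"`
	User     string    `json:"user"`
	Action   string    `json:"action"`
	Resource string    `json:"resource"`
	Result   string    `json:"result"` // "success" or "denied"
}

type Alert struct {
	Rule   string
	Detail string
}

// Rule parameters; an organization sets these to its own change window,
// failure tolerance and backup schedule.
var (
	destructive    = map[string]bool{"server.delete": true, "volume.delete": true, "firewall.update": true}
	offHoursStart  = 22 // UTC hour from which destructive changes need a change ticket
	offHoursEnd    = 6
	maxDenied      = 3
	deniedWindow   = 10 * time.Minute
	backupAction   = "backup.run"
	backupInterval = 24 * time.Hour
)

func parse(lines []string) ([]Event, error) {
	var events []Event
	for i, line := range lines {
		if strings.TrimSpace(line) == "" {
			continue
		}
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		events = append(events, e)
	}
	return events, nil
}

// Evaluate runs the three checks over lines (assumed in time order) and reports
// on the resources in backedUp that have no successful backup within
// backupInterval before now.
func Evaluate(lines []string, now time.Time, backedUp []string) ([]Alert, error) {
	events, err := parse(lines)
	if err != nil {
		return nil, err
	}
	var alerts []Alert
	denied := map[string][]time.Time{}
	lastBackup := map[string]time.Time{}
	for _, e := range events {
		h := e.Time.UTC().Hour()
		if destructive[e.Action] && e.Result == "success" && (h >= offHoursStart || h < offHoursEnd) {
			alerts = append(alerts, Alert{"off-hours-destructive",
				fmt.Sprintf("%s ran %s on %s at %s", e.User, e.Action, e.Resource, e.Time.Format(time.RFC3339))})
		}
		if e.Result == "denied" {
			times := append(denied[e.User], e.Time)
			for len(times) > 0 && e.Time.Sub(times[0]) > deniedWindow {
				times = times[1:] // slide the window
			}
			denied[e.User] = times
			if len(times) == maxDenied { // alert once, when the threshold is reached
				alerts = append(alerts, Alert{"denied-burst",
					fmt.Sprintf("%s had %d denied actions within %s", e.User, maxDenied, deniedWindow)})
			}
		}
		if e.Action == backupAction && e.Result == "success" && e.Time.After(lastBackup[e.Resource]) {
			lastBackup[e.Resource] = e.Time
		}
	}
	for _, res := range backedUp {
		if last, ok := lastBackup[res]; !ok || now.Sub(last) > backupInterval {
			alerts = append(alerts, Alert{"missed-backup",
				fmt.Sprintf("no successful %s for %s in the last %s", backupAction, res, backupInterval)})
		}
	}
	return alerts, nil
}

// Constructed sample log; SampleNow is the evaluation time it was written for.
var SampleLog = []string{
	`{"time":"2015-03-01T07:30:00Z","user":"alice","action":"backup.run","resource":"srv-17","result":"success"}`,
	`{"time":"2015-03-02T02:00:00Z","user":"alice","action":"backup.run","resource":"srv-18","result":"success"}`,
	`{"time":"2015-03-02T02:14:00Z","user":"bob","action":"server.delete","resource":"srv-17","result":"success"}`,
	`{"time":"2015-03-02T08:01:00Z","user":"dave","action":"firewall.update","resource":"fw-1","result":"denied"}`,
	`{"time":"2015-03-02T08:03:00Z","user":"dave","action":"firewall.update","resource":"fw-1","result":"denied"}`,
	`{"time":"2015-03-02T08:05:00Z","user":"dave","action":"server.delete","resource":"srv-18","result":"denied"}`,
	`{"time":"2015-03-02T08:30:00Z","user":"carol","action":"server.delete","resource":"srv-19","result":"success"}`,
}
var SampleNow = time.Date(2015, 3, 2, 9, 0, 0, 0, time.UTC)
var SampleBackedUp = []string{"srv-17", "srv-18"}

func main() {
	alerts, err := Evaluate(SampleLog, SampleNow, SampleBackedUp)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("[%s] %s\n", a.Rule, a.Detail)
	}
}
```

Run against the sample, this raises exactly three alerts: bob's 02:14 delete, dave's three denials within ten minutes, and the missing backup for srv-17. The third rule is the one a log-only approach never catches, because the evidence is the absence of a line.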
Managing logging, monitoring, and alerting
Cloud Manager offers built-in logging, monitoring and alerting services, plus the ability to integrate with a variety of third-party products, including Splunk, ArcSight and PagerDuty.
Auditing
The audit process is another integral part of any compliance regime.
For many regimes, organizations must be assessed by authorized third parties and achieve certification asserting that the organization is compliant with the relevant regulations. Auditors rely heavily on logging as both direct and indirect evidence of compliance. Logs allow organizations to demonstrate that they are taking certain actions, such as regularly evaluating who has access to what resources.
Log audits show that there is sufficient evidence being gathered for the organization to be able to detect and respond to potential security incidents.
How can IT control spending in the cloud?
Maintaining control of your environment requires maintaining control of your finances. But accurately tracking and limiting cloud spend across a myriad of groups, departments and projects can be a daunting task.
To maintain control of budgets at a granular level, enterprises must be able to:
• Track multi-cloud spending to the resource level
• Associate cloud resources with distinct cloud budgets
• Accurately calculate spend based on multiple currencies
There is no reason why organizations can't use the same budget-tracking processes for cloud resources that they use for the rest of their business.
Having controls in place that allow users to set and assign budget codes to specific resources, individuals or groups can also allow them to save money. By setting quotas, IT can monitor and even cut off cloud spending at the individual resource level.
Soft quotas generate an alert when resource costs tied to a budget code reach an assigned value, giving the individuals in that group, or the administrator, a chance to rein in further spending. Hard quotas deny creation of new resources under that budget code until other resources are released or the limit is increased.
Each time a new cloud resource is provisioned, Cloud Manager will track the cost and limit spending per your specific budget requirements. You can:
• Set budget codes by project, department, division or customer
• Monitor spending and receive alerts when forecasted spending is higher than the quota
• Cut off access to resources if spend reaches the budget cap
• View and track in the currency of your choice — no conversion required
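Soft and hard quotas as described above, in an added Go example that is not Cloud Manager's code: a ledger of budget codes checks each provisioning request's monthly cost against the cap (hard quota), raises an alert once committed spend crosses a soft threshold, returns cost to the budget when resources are released, and forecasts month-end spend from spend to date. The budget codes, cap values and the straight-line forecast are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Budget is one budget code (project, department, division or customer) with
// a hard cap, a soft-alert threshold and the monthly run-rate of resources
// currently provisioned against it.
type Budget struct {
	Code      string
	Cap       float64 // hard quota: no new resources once committed spend would exceed it
	SoftRatio float64 // e.g. 0.8: alert when committed spend reaches 80% of the cap
	Committed float64
}

type Decision struct {
	Allowed bool
	Alert   string // empty when there is nothing to report
}

type Ledger struct{ budgets map[string]*Budget }

func NewLedger(budgets ...Budget) *Ledger {
	l := &Ledger{budgets: map[string]*Budget{}}
	for i := range budgets {
		b := budgets[i]
		l.budgets[b.Code] = &b
	}
	return l
}

func (l *Ledger) get(code string) (*Budget, error) {
	b, ok := l.budgets[code]
	if !ok {
		return nil, fmt.Errorf("unknown budget code %q", code)
	}
	return b, nil
}

// Provision is called before a resource is created. Hard quota: deny when the
// new run-rate would exceed the cap. Soft quota: allow, but alert once the
// soft threshold is crossed.
func (l *Ledger) Provision(code string, monthlyCost float64) (Decision, error) {
	b, err := l.get(code)
	if err != nil {
		return Decision{}, err
	}
	if monthlyCost < 0 {
		return Decision{}, errors.New("cost must be non-negative")
	}
	next := b.Committed + monthlyCost
	if next > b.Cap {
		return Decision{Allowed: false, Alert: fmt.Sprintf(
			"hard quota: %s would reach %.2f of cap %.2f; release resources or raise the limit",
			code, next, b.Cap)}, nil
	}
	b.Committed = next
	d := Decision{Allowed: true}
	if next >= b.SoftRatio*b.Cap {
		d.Alert = fmt.Sprintf("soft quota: %s at %.0f%% of cap %.2f", code, 100*next/b.Cap, b.Cap)
	}
	return d, nil
}

// Release returns a torn-down resource's cost to its budget code.
func (l *Ledger) Release(code string, monthlyCost float64) error {
	b, err := l.get(code)
	if err != nil {
		return err
	}
	if monthlyCost < 0 || monthlyCost > b.Committed {
		return errors.New("release exceeds committed spend")
	}
	b.Committed -= monthlyCost
	return nil
}

func (l *Ledger) Committed(code string) (float64, error) {
	b, err := l.get(code)
	if err != nil {
		return 0, err
	}
	return b.Committed, nil
}

// Forecast projects month-end spend by straight-line extrapolation of spend
// to date and reports whether the projection exceeds the cap, which is the
// "forecasted spending is higher than the quota" alert condition.
func (l *Ledger) Forecast(code string, spentToDate float64, daysElapsed, daysInMonth int) (float64, bool, error) {
	b, err := l.get(code)
	if err != nil {
		return 0, false, err
	}
	if daysElapsed <= 0 || daysInMonth < daysElapsed {
		return 0, false, errors.New("invalid day counts")
	}
	projected := spentToDate / float64(daysElapsed) * float64(daysInMonth)
	return projected, projected > b.Cap, nil
}

func main() {
	l := NewLedger(Budget{Code: "proj-apollo", Cap: 1000, SoftRatio: 0.8})
	for _, cost := range []float64{500, 300, 250} {
		d, _ := l.Provision("proj-apollo", cost)
		fmt.Printf("provision %.0f: allowed=%v %s\n", cost, d.Allowed, d.Alert)
	}
	proj, over, _ := l.Forecast("proj-apollo", 600, 10, 30)
	fmt.Printf("forecast %.0f, over cap: %v\n", proj, over)
}
```

The hard-quota check runs before the resource exists, which is what makes it a control rather than a report; the forecast is what turns a month-end surprise into an early alert.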
About Cloud Manager
Cloud Manager is a cloud infrastructure management solution for deploying and managing enterprise-class applications in public, private and hybrid clouds. The solution's multi-cloud architecture provides enterprises around the world with agility, governance, and choice:
• Agility—Cloud Manager enables you to easily deploy and manage cloud applications across public and private clouds. Developers can leverage self-service provisioning, deploy applications to the cloud, and automate scaling based on system or application triggers.
• Governance—through simplified, standardized security management, elimination of over-privileged users, and consistent delegation.
• Choice—through support for a range of public and private clouds via the Dasein open source cloud abstraction layer, and for configuration management tools such as Chef and Puppet, so that you are not locked into a single provider.
Cloud Manager also enables enterprises to leverage leading configuration management solutions Chef and Puppet across all supported clouds.
Dell provides consulting services to assist you in your migration into the cloud. We can help you design a deployment to meet your target SLAs and address issues such as scaling parameters, security and compliance.
For more information on Dell Cloud Manager, visit www.enstratius.com.
Figure 1. Cloud Manager is a cloud infrastructure management solution for deploying and managing enterprise-class applications in public, private and hybrid clouds. [Architecture diagram: users reach Cloud Manager through its console, its API and SSO backed by LDAP/AD; the management and automation layer provides security, access and identity management, budget controls, provisioning, containerization and configuration management; it integrates with billing systems, ITSM, monitoring systems and a service catalog; and it connects to public clouds (Digital Ocean is shown) and private clouds (Dell/RedHat and SUSE Cloud 4 are shown) through the Dasein open source cloud abstraction layer.]
© 2015 Dell, Inc. ALL RIGHTS RESERVED. This document contains proprietary information protected by copyright. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose without the written permission of Dell, Inc. (“Dell”).
Dell, Dell Software, the Dell Software logo and products — as identified in this document — are registered trademarks of Dell, Inc. in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners.
The information in this document is provided in connection with Dell products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Dell products. EXCEPT AS SET FORTH IN DELL’S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, DELL ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS,
IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL DELL BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF DELL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Dell makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Dell does not make any commitment to update the information contained in this document.
About Dell Software
Dell Software helps customers unlock greater potential through the power of technology — delivering scalable, affordable and simple-to-use solutions that simplify IT and mitigate risk. The Dell Software portfolio addresses five key areas of customer needs: data center and cloud management, information management, mobile workforce management, security and data protection. This software, when combined with Dell hardware and services, drives unmatched efficiency and productivity to accelerate business results. www.dellsoftware.com.
If you have any questions regarding your potential use of this material, contact:
Dell Software 5 Polaris Way Aliso Viejo, CA 92656 www.dellsoftware.com
Refer to our Web site for regional and international office information.