
The basics

From Learning Cloud Computing: Cloud Governance

https://www.lynda.com/IT-Infrastructure-tutorials/basics/574701/606270-4.html

- So let's talk about cloud governance. Governance is a loaded word, it means that we're
controlling something and we're leading something and we're looking over something over
time. In the world of cloud computing, it means that we're setting parameters around certain
resources or certain services. For example, we may have an API that produces customer
information. Well that API can be only leveraged during customer hours. That API can only be
leveraged by particular people. That API can only externalize information they're authorized to
see.

And all those sort of things are really kind of part of governance. It really provides guard rails
to make sure that we're not abusing our resources, not necessarily on purpose, but by
accident. That we're using resources as prescribed by certain policies that we're creating, and
that we're in essence allowing the cloud-based system to operate effectively, because we're
placing limits on ways it can be leveraged. So governance is one of the most important aspects
of building cloud-based systems.

I can't stress this enough. It's often forgotten, so you'll find that most people that are building
cloud-based systems are not paying attention to courses like this. So they're looking at security
and management and monitoring and all that's fine, but you need governance too. Things are
widely distributed and thus difficult to manage. So when you think about governance, you
think about the ability to manage various systems that are widely distributed all over the
place. In the case of governance, resource governance including multi-cloud governance is part
of the trick.

So we may have Google cloud, we may have Microsoft cloud, we may have Amazon Web
Services cloud, and then we have some sort of a governance tool, like a cloud management
platform that sits over and above these multi cloud that allows us to allocate and deal with
these resources through a single abstract interface. So these are the foundations of cloud
governance. We have service governance, which basically governing APIs services. Security and
governance, which are joined at the hip. Compliance and governance, in other words setting
up compliance policies around making sure we don't run afoul of the law.

Governance tools, governance deployment, and then resource governance which is basically
governing the major coarse grain resources that you find in the cloud, such as storage,
compute services, things like that. So we'll see this framework a lot as I break this down. The
types of cloud governance solutions out there look like this. So we have cloud governance
technology, and we have service-based governance, resource-based governance, and security
and compliance. Service-based governance being APIs, web services, things like that. In other
words, at a very fine grain level. Resource governance being things like storage and compute,
that may have actually web services part of that but we're managing those resources as
holistic resources.

And then security and compliance where we're actually linked in with various security systems
to make sure that we're governing for policies that are set by security, and we're not in conflict
with how the security system works or how the compliance system works. And under those we
have run time, which is automated, active which is automated, as well as passive. In other
words, something that's able to become automated and carry out its services at that particular
time, versus something that will not carry out a particular service because it's passive. It's
going to alert somebody, but it's not going to take care of the issue automatically.

And then we have active and passive under security and compliance as well. Then we have
different underpinnings of that, service oriented, security oriented, design time oriented, you
can read those yourself and we're going to get into those in later videos.

Resource governance

- [Instructor] So let's talk about resource governance. Again, resources are typically
going to be coarse-grained Cloud resources such as storage, database services, compute
services, virtual services, perhaps queues, things like that, things that are major players
within the infrastructure as a service provider that we're basically governing. So when
you think about resources and resource management, this is about allocating, managing
resources while they're allocated, and de-allocating resources as we need them. What's
interesting about this is that you can certainly do that within the Cloud provider and
we've provided several demos here as to how you're going to do that, but this is about
putting another layer of abstraction on top of the Cloud provider and perhaps including
additional Cloud providers and being able to provision resources through a single pane
of glass or a single interface.

And so when we talk about governing resources, we're typically going to be talking
about Cloud management platforms or tools that are really designed to run and manage
these resources through an abstraction layer across different cloud providers. And we'll
see a demo of that in this course. So resource governance is bound to Cloud governance.
It's the two basic kinds of governance, being resource and services, and we have other
things that are part of the framework as well, but these are probably the most important
aspects of Cloud governance you need to understand.

Resource governance being dealing with coarse grain, service governance dealing with
fine grain. Such as APIs and web services, where resources are going to be storage,
compute systems, things like that. So this is a breakdown of the chart we saw in the
previous video. So Cloud governance technology, resource governance, and we have
active, automated, and passive. So there are two kinds of tools out there. One is a
passive tool which is basically able to do planning and implement things, but it's not
actively dealing with the underlying resources, which is a bit of a disadvantage since it's
for going to allocate resources, you don't want to enter that into places, you want that
recorded in the particular tool versus a design time tool, which is going to help you
somewhat but it's really not going to do anything actively managing and governing the
system.

Where active is automated. So in other words, I'm able to leverage resource governance
and I'm able to deal with the source and target systems through this automated
mechanism. So anything I deal with in the resource governance layer is able to carry
that on in the backend automatically. So we have operations-oriented. In other words,
I'm dealing with operating the Cloud. And we have development-oriented, both flavors
of resource management. So development-oriented would be dealing with servers to run
applications and servers to run dev-ops operations, things like that. Operations-oriented
would be just dealing with operational types of things, such as allocating servers for the
accounting department, for the end of year planning processes, things like that.

Things in the normal course of operations where development would be more net new
stuff, building things, ad hoc kinds of operations.

Service governance

Okay, now that we talked about resource governance, let's go down another layer and talk
about service governance. So what's important about this is that this is another layer down the
cloud governance chain. So we manage resources and resources can typically contain services.
So you may have S3 cloud storage, for instance on Amazon Web Services, it may have hundreds
of APIs that they leverage to access the services, do something to the storage technology and
basically this is about managing those and managing those APIs and managing those services.

So we're focused on APIs or web services here and we've been dealing with web services and
governing web services for a long time back in the service oriented architecture days, we were
basically taking web services and orchestrating them into solutions and part of that in creating
an infrastructure, we had to create a management and governance layer on top of that. So
service governance is another key part of cloud governance because if we don't manage the
APIs or the services that are being externalized and leveraged by the cloud users and the cloud
providers themselves then we're going to be unable to understand how to control access to
those various systems and bad things can happen.

For example, we can saturate a service and therefore make that service unavailable for other
people that are trying to access the service on a cloud. And so we have to basically put policies
around who's going to access the service, how long are they accessing the service, what can
they do with the service, can they saturate the service, if so, for how long? So all that stuff
really needs to be defined and it provides guard rails or protections around how we're going to
leverage web services or APIs. So within the types of cloud governance solutions kind of
breaking that down again, we have the service which is pretty much always going to be
runtime automated even though you did have design time in the past they're not around much
anymore.

So this means that we're going to surround the services with policies that are going to be
enforced by a service governance layer and typically repository is going to be where those
policies are stored. And it's going to be either service oriented now that we're dealing directly
with the cloud services, it's going to be security oriented now that we're just dealing with the
cloud services in terms of how security is going to be managed, in other words time of day
who's accessing, saturating the services, failure rates, things like that that may indicate a
breach and then some design time based systems.

In other words how we're going to design these services and you know setup these service
hierarchies and if you have been involved in service design which is kind of out of the scope of
this course but you understand that we're dealing with hierarchies of services and the ability
to kind of break big ones and little ones so the ability to deal with APIs that manage storage,
that manage putting information on queues, that manage getting customer credit information.
I mean everything and anything can be delivered as a service through an API and this is about
automating the protection of the services, ensuring that we don't make a mistake.

Compliance and governance



- [Teacher] So we're all compliant out there, we monitor our driving around speed
limits, we monitor our transactions, we monitor the way in which we pay taxes and we
have to deal with legal organizations that may come after us if we don't do those things
properly. And that's really what compliance is all about. So, if we're governing what's in
the cloud, it's important that we're able to place policies around the governance of those
systems that allows us to limit access based on certain restrictions, either policy
restrictions that we build within the enterprise, in other words, our own restrictions that
we're trying to live up to or more often than not, it's going to be legal restrictions,
basically through outside forces.

And we may be audited and we may be found that we need to prove our compliance
especially if you're in the finance or healthcare verticals. So it's perhaps the most
important role that governance plays, it's basically the automation of legal restrictions.
And so the ability to kind of automate without second guessing everybody or having
some human run around and trying to make everybody compliant, which is very
difficult to do. We're able to automate the restrictions and the policies that are placed on
use of the resources that we have in the cloud and therefore we remain compliant
through this automation.

So compliance and governance in this breakdown here, we have abstraction, policies,
you know, basically legal issues, so in other words, policies enforce the law and we
have to keep process information around Sarbanes-Oxley. We have to keep legal
identity information, we have to use certain encryption keys that are validated for
HIPAA and healthcare. Abstraction of these systems basically removes us from the
complexity, so instead of having to deal with the legal issues and updating those things
all the time, somebody else is responsible for that, who can basically make it his or her
full-time job to monitor what's going on in the legal world and update these policies, so
it's going to enforce them on a particular cloud and then through this abstraction layer,
we're able to access these policies without really kind of understanding them, really.

I mean, we should have a basic understanding of what they are because the industry
you're in, but there's no reason why we need to understand what encryption levels we
need to do or whether or not information can be transferred across state lines in certain
instances around privacy regulations. And so it takes the burden out of our hands and
puts it in the hands of the governance compliance system. Identities need to be
understood, you need to understand how processes are involved in services and
resources are kind of down to those things. So again, we can't enforce policies without
understanding the identities of the devices and the people and the systems that
we're interacting with and making sure that they're not able to do something that's going
to violate some law or some policy that's going to get us in trouble.

And we do that by putting the guard rails up, in this case the guard rails of compliance
and governance.

Introduction to policies
[Instructor] Okay let's talk about policies. Policies are core to governance because they're
basically the way in which we automate governance. We define access to resources, access to
services, access to anything around policies that are basically placed around those resources,
around those services. So policies are a way that you define your governance tools how they're
going to work. In other words, it's programming your governance tools. I may allow restrictions
around time, maybe allow restrictions around level of effort, or maybe allow restrictions
around identity of the person who's trying to access the resources.

I may define restrictions around utilization of resources or over utilization of resources.

So policies are like program code in that you need to version them and understand
interdependencies. So, when I think about policies and when I think about programming there
really is not much difference other than the fact that they're usually procedural in nature
they're very simplistic in how you write them. But they are interdependent because we do
have some policies that are dependent on other policies that are dependent on other policies
and we need to understand those dependencies. And by the way, policy should be considered
as code, and versioned with the system, be a part of the dev ops process, be a part of anything
having to deal with development.

So within the governance tool we have the notion of policies. And we have policies that can
wrap around resources, services, APIs, we discussed that. Security we discussed that, and
applications, and they may be built directly into the applications in terms of APIs that are being
called out to the governance tool to define restrictions around who, what, when, where can
access a particular application and for what reason. In many instances there may be policies in
terms of who can access what portion of the application and by the way what piece of data
that they can see.

Which is the next topic. In other words information and policies around utilization of data, who
can write the data, who can read the data, whether the data is going to be encrypted or not,
all these sort of things are really defined within policies, which are going to be the way in
which we define the behavior of our governance tool. Here's a very simple policy example. If
access to Service_20, we're going to check the time. Time greater than eleven PM and less
than midnight, we won't allow access. That person needs to be in bed. And we're going to end
that, and end that.

And so this would be a very simple one two three four five six line policy that would disallow
access to particular service, Service_20, if a time of day is in a certain set of parameters, and of
course most policies are going to be much more complex than this, but this is not an unusual
example of how we're going to leverage policies within a governance tool.
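
The Service_20 rule described above, written out as policy-as-code in Python. This is an added example, not code from the course or from any governance product; the policy names, versions, sample identities and the meaning given to `depends_on` (evaluation order) are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from graphlib import TopologicalSorter
from typing import Callable, Tuple

@dataclass(frozen=True)
class Request:
    identity: str
    service: str
    when: datetime   # assumed to be in the governed service's local time

@dataclass(frozen=True)
class Policy:
    name: str
    version: str                         # policies are versioned like code
    applies_to: str                      # service the policy wraps
    deny_if: Callable[[Request], bool]   # True means refuse the request
    depends_on: Tuple[str, ...] = ()     # policies that must be checked first

def evaluation_order(policies):
    """Names ordered so each policy follows the ones it depends on.
    graphlib raises CycleError if the dependencies are circular."""
    graph = {p.name: set(p.depends_on) for p in policies}
    missing = {d for deps in graph.values() for d in deps} - set(graph)
    if missing:
        raise ValueError(f"undefined policy dependencies: {sorted(missing)}")
    return list(TopologicalSorter(graph).static_order())

def decide(policies, req):
    """Return (allowed, reason); a service with no policy is denied."""
    by_name = {p.name: p for p in policies}
    relevant = [by_name[n] for n in evaluation_order(policies)
                if by_name[n].applies_to == req.service]
    if not relevant:
        return False, "default deny: no policy covers this service"
    for p in relevant:
        if p.deny_if(req):
            return False, f"{p.name}@{p.version}"
    return True, "all policies passed"

AUTHORIZED = {"alice", "bob"}   # constructed sample identities

POLICIES = [   # constructed sample policy set; names and versions are hypothetical
    Policy("service20-night-window", "1.0.0", "Service_20",
           # transcript rule: later than 11 PM and before midnight -> no access
           deny_if=lambda r: r.when.time() > time(23, 0),
           depends_on=("service20-identity",)),
    Policy("service20-identity", "1.2.0", "Service_20",
           deny_if=lambda r: r.identity not in AUTHORIZED),
]

if __name__ == "__main__":
    for who, hhmm in [("alice", "22:59"), ("alice", "23:30"), ("mallory", "23:30")]:
        req = Request(who, "Service_20", datetime.fromisoformat(f"2024-01-15T{hhmm}"))
        print(who, hhmm, decide(POLICIES, req))
```

Returning the name and version of the policy that refused the request gives the audit trail a pointer to the exact rule revision that was in force.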
