Cloud Governance - Nottingham Trent University

Summary

These slides, by Zoheir Ezziane, are about cloud governance at Nottingham Trent University. They cover implementing cloud services, enterprise architecture, MS Azure governance and identity services, and discuss governance principles and policies, organisation and financial components.

Full Transcript

COMP30231-4 – Cloud governance
Zoheir Ezziane
COMP30231 – Service Centric and Cloud Computing
05/14/2025

So far
- IS strategy and meeting business needs – the role that cloud computing can play
- Implementing cloud services, the role of Enterprise Architecture and how patterns of business demand can create need for cloud services.

Today
- Governance in cloud services implementation and management
- Real-life example: governance in MS Azure

Implementation lifecycle
[Diagram: Initial planning; Determine target architecture; Gap analysis and transition planning; Implementation. Labels: EA & cloud; Governance; Two weeks ago; Last week; Today]

Video Time: Mr Chairman

What is governance?
- Determines how decisions are made and by whom
- Determines who in the business is responsible for key activities and decisions and how they are made
- Determines who authorises expenditure and how
- Determines who are the final decision makers
- Specifies accountability and policies for controlling change

APM Definition
Governance is the framework of authority and accountability that defines and controls the outputs, outcomes and benefits from projects, programs and portfolios. The mechanism whereby the investing organization exerts financial and technical control over the deployment of the work and the realization of value.
APM Body of Knowledge 7th Edition, What is governance? | APM
APM – Association for Project Management

Components of governance
- Principles and policies
- Organization
- Financials
- Processes
- Metrics and tools

Governance – 1. Principles and policies
- Business “rules”: Decision-making hierarchy
- Why: Expectations; guidelines; safety; decreased number of errors
- 3 types of business rules: Coordination rules; Qualification and disqualification rules; Decision rules (evaluate and assign next step)

Governance – 2. Organisation
- Executive ownership
- Leadership and key roles
- Levels of accountability – E.g., steering committee? programme board? Etc.
- How key roles and key groups interact
- The role of the Enterprise Architect?
- What each role/group is responsible for (i.e., what they do)

Governance – 2. Organisation - RACI Matrix
- Golden rule is that only one person/role can be accountable

Governance – 3. Financials
- The funding model can help to achieve financial stability and sustainability
- Specification of funding models: (1) Type (e.g., government or private); (2) the funding decision maker (e.g., government administrators or wealthy individuals); and (3) the funder's motivation (e.g., altruism or self-interest).

Governance – 4. Processes
- Specific processes which must be followed
- Management processes
  - Risk management
  - Vendor contract management
  - Performance management
- Standards
- Compliance
- Communications
  - How, when, to whom, what should be communicated
- CMMI can provide many of these components
- Capability Maturity Model Integration: https://cmmiinstitute.com/
- What is CMMI for Acquisition (CMMI-ACQ)? | CMMI Consultants (cmmi-consultants.com)

Governance – 5. Metrics and tools
- Align metrics to desired business & technology goals
- Service Level Agreements for vendors and cloud services
- QA / Testing
- Security
- Predictive metrics (measure the causal factors leading to performance before the fact) vs reactive ones (What could be measured based on historical data after the fact)
- CMMI (Capability Maturity Model Integration) can provide many of these components

Why governance?
- Governance failure may result in users turning away from the system and using workarounds
- There is evidence that some IT leaders think cloud computing replaces the need for governance – not so!
- Migrating from in-house developed systems or heavily customised systems to cloud-based services is hard – governance is more difficult and even more necessary
- Cloud service providers often offer only highly standardised governance models which may present too many risks to an organisation

Video Time: Hidden Cloud
https://www.youtube.com/watch?v=UUEru7mB-dM

2. Governance in MS Azure

Azure Governance in a nutshell
- Governance provides mechanisms and processes to maintain control over your applications and resources in Azure
- Designed to help plan initiatives and set strategic priorities
- Primarily implemented with two services
  - Azure Policy
    - Allows you to create, assign, and manage policy definitions to enforce rules for your resources
    - Keeps resources in compliance with your corporate standards
  - Azure Cost Management
    - Allows you to track cloud usage and expenditures for your Azure resources and other cloud providers

Example of Azure Policy and Cost Management Web UIs

Azure services are designed to work together

Identity, governance, privacy, and compliance
© Copyright Microsoft Corporation. All rights reserved.

Outline
You will learn the following concepts:
- Azure identity services
- Azure governance features
- Azure privacy and compliance

Core Azure identity services

Compare Authentication and Authorization
Authentication
- Identifies the person or service seeking access to a resource.
- Requests legitimate access credentials.
- Basis for creating secure identity and access control principles.
Authorization
- Determines an authenticated person’s or service’s level of access.
- Defines which data they can access, and what they can do with it.

Azure Multi-Factor Authentication
Provides additional security for your identities by requiring two or more elements for full authentication.
- Something you know
- Something you possess
- Something you are

Azure Active Directory (AAD)
Azure Active Directory (AAD) is Microsoft Azure’s cloud-based identity and access management service.
- Authentication (employees sign-in to access resources).
- Single sign-on (SSO).
- Application management.
- Business to Business (B2B).
- Business to Customer (B2C) identity services.
- Device management.

Conditional Access
Conditional Access is used by Azure Active Directory to bring signals together, to make decisions, and enforce organizational policies.
- User or Group Membership
- IP Location
- Device
- Application
- Risk Detection

Azure Governance Methodologies

Azure Governance Methodologies - Objective Domain
Describe the functionality and the usage of:
- Role-Based Access Control (RBAC)
- Resource locks
- Tags: consists of a name and a value pair. E.g., apply the name “Department” and the value “Finance” to resources.
- Azure Policy
- Azure Blueprints
- Cloud Adoption Framework for Azure

Explore Role-based access control (RBAC)
- Fine-grained access management.
- Segregate duties within the team and grant only the amount of access to users that they need to perform their jobs.
- Enables access to the Azure portal and controlling access to resources.
[Diagram labels: Azure Active Directory; Azure subscription; User; Apps; User groups; Resource group]

Resource locks
- Protect your Azure resources from accidental deletion or modification.
- Manage locks at subscription, resource group, or individual resource levels within Azure Portal.

Lock Types     Read   Update   Delete
CanNotDelete   Yes    Yes      No
ReadOnly       Yes    No       No

Tags
- Provides metadata for your Azure resources.
- Logically organizes resources into a taxonomy.
- Consists of a name-value pair.
- Very useful for rolling up billing information.
Example tags:
  owner: joe
  department: marketing
  cost-center: marketing
  environment: production

Azure Policy
Azure Policy helps to enforce organizational standards and to assess compliance at-scale. Provides governance and resource consistency with regulatory compliance, security, cost, and management.
- Evaluates and identifies Azure resources that do not comply with your policies.
- Provides built-in policy and initiative definitions, under categories such as Storage, Networking, Compute, Security Center, and Monitoring.

Azure Blueprints
Azure Blueprints: Rapidly build and start up new environments with a set of built-in components (such as networking) to speed up development and delivery.
- Role Assignments
- Policy Assignments
- Azure Resource Manager Templates
- Resource Groups

Cloud Adoption Framework (CAF)
- Cost-reduction, innovation, governance, a new way of managing technology.
- Best practices from Microsoft employees, partners, and customers.
- Tools, guidance, and narratives for strategies and outcomes.

Privacy, compliance, and data protection standards

Security, Privacy, and Compliance
- Security: MS helps to protect against known and unknown cyberthreats, using automation and artificial intelligence.
- Privacy: Ensure the privacy of organizations
- Compliance: Respect local laws and regulations.
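
The Resource locks, Tags and Azure Policy slides above can be worked through on a small inventory; the Python below is an added example, not part of the original slides and not Microsoft code. It goes one step beyond the lock table by applying Azure's rule that a lock set on a subscription or resource group is inherited by the resources under it, with the most restrictive lock taking effect. The scope paths, the required-tag set and all function names are assumptions, and the inventory is constructed.

```python
# Added example. Inventory, scope paths and the required-tag set are constructed.
# Operations each lock type blocks, taken from the slide's lock table.
LOCK_BLOCKS = {"CanNotDelete": {"delete"}, "ReadOnly": {"update", "delete"}}

# Assumed organisational standard: the four tag names shown on the Tags slide.
REQUIRED_TAGS = ("owner", "department", "cost-center", "environment")

# Locks by scope: subscription, resource group or single resource (hypothetical paths).
LOCKS = {"/sub-prod": "CanNotDelete", "/sub-prod/rg-finance": "ReadOnly"}

RESOURCES = [
    {"id": "/sub-prod/rg-finance/sql-ledger",
     "tags": {"owner": "joe", "department": "finance",
              "cost-center": "finance", "environment": "production"}},
    {"id": "/sub-prod/rg-web/vm-frontend", "tags": {"owner": "joe"}},
    {"id": "/sub-dev/rg-lab/vm-scratch", "tags": {}},
]


def denied_operations(resource_id, locks=LOCKS):
    """Union of operations blocked by locks on the resource and its parent scopes."""
    denied = set()
    for scope, lock_type in locks.items():
        # Match the scope itself or a child path; "/sub-prod" must not match "/sub-production".
        if resource_id == scope or resource_id.startswith(scope + "/"):
            denied |= LOCK_BLOCKS[lock_type]
    return denied


def is_allowed(resource_id, operation, locks=LOCKS):
    """Reads are never blocked by a lock; update and delete depend on inherited locks."""
    return operation not in denied_operations(resource_id, locks)


def missing_tags(resource, required=REQUIRED_TAGS):
    """Required tag names that are absent or empty, as a policy audit would report."""
    return [name for name in required if not resource["tags"].get(name)]


def audit(resources=RESOURCES, locks=LOCKS):
    """One row per resource: tag gaps and whether delete/update are protected."""
    rows = []
    for res in resources:
        denied = denied_operations(res["id"], locks)
        rows.append({"id": res["id"], "missing_tags": missing_tags(res),
                     "delete_protected": "delete" in denied,
                     "read_only": "update" in denied})
    return rows
```

Running audit() on the constructed inventory shows the development VM as both untagged and unprotected against deletion, which is the kind of finding the governance components above are meant to surface.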

Compliance Terms and Requirements
Microsoft provides set of compliance offerings (including certifications and attestations) of any CSP. Some compliance offerings include:
- CJIS: Criminal Justice Information Services
- HIPAA: Health Insurance Portability and Accountability Act
- CSA STAR Certification
- ISO/IEC 27018
- NIST: National Institute of Standards and Technology
- EU Model Clauses

Microsoft privacy statement
The Microsoft privacy statement provides openness and honesty about how Microsoft handles the user data collected from its products and services.
The Microsoft privacy statement explains:
- What data Microsoft processes.
- How Microsoft processes it.
- What purposes the data is used for.

Online Services Terms and Data Protection Addendum
- Online Services Terms: The licensing terms define the terms and conditions for the products and Online Services you purchase through Microsoft Volume Licensing programs.
- Data Protection Addendum: The DPA sets forth the obligations, with respect to the processing and security of Customer Data and Personal Data, in connection with the Online Services.

Trust Center
Learn about security, privacy, compliance, policies, features, and practices across Microsoft’s cloud products.
The Trust Center website provides:
- In-depth, expert information.
- Curated lists of recommended resources, arranged by topic.
- Role-specific information for business managers, administrators, engineers, risk assessors, privacy officers, and legal teams.

Azure Compliance Documentation
Microsoft offers a comprehensive set of compliance offerings to help your organization comply with national, regional, and industry-specific requirements that govern the collection and use of data.
- Global
- US Government
- Industry
- Regional

Azure Sovereign Regions (US Government services)
Meets the security and compliance needs of US federal agencies, state and local governments, and their solution providers.
Azure Government:
- Separate instance of Azure.
- Physically isolated from non-US government deployments.
- Accessible only to screened, authorized personnel.
Examples of compliant standards: FedRAMP, NIST 800.171 (DIB), ITAR, IRS 1075, DoD L2, L4 & L5, and CJIS.

Azure Sovereign Regions (Azure China)
Microsoft is China’s first foreign public cloud service provider, in compliance with government regulations.
Azure China features:
- Physically separated instance of Azure cloud services operated by 21Vianet
- All data stays within China to ensure compliance

Summary and Seminar Topic

Summary
- Effective governance is key to all aspects of the provision of cloud services – before, during and after implementation
- Good governance covers topics related to finance and organisation
- Azure implements its own services to help you with your company’s cloud governance

Seminar topic
- Consider the BBC
- The BBC is a very large organisation
- They have many large projects
- These are often IT projects
- They make mistakes
- One such failed project is the Digital Media Initiative
- This seminar is about understanding the failures of the DMI
- You are a member of the BBC board, having just received the report from the National Audit Office – you want to try and understand the failures in governance

Seminar topic
- Read National Audit Office Memorandum on BBC Digital Media Initiative (Executive Summary), January 2014 in NOW
- The Digital Media Initiative was cancelled in July 2013 after incurring costs of nearly £130 million
- Using the five components of governance outlined earlier, identify actions and steps (related to governance) the BBC should have taken to reduce risks or avoid issues related to the implementation of its Digital Media Initiative