Article Cloud Governance June 13, 2017

Enterprise Cloud Governance: The Case for Consolidated Cost and Security Management

The public cloud is revolutionizing the IT landscape. Enterprises are migrating their applications, lured by the prospect of ultra-fast provisioning times, a modern infrastructure platform and new agile approaches to delivering IT. Above all, they’re attracted to the on-demand model of computing and the potential cost efficiencies they can achieve.

Yet, once they’ve finally moved their workloads, enterprises are often slow to adjust to the pay-as-you-go nature of the cloud and neglect to monitor their costs—which can easily end up spiraling out of control.

Then there is the issue of security.

In many respects, the cloud is more secure than traditional data centers. This is because cloud providers have far more security resources and expertise than enterprises typically have at their disposal. And that means they’re able to provide you with a more secure environment for hosting your IT workloads.

But that’s not to say you can neglect your cloud security obligations. In fact, far from it.

While IaaS provides you with the basic building blocks for securing your applications, under each vendor’s shared responsibility model, you are responsible for everything that comes under your direct control, such as the guest operating system, encryption, and user authentication.

This presents new and different security challenges, requiring special attention to your environment configuration. Plus, the distinct standards of each cloud provider’s responsibility model vary, requiring proactive planning to understand unique SLAs.

In this post, we discuss issues enterprises face when optimizing costs and securing infrastructure in the cloud, how third-party tools can help address these problems, and ultimately why consolidated cloud management solutions are invaluable to organizations looking to make the most of their cloud investment.

Cloud Cost Optimization

By contrast with on-premise infrastructure, which is financed by fixed upfront investments, cloud consumption is an everyday operational expense. This requires a huge shift in your approach to operational management, where optimizing cost is as important as optimizing performance.

First, you’ll need to get the foundations right—by architecting your applications to make efficient use of your cloud infrastructure. You should also bear in mind that the additional resources required for fault-tolerance come at a cost. So you’ll need a backup system that takes advantage of the most economical storage options, while also meeting your failover and data recovery objectives.

But that’s only the start.

You pay for your cloud infrastructure whether you use it or not. So removing unused and underutilized resources and preventing cloud sprawl will be central to your optimization strategy. Likewise, you should avoid unnecessary waste by sizing instances so they deliver a good balance between performance and cost.

In a complex enterprise cloud environment, you need to take an active approach to keeping costs in check across a diverse array of compute, storage, and other infrastructure services. Understanding how resources are allocated for each cloud provider, and optimizing them, can easily become a massive undertaking.  

How Cost Optimization Tools Can Help

Cloud monitoring and cost management tools help decision makers, such as CIOs, CFOs and MSPs, to reduce waste and optimize spend by providing actionable insights on wasted resources.

In addition to familiar issues, such as unused or underutilized instances, they can also help an organization make more efficient use of existing resources. For example, by providing recommendations on:

  • Reserved capacity purchases: Using historical usage trends to identify workloads that can leverage alternatives to on-demand pricing, such as AWS Reserved Instances and Spot Instances.
  • Rebalancing of resources: Offering suggestions on more cost-effective ways to deploy your workloads—from making better use of existing Reserved Instances to replacing general-purpose instances with alternatives designed for specific use cases.
  • Best practices: Including right-sizing instances, deleting unattached persistent volumes and old volume snapshots, tagging resources and rotating logs to lower-cost storage options.

These tools can also help operations teams spot other cost-related issues, ranging from misconfigured infrastructure and slow-running SQL queries to poorly architected applications.

And, finally, more sophisticated products can also map the itemized charges in your monthly cloud bills to your own accounting system. This can help you allocate your cloud costs more accurately across the enterprise—thereby making users more accountable for their cloud consumption and encouraging them to use resources more efficiently.

Cloud Security and Compliance

The cloud is very different from traditional computing infrastructure, requiring a new and different approach to cybersecurity.

On-premise security systems are designed to protect static physical environments and focus primarily on preventing outsiders from penetrating the corporate network perimeter.

However, the cloud is dynamic virtual infrastructure, where applications are architected differently, IP addresses frequently change and users are continually spinning up, scaling and closing down resources. What’s more, the cloud is a shared environment, making it unsuitable for resource-intensive scanning methods, which can have a negative impact on other customers.

Unlike traditional IT, you can also quickly provision cloud resources in just a few clicks. So without security procedures in place, such as strict enforcement of infrastructure templates, users can easily provision environments with insecure settings and expose your cloud network to attack. Similarly, with enterprise IT teams jumping on the agility and DevOps bandwagon to push for ever more rapid development, cloud infrastructure becomes even more vulnerable to misconfiguration.

This dynamic aspect of the cloud demands a shift in emphasis away from traditional cybersecurity methods towards protecting individual workloads and configuration management.

Difference Between Traditional and Cloud-Based Security Methods

Focus of traditional security           | Focus of cloud-based security
Intrusion prevention at outer perimeter | Intrusion prevention on individual workloads
Physical network devices on endpoints   | Cloud vendor APIs
Packet sniffing                         | Configuration options

How Cloud Security Tools Can Help

Cloud-based security tools offer a number of important features that are designed to help you maintain governance over complex dynamic infrastructure. These include:

  • Monitoring and reporting: It is important that you oversee and track both the state of your cloud environment and user activity within your cloud, such as when someone adds or amends a user profile, spins up new instances, or makes changes to existing resources.
  • Comprehensive inventory mapping: In a rapidly changing environment, it’s essential you have full visibility into all your resources; knowing what is running at any one time is critical to being able to protect your environment.
  • Activity alerts: Being aware of critical changes to configurations, resources, and security groups is key, for example whenever a user changes user access privileges or the range of IP addresses allowed to access a resource.
  • Traditional security control: Although the cloud is a different kind of IT environment from on-premise infrastructure, security threats are still fundamentally the same. Therefore, cloud-based tools will incorporate traditional security measures like identity management, firewalls, and incident detection and mitigation—in addition to cloud-based tactics.
  • Best practice checks: The leading cloud providers offer a huge variety of configuration options for managing your security. While this offers customers the flexibility to tailor their settings to their exact needs, more options also mean broader scope for security loopholes. Best practice checks help users stay on top of this complexity and maintain compliance by flagging up events and configurations such as user access outside of normal business hours, failed or unauthorized login attempts and API access from unidentified IP addresses.
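
The three best practice checks named in the last item can be expressed as simple rules over an audit trail. The sketch below is an added example, not code from any tool mentioned in this article; the events are constructed samples that borrow CloudTrail field names, and the business hours and known address range are assumed policy values.

```python
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Assumed policy values for this example, not taken from the article.
OPEN, CLOSE = time(8, 0), time(18, 0)            # business hours, UTC, Mon-Fri
KNOWN_NETWORKS = [ip_network("203.0.113.0/24")]  # documentation range
DENIED = {"AccessDenied", "Client.UnauthorizedOperation"}

# Constructed sample events; keys follow CloudTrail record field names,
# except "user", which is flattened here for brevity.
EVENTS = [
    {"eventTime": "2017-06-12T10:15:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.10", "user": "alice"},
    {"eventTime": "2017-06-12T23:40:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.10", "user": "bob",
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2017-06-13T09:05:00Z", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.7", "user": "carol",
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2017-06-13T11:30:00Z", "eventName": "RunInstances",
     "sourceIPAddress": "203.0.113.22", "user": "dave",
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventTime": "2017-06-17T12:00:00Z", "eventName": "DescribeVolumes",
     "sourceIPAddress": "ec2.amazonaws.com", "user": "autoscaling"},
]

def check_event(ev):
    """Return the best-practice findings raised by one event."""
    findings = []
    when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    try:
        addr = ip_address(ev["sourceIPAddress"])
    except ValueError:
        return findings  # service principal, not a user-originated call
    if when.weekday() >= 5 or not OPEN <= when.time() < CLOSE:
        findings.append("outside-business-hours")
    if (ev.get("responseElements") or {}).get("ConsoleLogin") == "Failure":
        findings.append("failed-login")
    if ev.get("errorCode") in DENIED:
        findings.append("unauthorized-call")
    if not any(addr in net for net in KNOWN_NETWORKS):
        findings.append("unknown-source-ip")
    return findings

def audit(events):
    """Map each flagged (user, eventName) to its findings."""
    return {(e["user"], e["eventName"]): f
            for e in events if (f := check_event(e))}
```

Calling `audit(EVENTS)` flags bob's late-night login, carol's failed login from an unlisted address, and dave's denied RunInstances call, while the service-originated event is skipped.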

Additionally, you can’t discuss security in the cloud without mentioning compliance: shifting applications to the cloud inherently adds a new layer of complexity to ensuring compliance. This can create hurdles or even roadblocks for driving innovation in organizations in regulated industries like government, education, and healthcare. Luckily, some tools (like Allgress Regulatory Mapping Tool) help organizations ensure compliance mandates are met. When selecting cloud management tools, it can be useful to consider which solutions offer support for specific industry-mandated compliance standards like NIST, HIPAA, PCI, and more.

Consolidated Cloud Cost Optimization and Security Tools

As your cloud environment grows, the task of optimizing and securing your infrastructure becomes increasingly complex. Third-party cloud cost and security solutions are designed to tackle these challenges by offering robust features and solutions—above and beyond those already built-in by leading cloud providers—to help organizations get the most from their cloud investment.

But here’s where many organizations begin to experience pitfalls: adopting disparate tools and point solutions can actually amplify, rather than simplify, the very problems they were meant to solve. With different interfaces, controls, and data sources across infrastructure, you could easily wind up with a true cloud management nightmare.

Therefore, it makes more sense to combine cost optimization, security, and compliance management into a centralized solution, where everything is available under one roof and you only have one set of tools to worry about.

However, an even more important reason for consolidated tools is the fact that security is also a cost-optimization issue.

Denial-of-service (DoS) and brute force attacks could send your cloud consumption through the roof—by triggering mass auto scaling of services to handle the sudden surge in workload. Similarly, some types of coding exploits, such as SQL injection and cross-site scripting (XSS), may be designed to deliberately ramp up the load on your servers. And, if an attacker gets hold of your access keys, they could potentially launch hundreds of instances—with huge repercussions for your cloud costs.

In other words, a sudden increase in cloud costs could be the first sign of a cyberattack. So, by locking down cloud costs and security in one place, you’re better equipped to deal with many of the common types of security threat.
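
To make the link between a cost spike and a compromised access key concrete, the following added example (not code from the article or from any product it mentions) flags days whose spend jumps above a trailing baseline and pairs each one with the access keys whose instance launches surged that day. The cost figures, launch counts, and key IDs are constructed placeholders, and the window and thresholds are assumed values.

```python
from statistics import median

# Constructed daily spend (USD) and instance-launch counts per access key.
# Key IDs are placeholders, not real credentials.
DAILY_COST = {"06-07": 410.0, "06-08": 395.0, "06-09": 402.0, "06-10": 388.0,
              "06-11": 420.0, "06-12": 405.0, "06-13": 1980.0}
LAUNCHES = {
    "06-12": {"AKIAEXAMPLEBUILD": 6, "AKIAEXAMPLEOPS": 2},
    "06-13": {"AKIAEXAMPLEBUILD": 5, "AKIAEXAMPLEOPS": 240},
}
# Assumed tuning values: baseline window (days), cost multiple, launch multiple.
WINDOW, COST_FACTOR, LAUNCH_FACTOR = 5, 2.0, 10

def cost_spikes(costs, window=WINDOW, factor=COST_FACTOR):
    """Days whose spend exceeds factor x the median of the prior window."""
    days = sorted(costs)
    spikes = []
    for i in range(window, len(days)):
        baseline = median(costs[d] for d in days[i - window:i])
        if costs[days[i]] > factor * baseline:
            spikes.append((days[i], costs[days[i]], baseline))
    return spikes

def triage(costs, launches):
    """Pair each cost spike with access keys whose launch count surged."""
    days = sorted(costs)
    report = []
    for day, cost, baseline in cost_spikes(costs):
        before = launches.get(days[days.index(day) - 1], {})
        suspects = sorted(
            key for key, n in launches.get(day, {}).items()
            # max(..., 1) keeps a key with no prior launches comparable
            if n > LAUNCH_FACTOR * max(before.get(key, 0), 1))
        report.append({"day": day, "cost": cost, "baseline": baseline,
                       "suspect_keys": suspects})
    return report
```

A median baseline is used so that one earlier outlier does not raise the threshold and hide the next spike.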

What to Look For in a Consolidated Solution

The new cloud landscape of self-provisioning and pay-as-you-go computing is breaking down traditional IT silos. As a result, the burden of responsibility for cost management and security is rapidly converging. And this increasingly requires a more consolidated approach to cost optimization and security control.

So what should you look for in a consolidated solution?

First, you should be wary of shortcomings or weaknesses in either discipline; a balanced offering of both cost and security features is key. It should also offer automation options to help you perform the complex array of optimization and configuration processes.

Some of the more sophisticated cloud management solutions should also support a multi-cloud strategy. Accommodating more than just one vendor and providing an overview of all your deployments from a single pane of glass will set your organization up for success now, and as you scale.

Explore the comprehensive CloudCheckr platform to learn how we support cost and expense management, as well as security and compliance.
