Banner Image: team collaborating at whiteboard

5 Secrets to a Good Cloud Governance Discovery Session

As a technical delivery manager, I work with both new and established customers to plan and implement cloud governance that works for the organization today and scales along with cloud presence. I’ve seen firsthand what makes for a smooth onboarding process. I've also seen the snags that arise when customers cut corners or prioritize short-term ease over long-term usability and growth. In my experience, the most successful Cloud Project Management Offices (PMOs) or Centers of Excellence are built around specific processes and procedures that are implemented at infancy and continue to evolve and be successful throughout the cloud journey. Read on to learn how to make your governance discovery sessions the most effective they can be!

Get participation from the right people

Before you begin an effective discovery session, ensure you have a thorough understanding of the organization. To gain enough information to build out cloud infrastructure, you’ll need to discuss priorities with the people responsible for managing finances, the team in charge of security, and executive leadership.

Executive leadership teams can be particularly hard to pin down, but the big-picture insight they provide is worth the trouble. Perspectives from executives are critical to determining:

  • How to model the organizational hierarchy of your cloud accounts
  • How the Cloud PMO budgeting model is set
  • What goals the various teams must achieve in their cloud use

After collecting information from all stakeholders, you can hold additional sessions for focused topics and bring parties with conflicting priorities together for consensus.

Determine your "non-negotiables"

After gaining a big-picture understanding of the organization from the perspective of the executive team, consult the security team to determine the organization’s mandatory boundaries.

Starting with these baseline boundaries (what we call ‘cloud rules’ in cloudtamer.io) and security policies that must exist in the infrastructure will make your job easier in the long run. Whether you must restrict instance types, specific services or, most commonly, specific regions from being used in the organization, it’s best to begin with the non-negotiables before tackling the capability “wish list”.

Gain an understanding of how money flows through the organization

The finance team may not be very interested in how the cloud infrastructure is built, but they'll want input into how spend is reflected in a governance solution since they will likely be using the solution very often to gain visibility and set boundaries. The finance team’s insight will provide clarity on what capabilities they need to effectively manage the company’s money, and those capabilities will guide the framing of the cloud infrastructure.

During your governance discovery session, you’ll want to get insight on the following to build a functional cloud presence:

  • Who controls the budget at what level of the organization
  • What cost enforcements to apply throughout the structure
  • Where delegated approval of financial overruns and cost allocations can take place

Don’t forget compliance regimes

Beyond internal security requirements, don’t forget to address the compliance regimes that must be adhered to. Thinking through the levels or points in the organization that are bound to specific regulatory requirements like HIPAA, FedRAMP, PCI, or others will help you determine where to focus the team's efforts on the hardening of the environment out of the gate. With this, it's important to also understand what the exception process looks like in the organization.

Cloud service providers (CSPs) provide guidance on services in scope under specific regulations and guidelines, but it is up to the organization itself to determine how this guidance fits with their own specific needs and requirements. For example, an internal security approval process may allow a new service to be used before the CSP "certifies" its credibility under a specific regime. What does that process look like for this organization?

Understand the roles that will play into your cloud governance model

Understanding roles is key for several reasons. Most importantly, roles help ensure your ability to scale the governance model across the organization as it grows. By defining roles within the organization and how they relate to permissions in your cloud accounts, you can ensure that the model will scale effectively and that with each new project, the team doesn't have to "reinvent the wheel".

With each new project, a checklist of roles should be applied to understand who needs access to what and how to grant that access quickly and effectively in a well-documented manner.

Your ultimate goal: integration and automation

Integration and automation form the pinnacle of cloud governance at scale. Your cloud governance solution should provide a high level of integration and automation (like cloudtamer.io does!) and serve as the entry point to your new cloud environment from account inception. Working from inception, understanding the baseline of what each and every account in your organization needs in order to follow your “non-negotiables” is critical to cloud governance success.

Want to ensure traffic is routed through a specific internet gateway? Use a CloudFormation template (CFT) and a CI/CD Pipeline (like Jenkins) to remove the default VPC and deploy your company's baseline networking infrastructure in every account. You could do this either natively through CFT or by calling a webhook to a CI/CD pipeline, for example. Want to ensure that every host has a security group configured so that your Tenable environment can scan the resources? Integrate and automate.

Throughout the governance discovery phase, thinking through the integration points and automation features will ensure the team knows how to take the governance model and tools to the next level.


Randy Shore is a technical delivery manager at cloudtamer.io.