Tech Sessions Podcast - Ep. 1: Cloud Governance Masterclass

Cloud Tech Sessions Podcast - Ep. 1: Cloud Governance Masterclass


In the first episode of the Tech Sessions Podcast, e360 VP of Cloud Services Kevin Kohn and Senior Director of Cloud Architecture Jeff Dickman discuss the critical role of cloud governance in modern IT environments.

They explore how effective governance strategies can significantly influence cost management, security compliance, and operational efficiency. The discussion highlights the importance of balancing strict governance with the need for innovation and agility, addressing common pitfalls, and the transformative impact of automation and AI in governance frameworks.

This episode is essential for IT leaders aiming to enhance their organizational cloud governance with a focus on achieving business objectives while managing risk.

Listen to the Episode:

Watch the Episode:

Key Topics Covered & Takeaways:

  1. Importance of Governance in Cloud Journeys

    • Key Takeaway: Governance is foundational to successful cloud adoption, particularly in managing costs and ensuring security compliance.
  2. Customer Experiences with Cloud Governance

    • Key Takeaway: There are diverse approaches to governance among companies, with some having robust data center-focused governance that doesn't fully translate to the cloud's dynamic environment.
  3. Governance for Cost Management and Savings

    • Key Takeaway: Effective cloud governance can help organizations manage and reduce their cloud expenditures significantly, often addressing a commonly faced issue of unexpected costs.
  4. Balancing Governance with Innovation and Agility

    • Key Takeaway: Organizations must strike a balance between strict governance to mitigate risks and maintaining agility to foster innovation.
  5. Implementing Effective Governance Strategies

    • Key Takeaway: Successful governance requires collaboration across IT security, business leaders, and development teams to create flexible, yet secure, operational frameworks.
  6. The Agile Approach to Governance and Its Benefits

    • Key Takeaway: Adopting an agile approach to governance allows organizations to adapt quickly to changes and align closely with business objectives.
  7. Leveraging Automation for Efficient Governance

    • Key Takeaway: Automation plays a crucial role in scaling governance efforts efficiently, reducing the reliance on manual processes which can become bottlenecks.
  8. Addressing Common Pitfalls in Cloud Governance

    • Key Takeaway: A common pitfall is the lack of centralized visibility and control, leading to inconsistent security and compliance standards across cloud services.
  9. The Role of AI and Automation in Enhancing Cloud Governance

    • Key Takeaway: AI and automation enhance cloud governance by enabling more efficient resource management, policy enforcement, and anomaly detection, contributing significantly to operational efficiency.


Read the Transcript:

Ep. 1 Cloud Technology Sessions podcast - Governance Masterclass

[00:00:00] Welcome and Introductions

[00:00:00] Welcome to the Cloud Technology Sessions podcast. My name is Kevin Kohn, Vice President of Cloud Services here at e360. And with me today, I have our Senior Director of Architecture, Jeff Dickman. Hi, Kevin. It's nice to be here

[00:00:51] The Importance of Governance in Cloud Journeys

[00:00:51] Kevin Kohn: And Jeff, we've talked a lot about Governance in the past , it's usually one of the first things we begin discussing with customers when they're doing cloud journeys , even when you're not going specifically to the cloud, we talk about the importance of governance. What's, just at a high level, what's your experience with cloud or just governance in general when you're talking to customers?

[00:01:17] Kevin Kohn: What's, can you give us your sense and your 30, 000 foot view?

[00:01:22] Exploring Customer Experiences with Cloud Governance

[00:01:22] Jeff Dickman: Yeah, so there's really two groups of customers and there's probably some in the middle too, but you have on one side you've got a lot of customers that they move to the cloud. Cloud was an organic extension of things that they were doing maybe for capacity or because it was cool and governance wasn't really applied.

[00:01:41] Jeff Dickman: And so they, they're now active in the cloud. Maybe they're doing a full migration up there, getting out of their data centers, whatever. And they're realizing that they don't have the processes and the capabilities that they need to, to really implement cloud, take advantage of the features, maintain a secure environment and understand where their costs are being spent within that.

[00:01:57] Jeff Dickman: So those are a lot of customers that we talk to. The other [00:02:00] group that I talk often with is customers that have moved to cloud and they're there and they say, Whoa, my bill is a million dollars more than I expected. And when you talk with them, often they have good governance, but it's all data center focused.

[00:02:12] Jeff Dickman: And so the governance doesn't really address the fact that in the cloud, a server or a resource can be provisioned on the fly. You may not know, you know, so then it suddenly shows up in the bill a month later, or a lot of resources show up in the bill and over time that snowballs to a lot of expenses that , the company is seeing that they wouldn't have generally expected to see.

[00:02:31] Jeff Dickman: So those are really the two main categories that I see. One that we do talk with quite a bit are customers that they're in cloud and they have fairly solid governance, but they're, they're looking to evolve it. It's not perfect from their standpoint, but they've got a lot of the great processes.

[00:02:45] Jeff Dickman: Like they've got a Cloud Center of Excellence or a cloud business office in place. They have project management, or portfolio management operating very well in their environment. And they have architecture review board taking place with change control and things like that. And so they're looking to evolve that and maybe do more automation within that and handle those pieces.

[00:03:01] Jeff Dickman: And so, I would say that's probably the three main use cases that, that I talked to as far as governance and, you know, what customers are doing with it.

[00:03:08] Kevin Kohn: Fascinating. You know, let's start with the first one. I'll pick on that a little bit more.

[00:03:12] Diving into FinOps and Cost Savings

[00:03:12] Kevin Kohn: And you're talking about governance as it relates to cost savings, right?

[00:03:17] Kevin Kohn: Research has shown, and this is a commonly accepted number in the industry, that 32 percent of your spend Is actually wasted and that waste comes from things like misaligned workloads or misallocated systems or machines or things running when they shouldn't. There's just a host of or maybe an improperly negotiated contract, etc.

[00:03:43] Kevin Kohn: So that falls into the general category that we term in the industry terms as FinOps and I know we're going to get a little bit deeper into that further down this this podcast today, but when we talk about [00:04:00] aligning our policies and cloud governance with business objectives. In order to make that efficient, effective, as well as productive for the company, how do you implement governance in your environment?

[00:04:17] Kevin Kohn: And you take into account the things that you described. How do I make sure I'm saving money and how do I make sure I'm, I'm effective in what I'm doing and I'm not implementing all this weight on the organization through these mandatory policies, et cetera. So how do you do that without stifling innovation?

[00:04:35] Balancing Governance with Innovation

[00:04:35] Kevin Kohn: I mean, I think back to the origination of cloud and cloud pretty much got to start with this concept of Shadow IT and Shadow IT is the, the idea that, well, our IT, departments weren't as flexible and agile to meet our needs in a timely way. So, here's this cloud company that provides me access to a server that I could put my workload on and all I have to do is swipe a credit card and I can get started right away as opposed to wait weeks or maybe even months to get that same service from my IT. So, so we look at that and we think, okay, these have now started to merge and, and we all agree that we need to put governance and bumpers around this. But how do you still maintain that flexibility, that agility while implementing appropriate governance that may, that is beneficial to the company and everybody agrees, lends to a more secure environment?

[00:05:31] Jeff Dickman: Yeah, that's a great question. And it's actually , it's a complex question, but the answers are, are fairly straightforward. Really what you're looking at is you're looking at a balance between too much security and too much compliance, which will cause sort of, you know, a stifling of the innovation within the environment.

[00:05:47] Jeff Dickman: So you're talking about rigid policies , that, that hinder agility within there. But when you hit the risk side of that , a lack of governance can increase your risks within the environment, also from a security and a compliance standpoint, as well as, you know, potentially operational [00:06:00] outages and things like that affecting it.

[00:06:01] Jeff Dickman: And so, as you're looking at implementing governance within the environment, one of the main things that you have to do is you have to collaborate. IT security, the business leaders, development teams, they all need to collaborate on what governance should look like within the organization and should be able to have that open discussion about, hey, this policy is too rigid and it's actually preventing us from getting our job done and have that heard in a lot of organizations.

[00:06:25] Jeff Dickman: When teams start saying, I can't do my job, it's, well, you need to figure out how to work around that then instead of let's fix the process. And so you want to make sure that you're collaborating to fix the processes there.

[00:06:34] Kevin Kohn: How many times have we heard that right in, in organizations where we're like, Hey, just need to get this thing out or get this thing deployed.

[00:06:40] Kevin Kohn: And you're like, no, then you have to comply. So yeah, I think we've all kind of been there, right. At some point.

[00:06:47] Jeff Dickman: Yeah. And it's really, it's about, you know, all the teams within IT, working with the business to change it from a culture of no to a culture of let's figure it out. And, that sort of pushes the innovation, but as part of that, inviting all the stakeholders to the table, right?

[00:07:00] Jeff Dickman: Even your customers, bring them to the table and ask them what's working, what's not working, where, where are the processes that we're building into our solutions actually impacting you negatively as well. And let's figure out how we fix that too, because some of that may drive improvements within your, your organization.

[00:07:14] Jeff Dickman: Your governance processes, you know, on the backend or your infrastructure, your security, things like that.

[00:07:19] Kevin Kohn: I want to focus on something you said a moment ago, too, when you said focusing on outcomes, right, you know, you get into conflict resolution and, we see that and I bring conflict resolution up because you just referred to all these silos and, competing interests within the company.

[00:07:34] Kevin Kohn: And sometimes that, that produces some kind of friction , between the organizations and then. Things get held up because of those silos. And one of the things that you discuss in conflict resolution books, et cetera, is let's get away from what I'm interested in, or what my personal things are, and let's think about outcomes, or what is best for the business, what is best for the organization.

[00:07:59] Kevin Kohn: [00:08:00] And I love that about what you said about focusing on outcomes. Can you, can you elaborate a little bit more on that, and how that might impact your cooperation that you might elicit from that? from the various silos involved in this decision making in the collaboration environment.

[00:08:13] Jeff Dickman: Yeah, absolutely. So I'm, I'm a big fan of focusing on outcome , because you, you really have two points where you sort of make decisions, you, you make decisions at the beginning, which would be rules, right?

[00:08:22] Jeff Dickman: These are the boundaries that we're putting in place, which can impede your outcome. But if you start with the outcome and you work backwards from the outcome, then you know what you want to achieve. Now, how do we make that happen and still maintain our compliance and our governance within the environment?

[00:08:35] Jeff Dickman: So at that point, what you're really looking at is framing your policies around business objectives. And so, you know, what's important to the business? Is it time to market? Is it cost optimization? Is it risk mitigation? What are the objectives that the business is defining? And then you tailor your risk profile around those for your cloud workload.

[00:08:51] Jeff Dickman: So, you might have some applications on the left that are highly critical applications, and you might have a stricter set of controls around those, and you may have less critical applications on the other side that you say, you know what, we don't need to put as tight of controls around these because they're less critical.

[00:09:06] Jeff Dickman: And so we're not going to restrict them from experimentation or innovation on that side of it. And then the most important piece of that is , measure. Measure and communicate the impact. So if you change a policy or you change a rule around how you're going to do something, what's the impact of that rule?

[00:09:21] Jeff Dickman: Are you actually going back and evaluating it to say, was this effective? Did it meet our expectations and did it, you know, improve the situation or did it make the situation worse? So taking more of an agile approach to how you're going to, to look at things and say, we're going to adjust regularly instead of setting a rule and then we'll review it next year.

[00:09:40] Jeff Dickman: Essentially.

[00:09:41] Kevin Kohn: Beautiful.

[00:09:42] The Agile Approach to Governance

[00:09:42] Kevin Kohn: So focusing on that agile approach. That's that's beautiful. And what are some of the challenges that you've seen that you've overcome by focusing on that agile approach.

[00:09:55] Jeff Dickman: So when you take an agile approach to things, you can head off issues fairly quickly. Again, you're looking at the [00:10:00] outcome.

[00:10:00] Jeff Dickman: And as you are taking that agile approach, you're sort of checking yourself regularly. Am I heading towards my outcome? Or am I drifting off the course that that we set for what we wanted to accomplish? And so as, as you're doing that, what you end up doing is getting to the end and to where you want to be better and faster than you would have had you said, okay, we're going to start with the rules and we've got this vague idea of where we want to go.

[00:10:22] Jeff Dickman: And then you end up being, you know, 180 degrees from where you intended to be at the end of it. And you have a product that doesn't meet your, your customer's requirements. And it maybe doesn't even meet your internal requirements as far as what you needed to accomplish.

[00:10:34] Kevin Kohn: I love that. And that goes along with the more commonly assumed agile methodology that we employ when we're performing, you know, service engagements for our customers, as opposed to waterfall.

[00:10:45] Kevin Kohn: The agility that comes from, Hey, let's look and take this big project, break it down into like two week chunks and go through that, that iterative process and make sure that we identify what we've achieved after two weeks and then move forward. That all plays into this governance as well.

[00:11:01] Kevin Kohn: And the benefits from it. So I, I appreciate you bringing that up.

[00:11:05] Leveraging Automation in Governance

[00:11:05] Kevin Kohn: How does automation and leveraging automation in governance help this scenario and, how does it make you more efficient?

[00:11:14] Jeff Dickman: So yeah, it's automation is absolutely critical for implementing governance because when you really look at things and it's a well known rule.

[00:11:22] Jeff Dickman: People don't scale. And so as your organization grows, as you're more successful with cloud, what you're going to find is that you don't want to have to keep adding headcount to, to manage your governance. And so if all your code reviews are manual, if all your infrastructure reviews are manual , you're going to hit a point where your people can't handle that anymore.

[00:11:38] Jeff Dickman: And so you then have to add more people and then your costs go up and nobody's happy. When that happens. And so implementing automation allows you to take the burden off your people so that they can focus on higher order tasks. And so you can you can do things like automated compliance. So , implementing specific tools around code quality or code security and then once the code is deployed, checking it. Right. You know, [00:12:00] it was secure. It was presumed secure when you wrote it and you scanned it, but then you deploy it. What happened when you deployed it. So you want to be doing compliance monitoring against your environment. And then when you get really good at that, you can start looking at remediation and picking tasks that are low risk and remediating those, those issues that come up with automation versus having somebody manually go in and then your team is then freed up.

[00:12:21] Jeff Dickman: And it's going to ensure adherence because then what you do is you look at a dashboard and you say, okay, how's my environment looking? Everything's looking really good. We've got this tool doing compliance monitoring 24 seven continuously, and our code is going in and we have less errors coming in through that.

[00:12:35] Jeff Dickman: And so you get a lot of benefits from that. And then when you start layering an infrastructure as code, standardizing on your templates and your automation that you're using. And so, you know, looking at AWS or Azure or Google , how are you provisioning a server? Is every developer writing the automation to provision that server themselves, or are you building a library or a service catalog that you would use to, to provision that?

[00:12:54] Jeff Dickman: So they just go there, they pick the template they need, and then they deploy it. And it's already a security vetted template, which can speed up your deployment process because then, they're not having to go back and say, Oh, you need to fix this. Oh, you need to fix that, because security has already vetted that template.

[00:13:07] Jeff Dickman: And so when they look at it, they're expecting to see what they see and they're not going to be surprised by it.

[00:13:12] Kevin Kohn: I love that you brought that up as far as service catalog, because that gives us a. We can go through the templates, have security bless them, have the company endorse them, say, all of this is compliant with our, with our requirements that we've set forward.

[00:13:28] Kevin Kohn: You then take that T-shirt size, whatever template that you're going to apply, you put it up so that people can open it. Then they consume it. And then you break down all the barriers of adoption. So that, that adoption now doesn't need to go through these approvals. It's already been through it. So when you're allocating resources in your environment, you should be able to, leverage that service catalog effectively and efficiently.

[00:13:50] Kevin Kohn: And I love how you brought that up.

[00:13:52] Jeff Dickman: Absolutely. Yeah. A service catalog is critical , within governing your environment. You want to make sure that you're either providing code snippets or, [00:14:00] or infrastructure snippets, depending on what your platform is, what you use, Terraform, Arm, CloudFormation. But you want to have those snippets that developers can take advantage of that are already pre-vetted.

[00:14:09] Jeff Dickman: As you get more advanced though, what you may look at is having pre deployment service catalog. And so, you work that into your pipeline with like ServiceNow or something like that. And so you, you say, I want a server. And then you just pick your server configuration and then it goes through an approval workflow and then at the end of that, your server is provisioned with best practice configurations.

[00:14:28] Jeff Dickman: It's already been code scanned and it's handed to you with zero human touch happening through that process. Just people looking at the dashboards and the outputs and saying, okay, this looks right and we're good with it.

[00:14:38] Jeff Dickman: Nice. Well , that's , the next step that we find is the service catalog is really effective.

[00:14:45] Jeff Dickman: And, solves a lot of problems that I think that we encounter in those environments.

[00:14:50] Kevin Kohn: The next question I just kind of wanted to breach on a little bit.

[00:14:54] Addressing Common Pitfalls in Cloud Governance

[00:14:54] Kevin Kohn: Can you share any examples of, you know, common pitfalls that, you know, customers might find themselves in when you talk about governance and how do you avoid those pitfalls?

[00:15:05] Jeff Dickman: Yeah, so, the biggest pitfall is is a lack of centralized visibility and control So In a lot of organizations, the teams are teams that are adopting cloud services are operating independently, and so you may have two teams. You know, one is one is going to Azure. The other is going to AWS , and they're they're not really communicating with each other.

[00:15:26] Jeff Dickman: And so there's no visibility as far as what they're doing. They're getting into the cloud. And, In many cases , security and compliance is coming in after the fact they're being brought in late to the game. And, and so they're then having to play catch up with the teams as far as what's happening there.

[00:15:40] Jeff Dickman: But then at the same time, because you have these workloads being put out there the way that they are. There's inconsistent configurations , the costs end up sprawling because maybe you don't have the right enterprise agreement or contracts with the cloud provider , and then developers are very focused on developing.

[00:15:55] Jeff Dickman: Like I said earlier, security comes in sort of at the tail end if they're brought in and security [00:16:00] vulnerabilities may already be in existence that are going to be harder to engineer out as a result of that. So there's a few things, Kevin, that you can do to sort of get control of that and get the visibility that you need.

[00:16:09] Jeff Dickman: The first is to set up a Cloud Center of Excellence or a Cloud Business Office. What this is, is it's a cross functional team. It's, it's it and the business, they come together. So, um, To do this, and they sort of provide that guidance, they take the standards that already exist, they extend them for cloud, and then they set those as cloud standards, and they define what the usage patterns are going to be for the entire organization.

[00:16:31] Jeff Dickman: Are we going to go AWS? Are we going to go Google? Are we going to go Azure? Are we going to do many clouds all at once? And so they they sort of put all of that together for the organization and say, this is how we cloud.

[00:16:42] Kevin Kohn: How is that received? If I might just double tap on that a little bit. How is that received when you introduce the concept of a Cloud Center of Excellence?

[00:16:51] Kevin Kohn: What's what's that reception? Is it warm? Is it cold? You have to do a lot of convincing. Do people see the value in that? How's your experience when you bring that up?

[00:17:00] Jeff Dickman: It's mixed, actually. In organizations that already have some processes and, you know, often they're operating under like ITIL or, or something like that, a Cloud Center of Excellence is a natural evolution.

[00:17:10] Jeff Dickman: And, and they, you know, you have the organizations that feel very comfortable with that. And they, they like the process. They like the fact that there's now some boundaries or guardrails in place that they're, they're able to work with them to get things done. Other organizations are maybe a little bit more wild west.

[00:17:24] Jeff Dickman: So when you start putting these controls in place, what you end up seeing is initially there's some resistance to them because they, they understand that governance means rules and, and that's sort of the perspective instead of governance means collaboration to get to the outcome. And so initially you have some resistance to those, but as you set up your Cloud Center of Excellence or your cloud business office, what you're really looking to do is to create those collaboration models.

[00:17:47] Jeff Dickman: With the organization, you have to win over the teams and say, you know, we're here to collaborate with you. We're not here to be the culture of, no, we're here to be the culture of let's get it done. And so, you know, when you start getting that, then they start to come on board. And in every case, [00:18:00] you know, with, with the right adjustments to address a culture specific issue, every organization that we've, we've ever worked with has, has implemented some level of governance successfully.

[00:18:09] Kevin Kohn: That's awesome. So it's, uh, dare I say it's almost a maturing of the organization, right?

[00:18:16] Jeff Dickman: It is. Yeah.

[00:18:17] Kevin Kohn: Yeah. So a lot of people come from this culture of, well, I know what I need to do to get it done and I'll do that. But then when you start thinking holistically about the entire organization, you realize that what you do impacts these other groups.

[00:18:31] Kevin Kohn: And now we have to think collaboratively. And that's, that's a maturing. Right. And so having that Cloud Center of Excellence allows you to have that more defined maturity and that defined mature stance that takes you to the next level as an organization. Awesome. So you did talk about centralized catalogs and templates, you know, service catalogs in the previous question, tagging and reporting.

[00:18:57] Kevin Kohn: Why are those things met? Why did those matter? When you're talking about governance?

[00:19:01] The Role of Tagging in Effective Governance

[00:19:01] Jeff Dickman: Tagging is one of my favorite topics. Knowing what you have in the environment is critical. You can spin up a server, you can put a great name on it but the name doesn't really represent the metadata that, that really involves what is that server and who, who does it belong to?

[00:19:14] Jeff Dickman: How do you support it? What do you, what do you do with it? What security controls are, need to be implemented for it. You know, all of that stuff really can be vetted out through tagging. And so you put tags on there, you know, sort of in, in categories of you have technical tags, which the operations team may care about.

[00:19:29] Jeff Dickman: You have security tags, which the security team is going to care about. You have business tags, which is, you know, more about like the financial aspect of this, who do I charge this resource to? And so when you put all of those together, along with some administrative tags, you're able to generate some reports that are As far as how your environment's being used and how things are put together.

[00:19:48] Jeff Dickman: And then beyond that, you can extend that into chargeback or show back. So what telling, telling the business, this particular application is costing this much to run in the environment and being able to target that entire application potentially [00:20:00] for optimization.

[00:20:00] Kevin Kohn: Now, dare I say back to what we talked about earlier from a FinOps perspective, tagging is probably the first line of

[00:20:10] Kevin Kohn: items that you need to tackle in order to get to an appropriate FinOps stance. It's one of those fundamental components that allows you to define the categories, define the utilization parameters that are being deployed in your organization, making sure that these resources that you're consuming are properly allocated to the right, which departments, et cetera.

[00:20:32] Kevin Kohn: So you can start monitoring that information. You want to elaborate any on that or.

[00:20:37] Jeff Dickman: Yeah. So tagging is really critical because when you get your bill from a cloud provider, it's going to be a 50, 000 foot view. It's really, this is how much you spent on compute, this is how much you spent on storage and all the other services that they offer.

[00:20:49] Jeff Dickman: Here's how much you spent, but you can't really slice and dice that into, you know, even really how much of that was my development environment versus how much of that was production?

[00:20:58] Kevin Kohn: And just for our listeners, I mean, when you see this bill that comes in, it's not three lines. It's not five lines. It's not 10 lines.

[00:21:08] Kevin Kohn: Describe this bill.

[00:21:10] Jeff Dickman: So the bill will be, you know, there, there's two bills typically with the cloud. There's, there's the, the PDF version, which is sort of a summary of what you've used and it'll typically have region and then the, the service or resource that you consumed and, and what the charge was for that.

[00:21:24] Jeff Dickman: And it may be hours. It may just be a blanket cost that goes against that resource, but you'll see that. And so depending on what your deployment looks like, you could have, you know, A lot of pages to be looking at to try and figure out exactly what's going on there. But then that doesn't let you drill down, right?

[00:21:37] Jeff Dickman: And so then there's the more detailed report, which is usually an Excel spreadsheet that will be... I've seen them as high as several million lines of resources that have been used. And how do you, how do you address that? Like, how do you look at that? Do you, do you, Do you have names that you then have to concatenate or something like that to, to figure out exactly where that resource came from.

[00:21:54] Jeff Dickman: But that's, that's where tagging becomes really important because you can bring those tags into your bill [00:22:00] and then you're able to use other dimensions to sort of categorize and figure out where, where is your money going and where are your opportunities for improvement from a spending standpoint. Okay.

[00:22:08] Jeff Dickman: Great.

[00:22:11] Exploring FinOps Tools and Cloud Budgeting

[00:22:11] Jeff Dickman: I would add, though, Kevin, that within that, one of the things that you really want to look at as a tool in all cases, the clouds have some really great budgeting and reporting tools built into them. But there are a lot of FinOps tools out there that allow you to get a different angle and a different perspective on that.

[00:22:27] Jeff Dickman: And then also directly take from that tool into your own functional dashboards or, you know, presentations that you may have to give to upper management and present out the information that they need to see to make their informed decisions on what to do with the environment.

[00:22:40] Kevin Kohn: Perfect. Thank you.

[00:22:41] Understanding Cloud Billing and Operational Consumption

[00:22:41] Kevin Kohn: And one of the things I would just add to your comment about the size of the bill, it's not that you're necessarily consuming or these are large organizations per se, but now you're operationally consuming resources that you would normally have just allocated to a capital expense in a previous world.

[00:22:57] Kevin Kohn: And so you're turning these services on and off. And every time you do that, it instantiates a line on the bill, right? So you can be using the same service over and over and over again. And those are just additional lines on the bill. And that's why these things can grow so long.

[00:23:11] Jeff Dickman: So absolutely. Yeah.

[00:23:14] Kevin Kohn: Perfect.

[00:23:14] The Role of Automation and AI in Cloud Governance

[00:23:14] Kevin Kohn: You know, just to kind of finish up, I think with our last question that we wanted to roll into is, could you discuss the role of automation and AI in enhancing your cloud governance frameworks and operational efficiency?

[00:23:28] Jeff Dickman: Yeah, those are two really big questions and we're getting those a lot with our customers right now.

[00:23:34] Jeff Dickman: The first is automation, which has been, been around for a while, as far as how you do governance with it and automation within all the big clouds allows you to do policy enforcement. And so you can then automate the policy enforcement. So should that instance be up or should it be down?

[00:23:48] Jeff Dickman: Should that object storage be available? Does it have public access name on it? Oh, no, it does. Let's remove that. You can handle all of that with policy enforcement.

[00:23:57] Jeff Dickman: The second piece of that is resource management and [00:24:00] optimization. So, within this, you really have kind of two pieces of automation that you're able to do there.

[00:24:04] Jeff Dickman: You're able to do automation to intelligently right size cloud resources based on real time usage. And so, this allows you to avoid over provisioning. But then you can also do scheduling. So within that, you can say my development environment isn't needed from, let's say, 6 pm monday through, you know, 6 am tuesday morning. And so you've got a 12 hour window where nobody's touching your development environment, but those servers have always been up, or those resources have been provisioned. Let's tear them down, or let's stop the EC2 instances to reduce costs. And so you can start to schedule things within that and save yourself some money.

[00:24:37] Jeff Dickman: This is the low hanging fruit that FinOps can really address with automation. And then, there is one more as far as, you know, we've talked about this already, but the service catalog, which is really important is automating infrastructure deployment based on pre approved templates. And so making sure that you've got these templates that are already configured appropriately for your environment that then your developers can deploy and you don't have any, you know, potential mistakes of switches flipped or configurations applied that are going to run up your bill.

[00:25:03] Jeff Dickman: Like potentially they added GPU to a server by, by mistake. That could be a very costly mistake to have. And so having a template that already provisions the server without a GPU will you know, be a guardrail against spending that money if you didn't want to.

[00:25:18] Kevin Kohn: Perfect. Now the automation piece, I think is very clear.

[00:25:24] Leveraging AI for Anomaly Detection and Predictive Analytics

[00:25:24] Kevin Kohn: One of the buzzwords in the industry right now is AI.

[00:25:27] Jeff Dickman: Yeah.

[00:25:27] Kevin Kohn: Right, and we get into that. So how do you apply AI and leverage it to help you in this area?

[00:25:33] Jeff Dickman: Yeah, so a lot of vendors are really starting to implement AI into their products now. And so, what you're seeing is you're seeing anomaly detection and predictive analytics around the environment.

[00:25:43] Jeff Dickman: So these tools are analyzing, you know, not just your invoice, but maybe it's your log data. Yeah. And and other pieces of your environment and bringing together different tools that you may have as far as your operational management, your security management tooling, bringing all of that together and allowing you to analyze that data and make [00:26:00] correlations and recommendations based on that.

[00:26:02] Jeff Dickman: And so you'll see things like, hey, you've got these potential security threats or compliance issues, or you have inefficient usage that can all be linked in together and help you plan and prioritize remediation for those things. Excellent. Cost optimization is a big one for AI. All three clouds have this, where they're, they're looking at your environment now and, they're applying some machine learning or AI to the, to the invoicing and how your environment's configured to, to ensure that your spending is appropriate.

[00:26:28] Jeff Dickman: They have anomaly detection built into that, which is all AI powered , and so they're all, they're all looking at that and saying, here are your anomalies, here's your potential savings, and here's other things that you could be doing for right sizing and getting your environment cleaned up.

[00:26:40] Kevin Kohn: So when you're talking about millions of lines of billing statements, et cetera, in your billing statement, you're, you're, it, this goes beyond a human's ability to kind of come in and effectively and efficiently identify issues or anomalies.

[00:26:53] Kevin Kohn: I mean, you might have a scenario where somebody, has breached you and they've allocated a machine, that machine has got, A card on it that allows you to do Bitcoin mining or whatnot. And then it runs up this huge tab. There's all these types of things that can happen. How do you uncover that without these more advanced technologies like AI threat detection and, and, and optimization, the things that will come in and flag anomalies, et cetera.

[00:27:19] Kevin Kohn: So this is where AI, I think really, becomes beneficial and helps us scale better with our environment.

[00:27:26] Jeff Dickman: Yeah, depending on the level of governance that a, an environment already has in place, they may not detect it until, you know, days, maybe even weeks later when, when they get the invoice and they realize that they're, you know, way over what they expected to see, and then you have to go have those hard conversations with the cloud provider.

[00:27:43] Jeff Dickman: And see, you know, what can we do? How can we work this out? Because it could end up being like a business ending event if you don't get it addressed.

[00:27:51] Implementing Governance and Avoiding Costly Mistakes

[00:27:51] Jeff Dickman: And so making sure that you're you're, you know, first of all, implementing governance in your environment, because that's the first step, right? But then also getting tools in place [00:28:00] and getting capabilities built in your environment, whether it's cloud native, or it's bringing in a third party tool, or, you know, something to to be real time monitoring your environment and, you know, and tracking what's happening.

[00:28:11] Jeff Dickman: And if you have new services being enabled or turned on, getting alerts that those new services have been turned on, and then also putting in policies to prevent services and, you know, different regions, we don't use X, Y, Z region. So let's disable that region and make sure that services can't get spun up there because nobody's tracking it.

[00:28:27] Jeff Dickman: Right. We don't expect workload over there. So we're not going to see it if somebody does jump in and spin that up. And so that's really the first line of defense, but then getting to the point where you're leveraging AI, whether it's, you know, the, the tooling that's available within the vendors and implementing, you know, the anomaly detection and, and other pieces, or you're actually implementing your own versions of AI, where you're using natural language processing to interpret your regulatory standards.

[00:28:52] Jeff Dickman: into, into a different configuration, is something that you, may be looking at implementing. Overall, this can simplify your ongoing compliance reporting within the environment and so as you mature through governance, you want to definitely be looking at AI and how you can leverage it within that environment.

[00:29:07] Kevin Kohn: That's amazing. I mean, it's a cautionary tale. We've seen it before where, That very event happened in, in a customer's environment. They had an actor breach them, through social networking constructs, and got an account and, and was able to allocate resources. You know, we all think that the cloud companies will come in and save the day and say, Oh yeah, we see you got breached, we'll refund you that money.

[00:29:33] Kevin Kohn: But the reality is. They have to protect their interests too, and if you aren't set up in such a way that you are just taking the mere basic precautions to such events happening, they're probably going to turn you away when you come with your appeal and say, please help me defray the cost of this incredibly large, you know, cost, event that I had because of this breach, and they're going to say, you didn't have two factor authentication in.

[00:29:59] Kevin Kohn: [00:30:00] Well, we can't help you or you didn't and they'll go through that and AI will help us. Well-architected reviews will help us, all these things where we do assessments on the environment to make sure you're compliant with best practices, help us and all kind of rolls back into an appropriate governance model and would have been caught if you applied governance properly.

[00:30:19] Kevin Kohn: Would you agree?

[00:30:20] Jeff Dickman: Exactly. Yeah, I do completely agree. And, in any Cloud Center of Excellence that we implement, the first thing that we talk to the customer about is let's focus on best practices. What does each cloud provider say? Are the best practices and let's make sure that we're establishing those as a baseline and then layering on top any additional compliance or regulatory requirements that they have for their environment.

[00:30:41] Jeff Dickman: That way we're tracking the basics. And so if something does happen, at least we can tick the box that, you know, we were doing everything that The vendor said we should be doing. And so if something bad happened, it was the unexpected instead of things that are already know,

[00:30:54] Kevin Kohn: perfect. Thank you.

[00:30:56] Rapid Fire Questions: Metrics for Cloud Governance Success

[00:30:56] Kevin Kohn: Well, in the last few minutes here, just a couple of rapid fire questions.

[00:30:59] Kevin Kohn: I'm going to throw your way. Um, what are the key metrics or indicators you recommend monitoring to ensure cloud governance is achieving its goals?

[00:31:08] Jeff Dickman: So there's a variety here, and you can really dive down into the details on these as far as what they are. But, the main metrics that I would be looking for to make sure that governance is working is checking security and compliance.

[00:31:19] Jeff Dickman: How are you doing for security incidents or compliance violations? Things like that. Cost management is important and this varies from organization to organization. What you do, you need to make sure that these KPIs are relevant to your organization. But what's your cloud spend versus your budget?

[00:31:32] Jeff Dickman: What's your cost per service? How is charge back being reflected and what's your tagging coverage with within your environment? The next would be operational efficiency. I think that that one's really critical because one of the less tangible costs of cloud is is how's your operations team doing?

[00:31:48] Jeff Dickman: What's your deployment time? What's your incident resolution time? How many manual processes do you have and is that number going down over time? Then I would look at innovation enablement. And so you know, what's your innovation [00:32:00] velocity? How quickly are you able to take an idea of a new service you want to implement within the cloud?

[00:32:05] Jeff Dickman: To the actual implementation and release of a capability to your organization. I'd look at customer satisfaction within innovation as well. How, how well are you innovating for your customers and providing them with capabilities that are really going to, to service them? You really want to make sure though, that you're also doing Shadow IT detection within that.

[00:32:23] Jeff Dickman: If you have shadow IT. It means that you are inhibiting innovation. And so you need to really take a hard look at your governance policies at that point and see what are we doing. And why is this still causing Shadow IT to be developed? So those are probably the most important metrics overall, like from a high standpoint that I'd be looking at.

[00:32:41] Jeff Dickman: But the I've kind of touched on it a minute ago, but you want to make sure that you're tailoring these metrics to your organization. It makes no sense to track a metric. Like maybe you don't do chargeback. And so there's no reason to do a show that group because the business isn't interested in that right now.

[00:32:56] Jeff Dickman: So you may not have to do that metric or track it. You want to make sure that you're doing trend analysis, so not just what were the numbers today, but how are we looking over the last month, six months, a year, or, or even longer and looking at what your trends are, because that's really going to tell you how well your governance is doing.

[00:33:11] Jeff Dickman: Typically your metrics are going to say lower is better, so you're going to want to be looking at that and seeing are we trending down, from a, from a metric standpoint. And then you want to be also tracking regular review of your metrics. So making sure that you are reviewing them at least every month from a, from a FinOps standpoint.

[00:33:28] Jeff Dickman: Ideally you want to at least be touching on them and giving, giving your different governance pieces a seat at the table on a weekly basis to be talking through their particular metrics and and the things that are important to them

[00:33:38] Kevin Kohn: and just circling back to what you said at the beginning.

[00:33:40] Kevin Kohn: Governance is about enablement. It's not about hindering, right? And so when you talk about Shadow IT and discovering Shadow IT. If you're finding Shadow IT in the environment, it's because you're not the, the process isn't working for somebody in your organization.

[00:33:56] Kevin Kohn: So having that relationship between your IT group [00:34:00] and who, whichever group is using Shadow IT and identifying and saying, why are you using your own means to get to the, to serve your, your requirements from a technology perspective.

[00:34:11] Kevin Kohn: And they might enlighten you and say, well, I'm, I'm not getting feedback or I'm not getting the appropriate technology fulfillments in a timely manner or, or whatever. There could be a host of reasons, but that conversation itself is indicative of a maturity in your environment. That you're, you're identifying a team, you're meeting together, you're expressing your concerns and they're expressing their concerns back, all go towards a more mature environment and their feedback is valuable.

[00:34:39] Kevin Kohn: And you might say, well, I don't believe in that approach. But their concern is valid. So you just say, well, let me find a way to address your concern and add it to my governance approach. Right. And so I think those things all matter as well.

[00:34:53] Jeff Dickman: Yeah. At the end of the day, your customers and the folks that are potentially standing up a Shadow IT. They're pushing towards an outcome, and so understanding that outcome. This is why I love outcome based approaches so much because that's really what everyone's going towards. They're going to an outcome, and they're looking at your governance model or your processes, and they're saying I can't get to my outcome with with the way that things are currently configured, and so they will go and, you know, stand up the resources outside of your governance so that they can continue to innovate and get the things done that they want to get done.

[00:35:22] Jeff Dickman: Yeah.

[00:35:23] Kevin Kohn: Excellent.

[00:35:25] Effective Strategies for Managing Cloud Costs

[00:35:25] Kevin Kohn: The next question, what strategies have you found most effective for managing cloud costs and avoiding budget overruns, especially in decentralized ITR structures? You know, this goes again to our FinOps discussion.

[00:35:38] Jeff Dickman: Yeah. So, but cost is the biggest reason why we get brought in with a lot of customers is because they want to get their arms around their costs and get things done.

[00:35:45] Jeff Dickman: And so, FinOps engagements are really common right now. But the first thing that you want to do that this, you know, it's kind of a brushstroke statement, but you want to foster a cost consciousness and accountability towards what's happening in the environment. This is really education and [00:36:00] training.

[00:36:00] Jeff Dickman: You want to train your people to think about costs and treat the cloud as though it was their own. Server. And so, you know, if you had to run that on your family budget, what would you do? How would you handle that? And what would you do to, to manage your costs and maintain them? So training your teams on, on that and getting them to be cost conscious as they're building their infrastructure instead of just saying, It needs 12 CPUs and, you know, 64 terabytes of RAM.

[00:36:25] Jeff Dickman: What does it really need? And, and let, let's really dial it in and get it right. And then making sure that your non technical staff is trained on best practices for cloud pricing and is able to have those conversations with, with the cloud vendors and say, listen, this is what we're looking for, and this is what we're doing , and so then they can, they can then understand. When the technical team say we need to provision X, Y, Z resources, they can understand and ask the right questions about what's it gonna cost. And what's it really going to cost? Not, not what do you think it's going to cost type discussions. The next would be to implement practical cost savings.

[00:36:57] Jeff Dickman: So this is all that low hanging fruit and there is so much of it within that 32 percent that you, you talked about at the beginning, that that's really waste within most clouds. This is things like shutting off your development environment. So setting up a scheduled job to, to power services servers down.

[00:37:11] Jeff Dickman: So you don't get charged for them. You still pay for the storage, but you don't pay for the compute, which is a big part of that cost. So doing those kinds of things and then also implementing right sizing. So looking at your servers and really like analyzing them to say, You know, is this the right configuration for this?

[00:37:26] Jeff Dickman: Are we over provisioned on CPU memory or storage for it? And can we, can we scale that down? Then implementing reserved instances and spot instances. So the cost savings that the vendors will give you, if you're committing to long term usage, that's really important for those cost savings mechanisms.

[00:37:41] Jeff Dickman: And then, where appropriate for, you know, sandbox or labs or things like that, leverage the free tiers. So spin up a new account. to to do a prototype, use the free tier stuff and then destroy that account when you're done. So those would be some of the cost savings mechanisms that you could use.

[00:37:55] Jeff Dickman: Proactive alerting is important for your budgets and for anomaly [00:38:00] detection and regular reviews... centralizing your expertise. So we're in a decentralized IT. Let's talk about centralizing expertise around governance so that you have the same instead of having three people that are responsible for compliance, bring them into a team and bring them together so that they're more central as far as what they're doing.

[00:38:16] Jeff Dickman: And then they can sort of, you know, begin to develop those best practices within the organization that can be broad brushstrokes within that and then going back and negotiating your vendor agreements better. Right, as they come up for renewal, you want to take advantage of those.

[00:38:29] Jeff Dickman: Some other things that you can do; game days are fantastic.

[00:38:32] Jeff Dickman: You, open up your, your teams to say, we have X, Y, Z use case, you know, you give them some broad information and you turn the teams loose to go develop solutions. And you may implement those solutions within your environment as, as new applications, new services, new capabilities that, that you solve. And then the last piece of that is share the success.

[00:38:51] Jeff Dickman: Right. Oh, IT often only hears about the challenges and the problems and the things that went wrong. When there are success stories, as far as things that you did with governance, we blocked this attack or our compliance score has gone up for, for how well we're doing in the environment or, you know, what, whatever those KPIs are, when you have successes, share those and communicate those broadly, because that helps drive a lot of the, the consciousness of governance within the environment.

[00:39:17] Kevin Kohn: Right. Okay. Great.

[00:39:19] Revamping Your Cloud Governance Strategy for Immediate Impact

[00:39:19] Kevin Kohn: Well, last question to those companies who are looking to revamp their cloud governance strategy. What are those first steps that you would recommend that they should take to facilitate that smooth transition and make an immediate impact on their environment? Yeah, the goal here is immediate impact, right?

[00:39:37] Kevin Kohn: You can boil the ocean setting up governance and, and what you'll find is that it never really gets off the ground because you try to accomplish too much and so, the way that you sort of get to a, a governance strategy quickly is you do some assessments and planning. And so you want to gather your requirements and your goals, your outcomes.

[00:39:53] Kevin Kohn: Again, as far as what you want to accomplish with governance. You then look at your existing strategy and, and how does that [00:40:00] align with your goals? What needs to change? And so you're really doing a gap assessment at that point, and then you build your roadmap and your action plan as far as what are we going to do 3, 6, 12, 18, 24 months out. And so take, take it in chunks, but know that your first objective should be to set up a Cloud Center of Excellence or cloud business office, charter it, get the right people into it and start meeting and start actually having conversations about your, your objectives and your strategy to, to do that.

[00:40:27] Kevin Kohn: Because one of the things that you'll find is. You may put a 24 month strategy out there and six months into it. Things are going to change. Unfortunately, that's the state of the world now. And so, you know, a 24 month plan is a good directional indicator of where you need to go, but you also need to be meeting regularly to say things have changed.

[00:40:43] Kevin Kohn: Let's update our strategy, or, maybe there's a new compliance requirement that needs to be addressed or something like that. And so you want to make sure that your governance team is able to be agile around those things and make that happen. Once you've done that, It's immediate wins is what you're going for.

[00:40:56] Kevin Kohn: You want to build that positive attitude around your governance. And so , getting some standardization in place, providing visibility into the reporting metrics that you're looking at and sending those out, making them available to the entire organization , so that they can look at them and they can ask questions and be open to questions when you start providing visibility, because sometimes your ideas for improvements won't come from internal to your, your teams.

[00:41:19] Kevin Kohn: It may, it may not be They come from external to the business. They may look at something and go, Why is that server still up? We decommissioned using it six months ago, and suddenly you've got to win. So, that visibility is really important. Looking at cost optimization looking at your, you know, spend and reporting on that and also identifying those opportunities for immediate optimization. So recovering of underutilized servers or unused servers , looking at your object storage and maybe putting life cycle policies in place and getting some of that stuff archived out would be, would be useful stuff there. And then setting budgets and thresholds around your different environments and begin tracking those and reporting on them and reporting on the overruns or, or potential overruns that go with them.

[00:41:58] Kevin Kohn: Security should be in this. They are [00:42:00] on the same team and so you want to make sure that they're involved and they're conducting posture assessments and looking at the vulnerabilities and potential threats within the environment and, and that they're partnered with you to implement automation for security checks and vulnerability scans across the environment.

[00:42:15] Kevin Kohn: And then the last piece of this is the communication and training. And so you, you want to make sure that you're constantly communicating with the organization. Here's what we're governing. Here's what we're doing. Here are the, the guardrails that we're putting in place to keep things on track. And, and here's how we are improving.

[00:42:30] Kevin Kohn: You also want to make sure that that training includes best practices that you expect everyone to be following within the environment, and also again, how to manage costs and to have that cost awareness of things that are being provisioned and how things are being managed, excuse me. And then when there are questions being open to those questions and creating an escalation process around questions so that you're sort of putting together an FAQ for your environment over time, that when people ask questions, they can go to the FAQ or there's an escalation process to get the answer that they're looking for within that.

[00:43:02] Kevin Kohn: Beautiful.

[00:43:03] Kevin Kohn: Wow, it's almost like a master's degree in governance just consolidated down to the short time. Appreciate the, the insights and quite honestly, the, the real world experience in governance, Jeff, and thanks for taking the time to go through these questions with us.

[00:43:20] Jeff Dickman: My pleasure, Kevin. Thanks for inviting me.

[00:43:22] Kevin Kohn: All right. We'll talk soon.

Written By: Kevin Kohn