Cloud Governance with ‘x’Ops -Part 3

By April 1, 2021 Powerlearnings

Compiled by Kiran Kumar, Business analyst at Powerup Cloud Technologies

Contributor Agnel Bankien, Head – Marketing at Powerup Cloud Technologies

Summary:

The xOps umbrella consists of four major ops functions broadly categorized under cloud management and cloud governance. In our previous blogs, we had a detailed look at how IT Ops could be built effectively and by what means DevOps and CloudOps play a major role in cloud management functions. In this concluding blog of the xOps series, we will have a close look at the financial and security operations on cloud and its significance in cloud governance that has paved the way to a more integrated and automated approach to cloud practices.

Index

1. Introduction

2. What is FinOps?

3. FinOps Team

4. Capabilities Architecture

4.1 FinOps Lifecycle

4.1.1 Inform

4.1.2 Optimize

4.1.3 Operate

5. Benefits of FinOps

6. What is SecOps?

7. SOC & the SecOps team

8. How SecOps works?

9. Benefits of SecOps

10. Conclusion

Optimizing cloud governance through FinOps and SecOps

1. Introduction        

According to Gartner, the market for public cloud services will grow at a compound annual growth rate of 16.6% by 2022. A surge in the usage of the cloud has determined organizations to not only upscale their capabilities to be more reliable, compliant, flexible, and collaborative but also equip themselves to handle their cloud finances and security more effectively.

Financial operations, widely known as finOps has led businesses to become vigilant and conscious about their financial strategies and analytics to plan, budget and predict their required cloud expenses better, helping gain more flexibility and agility in time.  

In today’s technology-driven business environments, data is the biggest asset and securing our data, applications, and infrastructure on cloud is a massive concern with growing cloud practices. 69% of executives surveyed by Accenture Security’s 2020 State of Cyber Resilience state that staying ahead of attackers is a constant battle and the cost is unsustainable. With the global IT spends close to $4 trillion, modernized security strategies combined with business operations need to be implemented right from the beginning of the software development lifecycle.

In the first two parts of the ‘x’Ops series, we saw how IT Ops could be built productively by focusing more on DevOps and CloudOps.

The xOps umbrella consists of four major ops functions broadly categorized under cloud management and cloud governance and in this conclusive blog of the xOps series, we will have a close look at cloud governance through FinOps and SecOps practices.

2. What is FinOps?

FinOps is short for Cloud Financial Management and is the concurrence of finance and operations on cloud. 

The traditional setup of IT was unaware of the inefficiency and roadblocks that occur due to the silo work culture, limitations in infrastructure adaptability with regards to business requirements and the absence of technology-led cloud initiatives.

With the onset of FinOps, the people, process and technology framework was brought together to manage operating expenses as well as impose financial accountability to the variable spend on cloud.

Organizations needed to establish efficient cost control mechanisms in order to enable easy access to cloud spend and devise steady FinOps practices.

3. FinOps Team

Workforces from every level and area of business would have unique individual roles to play in the FinOps practices.

Executive heads like VP of Infrastructure, Head of Cloud Center of Excellence, CTO or CIO would be responsible for driving teams to be efficient and accountable while also building transparency and controls.

FinOps practitioners would be focused on forecasting; allocating and budgeting cloud spends to designated teams. FinOps experts would typically include FinOps Analyst, Director of Cloud Optimization, Manager of Cloud Operations, or Cost Optimization Data Analyst to name a few.

Engineering and operations departments comprising of Lead Software Engineer, Principal Systems Engineer, Cloud Architect, Service Delivery Manager, Engineering Manager or Director of Platform Engineering, would focus on building and supporting services for the organization.

Technology Procurement Manager, Financial Planning and Analyst Manager and Financial Business Advisor would form the finance and procurement team to use FinOps team’s historical records for future requirements and forecasts. They would work closely with FinOps to understand existing billing data and rate negotiation techniques to construct enhanced cost models for future capacity and resource planning.

Thus for organizations operating on the FinOps model, a cross-functional team known as a Cloud Cost Center of Excellence would be set up to strategize, manage and govern cloud cost policies and operations as well as implement best practices to optimize and stir up the enterprise cloud businesses.

4. Capabilities Architecture

Organizations adapting to FinOps practices, need to primarily inculcate a cultural change, to begin with.

Cloud cost forms a significant part of performance metrics and can be tracked and monitored to determine the right team size as per workload specifications, allocate container costs, identify and compute unused storage and highlight inconsistency if any, in the expected cloud spends. 

FinOps is a trusted operating model for teams to manage all of the above. Technology teams can collaborate with business and finance teams to shape informed decisions, drive continuous optimization and gain faster financial and operational control.

4.1 FinOps Lifecycle

The FinOps journey on cloud consists of three iterative stages – Inform, Optimize, and Operate. 

4.1.1 Inform

Provides a detailed assessment of cloud assets for better visibility, understanding, budget allocations, and benchmarking industry standards to detect and optimize areas of improvement.

Considering the dynamic nature of the cloud, stakeholders are compelled to customize pricing and discounts, ensure accurate allocation of cloud spends based on business mapping, and ascertain ROIs are driven in view of the set budgets and forecasts.

4.1.2 Optimize

Once organizations and teams are commissioned, it is time to optimize their cloud footprint.

This phase helps set alerts and measures to identify areas that need to spend and redistribute resources.

It generates real-time decision-making capacity regarding timely and consistent spends and recommends application or architecture changes where necessary. For instance, to increase usage commitments, cloud providers often strategize to offer lucrative discounts on reserved instances in order to increase usage commitment levels. Also,     cloud environments can be optimized by rightsizing and automation to curb any wasteful use of resources.

4.1.3 Operate

Helps to align plans and evaluate business objectives through metrics on a continuous basis.

Optimizes costs by instilling proactive cost control measures at the resource level.It enables distributed teams to drive the business by following speed, cost, and quality. This phase provides flexibility in operations, creates financial accountability to the variable cloud spends, and helps understand the cloud finances better.

5. Benefits of FinOps

  • The shift to FinOps empowers teams to build a robust cloud cost and ROI framework.
  • Enables organizations to estimate, forecast, and optimize cloud spends.
  • Improves the decision-making process of enterprises and provides traceability to the decisions made.
  • Helps in financial, procurement, demand, and operational management on cloud.
  • Increases cost efficiency, helps teams attain clear visibility to make their own financial choices with regards to cloud operations.
  • Creates a finance model that conforms to the dynamics of the cloud business.

 6. What is SecOps?

As per the latest studies, 54% of security leaders state that they communicate effectively with IT professionals to which only 45% of IT professionals agree. As IT operations stress upon rapid innovation and push new products to market, security teams are weighed down with identifying security vulnerabilities and compliance issues. This has created a huge mismatch between the IT and security teams that needs to be jointly addressed and resolved effectively.

SecOps is the integration of IT security and operations teams that combine technology and processes to reduce the risk and impact on business, keep data and infrastructure safe, and develop a culture of continuous improvement to eventually enhance business agility. SecOps ensures data protection is given priority over innovation, speed to market, and costs at all times.

7. SOC & the SecOps team

SecOps teams are anticipated to interact with cross-functional teams and work 24/7 to record all tasks and mitigate risks. For this purpose, a Security Operations Center (SOC) is established that commands and overlooks all security-related activities on the cloud.

The Chief Information Security Officers (CISOs) are primarily responsible for assembling a synergetic SecOps team that defines clear roles and responsibilities and devises strategies to restrict security threats and cyber-attacks. Every SecOps team will comprise of:

  • An incident responder, who identifies, classifies and prioritizes threats and configures as well as monitors security tools.
  • Security investigator that identifies affected devices, evaluates running and terminated processes, carries out threat analysis and drafts the mitigation strategies.
  • An advanced security analyst is responsible for recognizing hidden flaws, reviews and assesses threats, vendor and product health; recommends process or tool changes if any. 
  • SOC manager manages the entire SOC team, communicates with the CISO and business heads and oversees the entire people and crisis management activities.
  • Security Engineer or architect who evaluates vendor tools takes care of the security architecture and ensures it is part of the development cycle as well as compliant to industry standards.
  • SecOps has lately seen many new cybersecurity roles unfold. Cloud security specialists, third-party risk specialists, and digital ethics professionals to name some. These roles essentially highlight the vulnerabilities in supply chain processes, privacy concerns, and the impact of cloud computing on IT businesses.

8. How SecOps works?

Gartner states that through 2020, “99% of vulnerabilities exploited will continue to be the ones known by security and IT professionals for at least one year.”

Therefore, the most important aspect is to establish security guardrails and monitor the security spectrum on the cloud continuously.

Dave Shackleford, principal consultant at Voodoo Security stated that for a SOC monitored cloud, SecOps teams must:

  • Establish a discrete cloud account for themselves to ensure entire security controls lie solely with them,
  • Administer multifactor authentication for all cloud accounts while also creating a few least privilege accounts to perform specific cloud functions as and when required and
  • Enable write-once storage for all logs and evidence.

Moreover, the SecOps team must ensure to be primarily responsible and accountable towards security incidents with proactive and reactive monitoring of the entire security scope of the organization’s cloud ecosystem.

According to Forrester Research, “Today’s security initiatives are impossible to execute manually. As infrastructure-as-a-code, edge computing, and internet-of-things solutions proliferate, organizations must leverage automation to protect their business technology strategies.”

Additionally, firewalls and VPNs are no longer considered competent enough to combat the present day’s advanced security threats.

Therefore, it is believed that enterprises that automate core security functions such as vulnerability remediation and compliance enforcement are five times more likely to be sure of their teams communicating effectively. 

Businesses need to implement SecOps practices:

  • That can apply checks on their cloud environment concerning security benchmarks and guidelines as per industry standards.
  • Use vulnerability management tools to scan, analyze and detect potential security-related risks and threats.
  • Assure access authorization and employ frameworks that automate user behavior, profiling, and control.
  • Conduct recurrent audits as preventive measures to keep a check on cloud health and status
  • Use AI to automate SecOps that encapsulate incident detection, response, and analysis, help categorize, prioritize and mitigate threats, recommend remediation, detect unused resources and assign risk scores.
  • Dispense SecOps software that caters to DNS, network, and anti-phishing security along with the application of advanced analytics like data discovery.
  • Implement cloud orchestrations to coordinate automated tasks and consolidate cloud processes and workflows for a more sophisticated and proactive defense.
  • Last but not the least, implement best practices to ensure continuous monitoring and structuring of cloud security operations.

9. Benefits of SecOps

Security and operations together provide:

– Continuous protection of data, applications, and infrastructure on cloud

– Prevention and mitigation of risks and threats

– Speedy and effective response time

– Adherence to compliance standards

– Cost savings from optimizing security measures

– Building security expertise and

– Instilling flexibility and high availability while eliminating redundancy in business operations.

10. Conclusion

With the onset of development, security, finance, and cloud operations coming together under one umbrella, IT operations have gained immense competency in cloud-based services.

The current trend facilitates Dev+Sec+Ops teams to collaborate and incorporate security-related strategies, processes, and policies from the inception phase of the

SDLC. The idea is for everyone to be responsible for security by strategically placing security checkpoints at different stages of the SDLC.

Moving forward, the future of SecOps will be relying more on AI and machine learning tools to construct powerful, intelligent, and dynamic SecOps strategies.

83 % of the organizations admit that with stronger security operations on cloud, their business productivity has appreciably risen. Their security risks have significantly decreased by 56 % while overall costs have come down by almost 50 % improving the ability to be more agile and innovative.

Leave a Reply