
What is Cloud Governance

(And Why You’ve Got it Wrong)

“Don’t worry, I’ve heard this works!”

This was what I was told as my friend filled their car up with vegetable oil. They’d heard that someone had run their car on a mixture of mostly used fryer oil, and thought that theirs would work on something similar.

The car was a write-off.

You shouldn’t use a tool for something it’s not designed to do, as you run the risk of doing irreparable damage. This is especially true with things that are “common knowledge”, such as cloud governance.

Cloud governance is often treated as a solution to managing cloud finances, whereas that simply isn’t true. That’s why we here at Aimably will show you what cloud governance actually is, what it’s designed to do, and what you should be using it for.

If you want to skip ahead, here’s a rundown of the sections of this post:

  • You wouldn’t stop a baker from making dough
  • What is cloud governance?
  • What problems is cloud governance designed to solve?
  • What is cloud governance also used to (badly) solve?
  • Pros and cons of using cloud governance to manage finance
  • How to manage cloud finances the right way

Let’s dive in.

You wouldn’t stop a baker from making dough

Close up photo of a bread dough on a working table sitting on a layer of flour. The baker's hands are shown above the dough messy with dough on the fingers, implying that the baker is in the process of kneading the bread.
Source by Nenad Stojkovic, image used under license CC BY 2.0

Let’s say that you run a small business. A bakery, for instance.

It’s a small operation, with a handful of people (at most) who all have set jobs to do, and access to match. The baker has the keys to the kitchen and access to your ordering service to batch buy ingredients, you have the keys to the building to open and close shop every day, and your cashier has the keys to your checkout.

Everyone knows what they need to do and can’t access what they shouldn’t even if they wanted to.

Now let’s say that your profitability is low and you want to improve it. You take a look at your expenses and see that buying ingredients is near the top of the list.

“Well,” you say, “if I take control of ordering ingredients instead of the baker, we can spend less by only ordering exactly what we need. Problem solved!”

We all know what happens next - the baker has to jump through hoops to get the ingredients they need to make the product that you sell to make a profit. In your pursuit to save money you’re literally making less dough in every sense of the word.

Now let’s apply the same situation to a company that’s running with cloud-based solutions.

Everyone has a set job to do and the permission levels to match. Engineering can request greater cloud computing solutions as needed and everything’s running smoothly.

Then, whether through your own leadership, pressure from investors, or something else, you need to cut costs or at least reduce the rise in spending. You, or perhaps the Head of Engineering, notice that spending increases most rapidly as a result of engineers increasing your cloud spend.

So you look to put a stop to that.

You look into a cloud governance solution.

What is cloud governance?

White illustration on a dark turquoise background. Illustration is of a cloud with a downward arrow coming from the cloud. Connected to the cloud are a variety of circles with thin connector lines, implying connected nodes.
Source, image used under public domain

Cloud governance, and more specifically AWS governance, refers to a suite of permission controls. These allow you to quickly change and manage who has permission to perform certain activities when it comes to your cloud solutions.

The permission controls that cloud governance provides can be manually configured in AWS, or automated through a dedicated third-party governance tool.

In other words, think of it like a security system in your bakery that lets you stop the baker from being able to order ingredients, or the cashier from accessing the checkout without your permission.

It’s a way to increase security and prevent people from making decisions which will affect your finances, specifically in relation to your AWS usage and spend.

There are plenty of situations where having a dedicated cloud governance tool (or set of rules within AWS) could be useful. To name but a few:

  • Your company might need to adhere to SOC 2 standards, meaning that certain employees/roles should not have the permissions to change code and deploy it at the same time
  • Your company is concerned that certain engineers might be able to change the infrastructure and you want to restrict their access to do this
  • Your company is worried that a bad actor could try to access your systems and infrastructure via employee-level accounts, and you need to limit the impact of this as a safety precaution

These and more are all perfectly valid reasons to look into cloud governance.

However, there is a very important distinction (and common mistake) that we need to clear up. That is, the difference between what cloud governance is designed to help with, and what many companies try to use it to solve.

What problems is cloud governance designed to solve?

Illustration of a white cloud outlined with a lock symbol centered in the cloud. Behind the illustration is a panel of binary zeros and ones, implying code.
Source by Blue Coat Photos, image used under CC BY-SA 2.0

In short, cloud governance solutions are designed to solve one thing: security concerns.

By limiting the access of certain employees and/or roles to specific activities, you can directly control who has the power to change vital aspects of your business.

From data security and risk management to asset creation and deployment, and even AWS allocation, cloud governance provides the framework under which much of the technical side of your business can be maintained.

Let’s put this into perspective by returning to the bakery example.

You’ve been looking into your finances and something isn’t right - the spending on ingredients is way too high. Not only that, but a disproportionate amount of your stock (ingredients and fresh products) has to be thrown away before it goes rotten.

Your baker isn’t taking enough care with ingredient contamination, and someone has a reaction to nuts in a product you’ve advertised as being nut-free.

So, you crack down on food hygiene policies, forcing them to wear gloves and use a different workstation (and tools) when prepping allergenic food.

You’ve also noticed that money isn’t being counted up correctly at the end of the day. Nothing is missing, but your cashier isn’t closing their workstation properly.

So, you create a checklist and have them run through every step of it at the end of their shift to close the shop properly. They then pass the checklist to you to be checked before they sign out for the day - if a step isn’t followed, you can call them on it and make them do it properly.

In cloud governance terms, these two situations could be an engineer expanding your AWS more than they need to, or publishing code without it being checked properly.

What is cloud governance also used to (badly) solve?

A messy pile of US currency in a variety of denominations.
Source, image used under Pixabay license

Unfortunately, cloud governance isn’t just used to solve security and access issues. Many companies also use it to try and solve finance issues.

Much like FinOps, cloud governance is often used as a way to try and reduce costs when the reality is that it just isn’t designed to do that.

If you rely on conventional knowledge when looking into how to reduce your engineering spend, cloud governance gets mixed into the solution because, the logic goes, if your engineers can’t (or have to jump through hoops to) increase spending then you’ll save money.

“Conventional wisdom, and plenty of online advice, told me that I should be adopting strict cloud governance procedures to rein in spending, but I fundamentally believe that the more you lock down your team the more you kill innovation.” - Michael Webb, CTO & CPO, Identity Automation

To truly understand this problem, let’s dive into the pros and cons of using cloud governance to manage finance.

Pros and cons of using cloud governance to manage finance

The first (and really only) benefit to using cloud governance to manage finances related to cloud computing is that you’ll probably see a drop in spending or, at least, a reduction in the rate at which AWS spending increases.

On the other hand, there are plenty of reasons why doing so is a bad idea.

Once again, cloud governance isn’t designed to manage your finances - it’s designed to handle security through access and permission levels. This becomes most evident when looking at how much it interferes with your engineers’ ability to do their jobs.

Think again of your fictional bakery for a moment.

A photo of baked items ready for eating, including breads, loaves, buns, bagels, bear claws and cinnamon rolls. Some items sit on a black surface, others in a basket, and others on a bread board.
Image by Marco Verch, image used under license CC BY 2.0

You need to reduce costs, and do so by stopping your baker from being able to order ingredients. Now they have to run orders by you before anything happens, and you can reduce the order if you think they’ve put down too much.

This is a one-way ticket to running out of products to sell to hungry customers, as your baker won’t have enough to make items to meet demand.

In the same way, if your engineers can’t troubleshoot bugs or deploy urgent fixes without jumping through 5 rounds of approval, their capacity to run your services efficiently is massively reduced. You’re effectively stopping them from doing their job.

Not to mention the lack of faith this shows in your workforce.

Think about it: you’ve restricted specific employees’ access to certain functions. These are actions that they’ve been able to do in the past, and that form a core part of their job.

You’re telling them that you don’t trust them.

At the very least you’re saying “I don’t trust you to not make a mistake and cost us a ton of money”, and at worst you’re telling them “I don’t think you’re capable of doing your job in its entirety”.

Now, I realize that you might think that it’s worth it to neuter your engineers’ effectiveness and give your employees a bad image of yourself if you can save some money.

The problem is… there are much better ways to manage your finances when it comes to cloud computing.

How to manage cloud finances the right way

Interior signage in a conference hall at a tradeshow displaying the AWS smiley logo. In front of the wall and signage you can see people moving about carrying backpacks and work bags.
Source by Andy Hay, image used under license CC BY 2.0

First up, it’s unlikely that you or your engineers will know what state your cloud finances are in.

I don’t mean knowing what your final bill is (finance will have a handle on that), I mean knowing what your money is being spent on, why it’s being spent on those things, and whether it’s worth spending that much.

AWS is notoriously vague when it comes to finances, and lacks any easy dashboard for viewing this information in a single place.

Second, if you did have some way of seeing your cloud finances in one place and knew for certain that your engineers were expanding AWS too fast, the solution isn’t to stop them from being able to do so.

The best thing you can do is show them what their decisions are costing and give them the context they need to know when expanding cloud services is worth it financially.

For one final time, we’re heading back to the bakery.

What you think is an ignorant baker spending too much on wasteful ingredients is, in fact, a baker who doesn’t know how much the ingredients cost and doesn’t know how many products are used or thrown away as excess.

Slapping them on the wrist and taking away their ability to order flour is a one-way ticket to them losing respect for you and potentially quitting.

Instead, show them your receipts, let them know how much sugar and flour cost, and demonstrate what the demand is for what they’re ordering. Let them know the cost and give them the context to know whether it’s worth it.

If requirements go up, they should still be able to order ingredients to fit the new demand without stopping to verify with you and wasting time. You just need the knowledge of your own finances to give them that context.

That’s where Aimably comes in.

Aimably provides the dashboard summary that cloud services don’t give you, doesn’t cost an arm and a leg to use, and doesn’t require any special training to get started. You can jump in, check out your cloud finances right now, and get to work keeping your costs in line without losing the faith and respect of your employees.

In short, if you’re looking to increase security then yes, cloud governance is the practice for you. Just don’t be surprised if you’re trying to reduce spending and you’re left with a discouraged workforce and a severe lack of dough.
