Cloud Anti-Pattern: Guardians at the Gate
In one of my previous posts, I wrote about how the choice and selection provided by AWS Cloud is a good thing for builders versus the perception that too many services cause confusion. The point I made is that we are in an era where we should expect to see the creation of many more new digital building blocks expanding the set of AWS cloud services. During last week’s AWS re:Invent 2018 conference, there were 34 new products launched and many more new features added to existing services. For example, AWS launched a new time-series database called Amazon Timestream and a ledger database called Amazon QLDB. Builders now have six families of data stores to choose from, not to mention the sub-choices within the relational database family (e.g., Aurora, MySQL, etc.).
At my prior company, I was responsible for enterprise architecture, and one of the tenets I instituted to help combat past problems was “horses for courses.” We have all seen how technologies can become the hammer and all solutions and problems can look like nails. We saw this most prominently with the relational database, which became a jack of all trades but master of none. How many of you have tried using a relational database for search use cases? Not fun.
The best solutions are those that are built with technologies that address specific needs. In-memory databases for caching, NoSQL for key value pairs, and the list goes on and on. Giving your development teams access to the best tools for the job should be a priority for any organization.
However, there is a challenge that I see every enterprise struggle with as they adopt the AWS cloud and begin to expose the choice and selection of cloud services. Sometimes the adoption of AWS in enterprises has its start outside of the centralized IT organization (with or without IT’s blessing), often out of the need to implement a new digital capability quickly due to the selection and agility the cloud provides. But as the footprint of AWS grows, concerns around security and operations become prominent, and IT is asked (or forced) to take over management of the AWS cloud environment(s). It is during this period that IT, carrying the mantle of security and operations, takes on a guardian mentality. I am not saying this is a bad thing. At AWS, security is job zero. But when it becomes the only thing it can cause friction when the need is for less friction.
The cloud anti-pattern that I see arise is what I call the Guardians at the Gate. Imagine if you were to go to your local home improvement store, but before you walk in someone stops you and asks what you need. You tell them that you are there to get a specific kind of cordless drill, screws, and lumber, but they tell you you are not allowed in the store. They will get the items for you. Even worse, you are told your order is being overridden because the cordless drill is not approved for use and not “safe.” It gets worse, because they also tell you it will take one week to fulfill your order as there are twenty people ahead of you and those orders are being inspected and approved for use. As infuriating and silly as this sounds, it’s unfortunately the reality for many enterprise development teams.
On the flip side, I have seen where, using the analogy above, there is no one in the store manning the registers and no security. People come in and take products without paying for them (while the company still pays and doesn’t know who has taken the product). Or worst yet, unauthorized individuals come into the store and do something malicious. Somewhere between these two ends there is an experience that preserves the self-service nature and allowance of choice that AWS provides, and the service and security that every enterprise needs.
The key is striking the right balance between the two. In some sense, the balance is no different than any great in-store experience. There should be someone to help answer where to find what you’re looking for, providing expertise for products, and helping with financing and support.
At AWS, we’ve published guidance that we call Governance@Scale. Governance at Scale helps companies establish centrally managed budgets for cloud resources, oversight of cloud implementations, and a dashboard of the company’s cloud health. To enable this, the policies and mechanisms are separated into three governance at scale focal points:
- Account Management: Automate account provisioning and maintain good security when hundreds of users and business units are requesting cloud based resources.
- Budget & Cost Management: Enforce and monitor budgets across many accounts, workloads, and users.
- Security & Compliance Automation: Manage security, risk, and compliance at a scale and pace to ensure the organization maintains compliance while minimizing the impact to the business.
I was especially excited to hear the announcement of AWS Control Tower and AWS Security Hub, two new services that will help enterprises manage their AWS environments. My colleague, Jon Allen, already blogged about both of these services because he hears just as much as I do the challenges enterprises face around cloud adoption at scale. We also have partners such as Cloudtamer.io, Turbot, and Dome9 Security who can help implement Governance at Scale practices.
The combination of customer obsessed cloud operating and architectural tenets, Governance at Scale practices, along with AWS and partner tooling can help enterprises create amazing cloud experiences for business users, developers, operators, and security specialists.
Never stop innovating,