Automated Governance and Continuous Compliance in Azure Government
It is no secret that federal agencies are under constant pressure to digitally transform and innovate. Agencies are on the hook to modernize processes and accelerate IT service delivery to better meet the needs of both citizens and stakeholders. At the same time, agencies must stay on pace with evolving policies and regulations. It is a true balancing act between driving value and remaining compliant.
When it comes to the cloud, there are self-service provisioning and automation capabilities that help pave the way to success. These features help engineering teams to leverage DevOps practices to accelerate application development and establish continuous delivery. Yet, without proper governance in place, you quickly experience the phenomenon of “Cloud Sprawl”—as cloud resources are spinned out quickly, the complexities increase. Eventually, your environment descends into chaos.
To avoid this fate, governance is needed. Security and financial controls have to be established without sacrificing speed of delivery. Guardrails—not speed bumps—must be in place that help define the necessary control boundaries and keep agencies on track. This is true for both the native and hybrid cloud. Hybrid tends to be more Infrastructure as a Service (IaaS)-focused, which has much more scalable, mature governance models and tooling. Cloud-native leans toward heavier use of Serverless technology, e.g. native services managed by Cloud Service Provider [CSP], such as Platform as a Service [PaaS] and Software as a Service [SaaS]) which requires the use of more purpose-built techniques and tooling to establish an effective governance framework.
With CloudForte™ for Azure, we created accelerators to help our clients enforce the level of cloud governance that best aligns to their security and financial policies. This is accomplished using enhanced native cloud services. Azure Policy, Security Center, Log Analytics and Automation services are enriched with innovative, prebuilt configuration templates and smart automation developed by Unisys, leveraging Azure SDK, Azure APIs, and Azure Functions.
We translate clients’ governance policies and operational requirements into automation scripts and establish a CloudForte Landing Zone. This zone is a set of prebuilt ARM templates and Azure policy definitions designed to better align customer subscriptions with requirements. The CloudForte Landing Zone creates a safety bubble around the subscription—preventing and auto-correcting mistakes, such as open ports or unprotected blob storage, while still allowing for speed and governed self-service.
Security is all about staying ahead of adversaries. Our approach provides proactive governance and prevents non-compliant resources from being created. We provide automated remediation using a combination of the CloudForte ARM Template processor as well as Azure Policy and Automation services. As we utilize the security innovations of the native Azure services, we harness the power of our Cloud Center of Excellence (CCoE), stocked with hundreds of Microsoft certified professionals focused on continually enhancing our governance services and capabilities. Our experts continuously work with Microsoft to add new capabilities as they become available, including the Management Groups and Azure Blueprints capabilities that were just recently announced at the 2019 Microsoft Ignite | The Tour for Government.
As part CloudForte’s Accelerate and Transform Migration services, we help our clients better understand migration costs—specifically, how operations costs will change and how to determine the expected return on the migration investment. Also, if the client is able to collect existing fine-grain workload cost data prior to migration, we can utilize that raw data to perform comparative analyses so that costs are compared both before and after migration. These data-driven analyses help clients to more accurately forecast anticipated savings and comprehend the total cost of ownership. A direct result of this knowledge is building a more aligned business case for migration.
Cloud can be expensive if it is not used in the right way. Despite all of the benefits of speed and self-service, costs can quickly get out of control. There are a few common influencers, including underestimating the cost of resources and over-provisioning and failure to implement scheduled shutdowns and abandoned workloads. To help mitigate these risks, CloudForte’s Lifecycle Manager provides financial guardrails for customer workloads. This is especially important for initial adoption and development workloads.
CloudForte’s Lifecycle Manager leverages flexible management policies, enabling clients to set up budgets and time limits around workloads at the time of deployment while performing a variety of actions—anything from simple auditing and alerts to automated shutdowns and de-provisioning.
CloudForte also allows access to the new Azure services on day zero—and without any third-party licensing costs. It uses native APIs to read consumption data directly from Azure and does not depend on any third-party vendors. For clients, this results in open and at-pace integration with financial governance immediately upon service announcement.
Most federal agencies depend on third-party resellers to provide cloud services via Contract Line Item Numbers (CLINs). This approach provides contracting officers with an understanding of billing per CLIN but becomes challenging when trying to reconcile that bill against actual usage data. CloudForte solves this issue by offering access to enriched, line item billing data down to the Azure Offer Rate Card (SKU) and customer CLIN. Coupled with CloudForte’s Lifecycle Manager to manage budget and alerts on actual and forecasted billing data, CloudForte establishes fidelity to the raw billing and usage data and helps clients to manage funding obligation levels in real-time.
Successful digital transformation is a direct result of the ability to securely modernize IT service delivery while staying on pace with ever-evolving mission objectives. Like never before, clients need access to innovative, next generational tools that will continuously satisfy regulations and re-enforce governance postures while also reducing the time-to-market for mission-critical IT services. Through Unisys CloudForte, we provide clients with integrated guardrails designed to guide them on a successful path to secure, and cost-effective cloud solutions.