Enterprise cloud service offering: Key challenges and how to mitigate them

The aim of this article is to highlight the key challenges associated with the enterprise cloud service offering and provide tips on how to mitigate them.

What is the enterprise cloud service offering?

Enterprise cloud is a computing model where an enterprise can use virtualised IT resources from a public or private cloud services provider. These resources can include storage, virtual servers, networking, security components, and serverless computing.

In larger enterprises, there are normally cloud centre of excellence teams who can provide the cloud service offering and help onboard different business units to the cloud. They provide different teams with access to the cloud resources, and ensure provisioned workloads meet compliance and security standards. Read next: How to create an Enterprise Architecture function

Outcomes

Below are some of the key outcomes that an enterprise would typically like to achieve from its cloud service offering across different business units.

Key challenges

At the start of an organisation’s cloud adoption journey, there are usually a few teams that will start using it. Managing the cloud is simple as there are only a few accounts and workloads deployed there. However, as cloud usage grows across an enterprise, several key challenges can begin to emerge if they are not tackled as part of the initial landing zone designs.

Single or few accounts used by different business units

While a single account works in the beginning, it is not sustainable as the cloud usage grows across business units and teams.

Complexity in managing common security guardrails as they are applied at individual account level

Initially, it is okay to apply common guardrails at account level, but to ease and simplify management, it is better to apply them at higher levels such organisation units in AWS, management groups in Azure, and folders in GCP.

Workloads deployed in management accounts

This can be a security risk as privileged operations are normally allowed in the management accounts.

Production and non-production environments sharing the same account

Production and non-production workloads have different security profile and needs, hence putting them in the same account could be a security risk.

Several dozen workloads deployed into a single account

This makes management, security, and access control more complex.

Complexity in managing individual users without federated access

Lack of a Single Sign On (SSO) solution means individual users accounts must be created and maintained by the cloud team, which is cumbersome, error prone, and non-sustainable in the long-term for larger enterprises.

Manual deployments to production workloads

Whilst this is initially okay for trying out cloud resources and for quick POCs, an organisation needs proper CI/CD processes and tools in place to scale the cloud adoption.

Lack of central security hub

Managing security incidents and having an oversight across dozens or hundreds of accounts can be challenging. It requires a central security hub where security incidents from all accounts can be centrally managed and acted on.

No availability for security hardened common VM templates (a.k.a. machine images)

By reducing variability, we can improve standardisation and implement security best practices.

Lack of traceability for production incidents

Workloads are deployed but there is no properly defined observability (logging, metrics, and alerts). Without these, it is very difficult to resolve production incidents.

Weak security controls and no threat modelling for deployed workloads

Deployed workloads have poor security posture and lack defence in depth controls applied at different levels. These can lead to security incidents and data leaks that could be quite costly and cause significant reputational damage in the long run.

No oversight for cloud costs and difficult to attribute costs to different entities, and workloads

Cloud costs can easily spiral out of control without proper oversight, and it is difficult to track and reduce costs without proper attribution.

Trying to use cloud as a traditional data centre

Cloud offers agility, and a lot of IaaS, PaaS, and SaaS solutions that can be leveraged together in innovative ways to design efficient, cost effective, secure, and scalable solutions. However, using cloud as a traditional data centre results in rigid controls, inefficient use of resources, lack of agility and efficiency, and stifles innovation.

How public cloud helps to manage and govern environments

All ‘Big 3’ public clouds provide capabilities to their customers to help manage, structure, and govern large-scale enterprise environments as their cloud usage grows. Using these management capabilities, an enterprise can structure its cloud resources appropriately to manage complexity and allow cloud usage to scale rapidly across the enterprise.

Some of the benefits of using these governance controls include the ability to quickly scale your workloads by programmatically creating resource containers such as org units/accounts in AWS, folders/projects in GCP, and management groups/subscriptions/resource groups in Azure.

By applying governance policies at higher abstraction levels (org units in AWS, folders in GCP, and management groups in Azure), you can give freedom to teams to build their workload resources whilst staying within the boundaries set by policies at a higher level. For example, you can set policies to control which cloud regions could be used to provision company’s cloud resource and place restrictions to avoid someone accidentally switching off audit logs or security components.

You can centrally enforce your recommended backup, configuration, and security requirements by enforcing them at the higher level in the resource hierarchy (as mentioned above). This allows you to centrally secure and audit your environments.

Permissions management and access control can be simplified by applying policies at the right level in the resource hierarchy.

Amazon Web Services (AWS)

AWS uses concepts of organisation units and accounts to structure and manage an organisation’s teams, projects, and cloud resources:

• Organisation: Root of the hierarchy is organisation / company.

• Organisation Units (OU): OU in AWS can be used to create a hierarchy of business divisions, teams, and different product lines. Different policies can be applied at these levels.

• Accounts: Accounts are the containers for all cloud resources. E.g., A Product 1 (OU) can contain three accounts, and each account can contain environment-specific resources.

Microsoft Azure

Azure uses concepts of management groups, subscriptions, and resource groups to structure and manage an organisation’s teams, projects, and cloud resources:

• Organisation: Root of the hierarchy is organisation / company.

• Management groups: These could be used to create a hierarchy of business divisions, teams, and different product lines. Different policies can be applied at these levels.

Resource groups: These are the containers for all cloud resources. E.g., A Product 1 (management group) can contain three subscriptions, and each subscription can contain environment specific resources.

Google Cloud Platform (GCP)

GCP uses concepts of organisation, folders, and projects to structure and manage an organisation’s teams, projects, and cloud resources:

• Organisation: Root of the hierarchy is organisation / company.

• Folders: Folders in GCP can be used to create a hierarchy of business divisions, teams, and different product lines. Different policies can be applied at these levels.

• Projects: Projects are the containers for all cloud resources. E.g., A product 1 (folder) can contain three projects, and each project can contain environment specific resources.

Design principles for enterprise cloud service offering

Along with the governance options available in the public clouds noted above, we have successfully used the below design principles to tackle the challenges that arise from the enterprise cloud service offering when using cloud at scale within large enterprises.

Enterprise cloud service offering

Security

Cost optimisation

Observability

Performance efficiency / innovate with cloud-native solutions

In a nutshell

By improving the enterprise cloud service offering governance and structure and adopting the above design principles, an enterprise can truly reap the benefits of the cloud while avoiding some of the challenges that are highlighted in this article. If you would like us to provide design critique for your enterprise cloud service offering or need help with optimising and improving it to meet business needs, please get in touch.