Managing Compliance in Multi Cloud Environment

2019-05-31

Post on 25-Jun-2020

Executive Summary

Cloud Computing provides the agility and flexibility for IT Departments to deliver what the business needs. The Cloud enables them to provision resources on demand, and the pricing is based on utilization instead of a contractual model. While it gives flexibility, it breaks the planning and approval process that used to happen in the traditional world, so it gives rise to Compliance issues in multiple areas, leading to Shadow IT, Budget Overrun, Security issues etc.

Organizations are moving towards leveraging their existing infrastructure investments and various distinguished services offered by different Cloud Service Providers, so Hybrid or Multi Cloud adoption is on the rise. Multi Cloud is efficient only when it is properly planned, effectively consumed and continuously optimized. Managing compliance through policies becomes very important to ensure the Multi Cloud Journey is moving in the right direction.

With Multi Cloud Platforms & Services, the industry is moving from a permission (approval) driven approach to “policy based restriction and remediation” to manage Compliance of Multi Cloud Resources or Services. Organizations need to have pre-defined policies for consumption, security and budget, which need to be automatically validated or enforced.

Organizations have to define standards not only for their business processes, but also for the consumption of Cloud services and resources. With Cloud’s shared responsibility model, “securing data on cloud resources”, “optimizing resource utilization & cost”, “choosing the right configuration for services and resources” etc. come under the ownership of cloud consumers for both private and public cloud platforms.

It becomes essential to manage compliance for all cloud platforms, services and resources to meet the expected compliance standards. One of the ways to manage Multi Cloud Compliance is to have Policies under various groups and the ability to track them continuously.

Managing Multi Cloud Compliance

Policies are nothing but the rules or standards defined at the Organization level to maintain IT standards while consuming resources dynamically from Cloud providers. Policies help IT comply with the rules & benefits defined at the Organization level. Policy enforcement typically includes Access, Security, Quota, Budget, Regulations, Utilization, Optimization, etc. The indicative list of Organization Policies along with their groups is given in the table below.

Access Policy
Description: Policies to control access to platforms, services and resources. It enforces “who can access what” and “when to grant/revoke access”.
Example: Service Access Policy, Region Access Policy, Image Access Policy, IAM Access Policy, etc.

Security Policy
Description: Policies to enforce security checks on resources and cloud accounts. Security Findings reported by “AWS Inspector”, “Azure Security Center” and “Qualys” also come under this classification.
Example: SSL Expiry Policy, Aged Password Policy, Inactive User Policy, Security Policy by finding, Encryption Policy, etc.

Utilization Policy
Description: Policies to check the utilization of resources and identify unused ones which can be terminated or deleted. Snapshots or backups can be taken before deletion. Highly utilized resources also come under this classification as to track the utilization vs allocated resource configuration.
Example: Inactive VM Policy, Aged Unused Elastic IP Policy, Aged Snapshot Policy, Disassociated Volumes/Disks Policy, etc.

Capacity Policy
Description: Policies to check the capacity allocation vs used for services and accounts. Health check for different private cloud components come under this classification.
Example: Quota allocated vs used policy, Storage Threshold Policy in OpenStack Swift, Health Check Policy, etc.

Cost Policy
Description: Policies to keep track of the cost of resources. It can be overlapping with the Utilization Policy but focusses only on cost.
Example: Budget Allocated vs Used Policy, Short Lived VM Policy, Long Running VM Policy, Aged Stopped VM Policy, Storage Data Redundancy Policy, etc.

Policies need to be agile, efficient and configurable in nature to adhere to dynamic business processes and impose restrictions & standards quickly across multiple cloud platforms and services.

Policy Enforcements

Policies can be classified into 3 types, as follows:

Prevention: Prevent violations before they can happen. It requires intelligence to monitor and restrict an action before it is executed.

Detection: Detect and report if a violation has happened.

Correction: It can be considered as an immediate step after “Detection Policy”. Remediation policies that are enforced manually or automatically.

It becomes essential for an Organization to have a centralized Policy manager to maintain Organization level compliance across Hybrid or Multi cloud platforms and services.

[Figure: Policy (Prevention, Detection, Correction) across AWS, Azure, Google Compute, OpenStack, CloudStack, VMWare and Others]

Need for Policy Management in Multi Cloud Environment

The following explains the need for centralized policy management in multi cloud:

Eliminating Shadow IT

Maintaining Service entitlements for Organization users (Defining access for various Cloud services and Tools consumed by User)

Managing Organization level Compliance for security and regulations

Manage Budget for various departments within the Organization across multiple cloud accounts

Optimize Cloud Spend by defining Quota, Utilization and termination policies across Cloud

Challenges in managing Policies in Multi Cloud Environment

The policy management features offered by the Service providers and Platforms are limited to managing policies within that platform or service.

Policy Management features available in the market do not provide a 360 degree view of managing policies for all areas such as Access, Security, Quota, Budget, Regulations, Utilization, Optimization, etc.

The number of Cloud Services (IaaS, PaaS and SaaS) and Tools consumed by the Organization is increasing, while the Policy support available is not dynamic enough to support policies for the various services and tools consumed.

The Policy support available is not declarative enough for IT teams to build new policies easily.

Policy implementation is different for different platforms or services.

Multi Cloud Policy Management by CoreStack

CoreStack Policy Management aims to provide centralized policy management across multi cloud services with “detailed recommendations”, “Compliance Dashboard” and “auto remediation capabilities”. It is built on an extensible plugin based architecture to support additional services and tools.

CoreStack Policy Engine allows the IT team to use a declarative language to build policies that describe business logic. The declarative Policies can be scheduled or executed on demand. The engine sends a notification on any violation or remediates the violation through the auto-remediation process. The policies are also exposed so that other processes can check a policy before execution, which prevents the policy violation.
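The following sketch is an added example, not CoreStack's engine or its Datalog-based policy language: it expresses three of the policies named earlier on this page as declarative data and runs the same rules for detection, prevention (a pre-provisioning check) and correction. The inventory, field names, thresholds, regions and remediation action names are all assumptions made for illustration.

```python
from datetime import date

# Constructed inventory, already normalized across providers (sample data only).
INVENTORY = [
    {"id": "snap-01", "cloud": "aws", "type": "snapshot", "created": date(2018, 11, 2)},
    {"id": "snap-02", "cloud": "azure", "type": "snapshot", "created": date(2019, 5, 20)},
    {"id": "vol-07", "cloud": "openstack", "type": "volume", "attached_to": None},
    {"id": "vol-08", "cloud": "aws", "type": "volume", "attached_to": "vm-3"},
]

# Policies are data, not code. Thresholds, regions and action names are hypothetical.
POLICIES = [
    {"name": "Aged Snapshot Policy", "type": "snapshot",
     "when": ("age_days", ">", 90), "remediate": "delete_snapshot"},
    {"name": "Disassociated Volumes/Disks Policy", "type": "volume",
     "when": ("attached_to", "is", None), "remediate": "snapshot_then_delete"},
    {"name": "Region Access Policy", "type": "vm",
     "when": ("region", "not in", {"us-east-1", "westeurope"}), "remediate": None},
]

OPS = {">": lambda a, b: a > b, "is": lambda a, b: a is b,
       "not in": lambda a, b: a not in b}

def violates(policy, resource, today):
    """True when the resource is in scope of the policy and breaks its condition."""
    if resource["type"] != policy["type"]:
        return False
    field, op, value = policy["when"]
    if field == "age_days":  # derived field: days since creation
        actual = (today - resource["created"]).days
    else:
        actual = resource.get(field)  # a missing field reads as None
    return OPS[op](actual, value)

def detect(inventory, today):
    """Detection: report (policy name, resource id) for each violation found."""
    return [(p["name"], r["id"]) for p in POLICIES for r in inventory
            if violates(p, r, today)]

def prevent(request, today):
    """Prevention: check a proposed resource before it is provisioned."""
    return [p["name"] for p in POLICIES if violates(p, request, today)]

def correct(findings):
    """Correction: map each finding to its remediation action, if one is defined."""
    action = {p["name"]: p["remediate"] for p in POLICIES}
    return [(action[name], rid) for name, rid in findings if action[name]]
```

A provisioning workflow would call prevent() and refuse the request when the returned list is non-empty, while a scheduler would call detect() periodically and pass its findings to correct() or to a notification handler.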

CoreStack Policy module comprises the following components:

Policy Catalog: It is a repository of declarative Policies along with their corresponding metadata and the Services they support. The Policy manager service provides an option to search and filter based on the metadata defined.

Policy Language: The Policy language is powered by Datalog, a declarative logic programming language, with schema driven service discovery for getting resource state.

Policy Scheduler: The Scheduler allows policies listed in the catalog to be scheduled at the required frequency.

Service Entitlements: It allows managing the various Services used in an Organization along with their endpoints and respective access control.

Notification: The Notification Handler in the Policy engine allows notifying the user in multiple ways. The notification can be through an email alert, ticket creation or initiating a Webhook.

Remediation: The policy engine allows creating an alarm for a violation. The alarm can in turn execute a predefined remediation action using a template or script to correct the violation.

Compliance Dashboard: Compliances are managed for various services using System defined Global policies or user defined policies. CoreStack uses policies to aggregate data from multiple sources, assess the data and project metrics in a unified compliance dashboard. The compliance dashboard screenshot shows metrics across Cloud platforms, Recommendation, Severity, Policy Type, Budget Allocation etc.

[Figure: CoreStack Policy Engine with Policy Catalog, Policy Language, Policy Scheduler, Notification, Remediation, Post Actions / Web hooks and Compliance Dashboard; policy types: Access Policy, Security Policy, Cost Policy, Capacity Policy, Utilization Policy]

Summary

Most cloud applications & tools still rely on Role Based Access Control (RBAC) to impose restrictions on cloud services and resources. Though RBAC helps control user access privileges, it is not sufficient to guide enterprises to consume cloud in an efficient manner.

Policies are not limited to managing Role based access control. The need for Policy management in Cloud is much stronger compared to traditional IT needs as it provides the agility and flexibility.

With the need to “implement agile business processes using Multiple Cloud Services” the compliance is becoming a challenge. A system with reliable and extensible policy management should be the choice for Organizations adopting Cloud Services, as we all know prevention and detection are always better than reactive actions.

About CloudEnablers

CloudEnablers pioneers next generation orchestration solutions that accelerate cloud adoption, optimize consumption, and enforce governance for business to maximize business agility and deliver predictable outcomes. Businesses of all sizes and complexity, from MSPs to enterprises, rely on CloudEnablers for scalable, fully integrated multi-cloud solutions.

For more information, please visit www.corestack.io