The question this week in the Cloud Clinic is a very interesting one and one that I see a lot of companies are struggling with and suffering the consequences of not managing optimally!

Too many people have too much access to production, and now our security team is saying this is not compliant and it has to change! In fact, this question is such a doozie that first we will answer – “why is it such a problem if too many people have too much access”. I mean of course other than it not being considered compliant. What problems emanate from incorrect access?

Next week we will delve into how to approach sounder access control – so don’t forget to join us for that!

Read on below and find out in this week’s episode!


The Cloud Clinic is a series on the #AzureEnablementShow where we focus on answering caller questions about using the cloud. It is difficult to start out right, and it is difficult to stay on an optimal path in the cloud journey. "I thought the cloud would be better than this, but I have some questions!" This is the show where you can have Your question answered! Please reach out to me on social channels, or comment here, or on YouTube, and we might be answering Your Cloud Clinic Question next!



Establishing and monitoring access to different environments (part 1)

Please enjoy this episode on YouTube:

[https://www.youtube.com/watch?v=KmmHrNNZdEw]

Here is the episode on Microsoft Learn:
[https://learn.microsoft.com/en-us/shows/azure-enablement/the-cloud-clinic-establishing-and-monitoring-access-to-different-environments-part-1]

It is unfortunately almost always the case that security is fixed when there is a security problem, rather than planned as a first-class concern to avoid a problem happening in the first place. Don’t wait until something bad happens before thinking about security! Make sure you plan for the right access control from the beginning to avoid a slew of negative consequences if you don’t!

What happens when you grant too much access?

  • You might need to live up to a certain security and compliance standard, because your customers require it. This means you can lose customers or fail to gain new ones if your business is not living up to your customers’ requirements. Sort of a consequence by proxy. This can really hurt in the wallet area.
  • If a person has the wrong access, mistakes can occur. It is like inviting the inevitable opportunity for human error. It is also very disrespectful to your employees to put them in the position where they can make bad mistakes, if that situation can be technically avoided, or at least very much mitigated!
  • When you have too much access, you also tend to become careless with such things as leaving test resources around. Because it seems to you that does not really matter, right? You can create those resources, so why not just leave them lying around. Again, this is a slippery and costly slope. There is power in the psychology of “running a tight ship”. When employees feel empowered and like things they do matter and are important, they will behave more responsibly too!

How do companies get into this position?

A big problem is that the person who owns the application security responsibility can often be an administrator with a very busy schedule. They do not want to be bothered by the technical people time and again for them to do repetitive technical administration. Instead, they will grant the technical people “all the access” so that they go away and do technical things. The problem is, now they have too much access!

Use automation to change testing and production environments – never grant individual access

Technically humans “never” have access to production! Only automation may touch production! When that does not fully fill the need, and a human does need to “enter production”, they should be granted minimal access, just-in-time to do the task, and that access should be automatically revoked again.

For development and sometimes test environments, it is more okay to grant more access to “people”. DO still consider granting appropriate access levels. For example – everyone can have Read access. The web developers are “Contributors” on the web resources, but not the databases. The database maintainers have Contributor access to the databases, but not the web apps. I realize I am oversimplifying here, but you get the drift. Consider gravitating to security groups with appropriate access control, rather than lazily granting everyone on the team “all the access”. You’ll thank me later.
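The access rules described above (only automation writes to production, read access for everyone, scoped Contributor access through security groups) can be checked against an export of role assignments. This is an added example, not code from the episode; the sample data is constructed in the shape of `az role assignment list --all -o json`, and the `-prod` resource group suffix is an assumed naming convention.

```python
import json

# Constructed sample, shaped like `az role assignment list --all -o json` output.
# The subscription id "0000" and all names are placeholders.
ASSIGNMENTS = json.loads("""[
 {"principalName":"alice@example.com","principalType":"User","roleDefinitionName":"Owner",
  "scope":"/subscriptions/0000/resourceGroups/rg-shop-prod"},
 {"principalName":"deploy-pipeline","principalType":"ServicePrincipal","roleDefinitionName":"Contributor",
  "scope":"/subscriptions/0000/resourceGroups/rg-shop-prod"},
 {"principalName":"sg-everyone","principalType":"Group","roleDefinitionName":"Reader",
  "scope":"/subscriptions/0000"},
 {"principalName":"sg-web-devs","principalType":"Group","roleDefinitionName":"Contributor",
  "scope":"/subscriptions/0000/resourceGroups/rg-shop-dev/providers/Microsoft.Web/sites/shop-web"},
 {"principalName":"bob@example.com","principalType":"User","roleDefinitionName":"Contributor",
  "scope":"/subscriptions/0000/resourceGroups/rg-shop-dev"},
 {"principalName":"sg-dba","principalType":"Group","roleDefinitionName":"Contributor",
  "scope":"/subscriptions/0000"}
]""")

READ_ONLY = {"Reader"}

def resource_group(scope):
    """Return the resource group named in an ARM scope, or None for broader scopes."""
    parts = scope.strip("/").split("/")
    lowered = [p.lower() for p in parts]
    if "resourcegroups" in lowered:
        return parts[lowered.index("resourcegroups") + 1]
    return None

def covers_production(scope, prod_marker="-prod"):
    """Subscription-wide scopes are inherited by production resource groups too."""
    rg = resource_group(scope)
    return rg is None or rg.lower().endswith(prod_marker)

def audit(assignments):
    """Return (principal, role, reason) for each assignment that breaks the rules."""
    findings = []
    for a in assignments:
        who, kind = a["principalName"], a["principalType"]
        role, scope = a["roleDefinitionName"], a["scope"]
        if role in READ_ONLY or kind == "ServicePrincipal":
            continue  # read access and automation identities are the intended baseline
        if covers_production(scope):
            findings.append((who, role, "standing human write access reaches production"))
        elif kind == "User":
            findings.append((who, role, "direct user assignment; use a security group"))
    return findings

if __name__ == "__main__":
    for who, role, reason in audit(ASSIGNMENTS):
        print(f"{who:20} {role:12} {reason}")
```

The group with Contributor at subscription scope is flagged even though it is a security group, because that assignment is inherited by every resource group below it, production included.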

Privileged Identity Management (PIM) is a huge area of focus which is wonderful to work with once you have set it up. Reality is that it can be tricky to set it up. The rewards are worth it though. What you get is the situation where your team members are eligible for access, but they don’t have access all the time. When they need access, they can activate their access and make the changes they need to make. Apart from this being very secure and compliant – which is an awesome bonus, the main benefit here is that people who need to activate access to environments to make changes, tend to think more about why they are doing what they are doing, rather than “just doing it”. Word of caution though – the proverbial thumb screws of being required to activate access every time you make a change can become quite annoying. You should use PIM only where you need it the most. For example, in production and test environments that you want to limit “fiddling” in.

Also watch the next episode, which talks about what to do to avoid the problems described in this episode: Establishing and monitoring access to different environments (part 2 of 2).



Slowly but surely your monthly Cloud bill is climbing. If the increase is related to more customers and more business opportunity with a good ROI, that’s great! Congratulations! However, what if it is related to an untidy state of affairs in your cloud house, and unused, unoptimised cloud resources are wasting company money? Well, that’s very bad! How can you tell the difference?

Read on below and find out in this week’s episode!



The Cloud Clinic on The Azure Enablement Show


We are in the Cloud spending money; how do we know we are getting business value from what we are paying for?

Please enjoy this episode on YouTube:

[https://www.youtube.com/watch?v=LB4XAKIh2eQ]

Here is the episode on Microsoft Learn:
[https://learn.microsoft.com/en-us/shows/azure-enablement/the-cloud-clinic-making-sure-youre-getting-full-value-from-your-cloud-spend]

Are you sure you are spending on the right things?

As noted in the intro you MUST know, when you are spending a significant amount of company money on running resources in the cloud, that you are spending the money in the right places! Technically that means you need to add cost management tags to your resources, but that part is just mechanics, and as such it is not very interesting.

What is more important is that you understand in the business what you are willing to spend money on in the cloud! Here is where an experienced technical cloud person will come in handy. This person needs to be a universal translator between businesspeople (normal people, or muggles – as in non-magical/non-technical folks) and tech people (wizards or geeks).

Find out what the business needs, and then make sure you are using the right and appropriate cloud resources for the job! Re-examining your Azure spend on a routine basis helps to ensure that you’re spending wisely. Next…

Find out how to technically measure the right things from the Cloud resources

All cloud resources that cost money for your company can have their performance metrics and cost data collected. Are you using the right resources, but also, are you using them appropriately? Obvious issues such as incorrectly sized machines or incorrectly scaled clusters can spend a lot of money and provide very little value.

Consider using Cloud native tooling to collect the right cost data

In Azure I would personally recommend Azure Monitor. It is a unified and comprehensive monitoring solution for your cloud and on-premises environments. But, hey! If you want to use another tool, knock yourself out! All cost data collected in Azure is Your Data! If you want to take that data and export it to any other analysis service, you are completely free to do so! There is great advantage in using the native tooling of your cloud provider because it is both purpose-built and fully integrated into the offering. This is, again in my opinion, perhaps not the first place where you want to get “creative” or “exotic” in your tool choices.

If your company is not yet well versed in Azure Monitor, this is probably one of the best pieces of advice you can get on your road to the cloud: Invest in your whole team, certainly technical staff, but also business people, and financial operations, to learn what Azure Monitor can do for you!

Make available to business owners a live dashboard of real valuable cost data!

You have business running in the cloud. You have resources deployed. You have tagged them appropriately. The consumption is incurring cost. You collect both performance data and cost data. OK, so far so good!

One critical piece remains – to use the data to perform intelligent analysis and investigate the cost. You need to set up an empowering, live, and useful dashboard that shows what is going on with cost over time! For example, using Azure Dashboards for the more technical people and project managers, and using Power BI for businesspeople. Get started by skilling your technical team, then creating a performance dashboard!

Good luck on your path to true wisdom in cloud spend!




The Cloud Clinic is a series on the #AzureEnablementShow where we focus on answering caller questions about using Azure Cloud. It is difficult to start out right, and it is difficult to stay on an optimal path in the cloud journey. "I thought the cloud would be better than this, but I have some questions!" This is the show where you can have Your question answered! Please reach out to me on social channels, or comment here, or on YouTube, and we might be answering Your Cloud Clinic Question next!

David Blank-Edelman and Magnus Mårtensson on the Cloud Clinic

In this episode our caller has the question how do we go about...

Verifying the implementation of your cloud strategy

There exists a "divide" between business strategists and technical implementers - that has always been so. A Cloud (first) Strategy has been established in the company. Now it needs to be verified that the technical implementation is indeed following through, aligning to said strategy. Unfortunately, I have seen time and again that companies have a strategy for cloud but the actual cloud they are building is technically something different.

Please enjoy this episode on YouTube:


[https://www.youtube.com/watch?v=vRa6ueIYqp0]

Here is the episode on Microsoft Learn:

Episode listed in Microsoft Learn
[https://learn.microsoft.com/shows/azure-enablement/the-cloud-clinic-verifying-the-implementation-of-your-cloud-strategy]

A good Cloud Strategy follows a set of prioritised motivations and guides the direction of the technical implementation!

How do you then verify that the technical cloud is staying on the strategic path? There are, simply put, two things you need to do to ensure you follow the intended path: clear company communications, and some technical data gathering and dashboards.

Everybody can see the goal!

First you ensure there is a clear strategy written down, AND then you make abundantly certain that this strategy is CLEARLY COMMUNICATED to the entire company! When (not "if") the cloud strategy needs to change, the change is documented and again (very important especially for changes) communicated to the company!

Why would a Cloud Strategy need to change?

There are multiple reasons for that, but common ones include, "we now know more about cloud tech than we did when we started, and there is reason for us to revisit the initial strategy", and "our customer is requiring a certain compliancy level, and that was not the highest priority before". To be on a cloud journey, as a company, and realize you must change your strategic approach takes courage, conviction, and communication!

Technical details for aligning cloud tech with business strategy

Second, based on the goals of the cloud strategy, you find a set of technical metrics that measure the intended strategy. It could be cost metrics, it could be business metrics - number of new users etc., or it could be user satisfaction metrics. The critical factor here is that the metric itself is of VALUE TO THE BUSINESS. You set up monitoring to capture the data for these metrics, then you create a dashboard that you can make available to the less technical business stakeholders. Good technology options here are Azure Monitor for data collection and then integrate the data with Power BI.

Good luck following your strategic path to a fruitful technical existence in the cloud!




Happy to announce my session at Azure Lowlands 2023: Turning Azure Platform Recommendations into Gold.


My session:

Azure Lowlands Speaker Magnus Mårtensson
[https://www.azurelowlands.com/speakers/]

The Cloud Platforms offer a lot in terms of help to self-help for optimisation and cost reduction. However, I see daily how companies under-value this guidance and do not act on recommendations. This is a huge waste which, if refined, may be turned into pure gold!

See you at my session at Azure Lowlands, June 29th in Utrecht, The Netherlands!

Azure Lowlands homepage
[https://www.azurelowlands.com/]




I’ll be speaking at DevSum 2023

Happy to announce my session at DevSum 2023: Four pre-flight checks for Azure Cloud. It is a session about all the things that matter getting ready for the cloud journey that are just next to technology!

Magnus profile on DevSum
[https://www.devsum.se/speakers/magnus-martensson]

Remember, technology may be complicated, but it is commonly straightforward. People, however, are NEVER straightforward! This is a VERY important conversation to have about the world we live in as technologists enthusiastic about Cloud!

See you at my session at DevSum, May 25-26 in Stockholm!

Devsum Homepage

