Governance

Adopt Cloud Frameworks
  • Google Cloud Adoption Framework
    • Themes: Learn, lead, scale, secure
  • Google Site Reliability Engineering
  • AWS Cloud Adoption Framework
    • Business Perspectives: Business, People, Governance
    • Technical Perspectives: Platform, Security, Operations
  • AWS Well-Architected Framework
  • CSA Cloud Controls Matrix

Cloud Transition Budget

As an organization moves to the cloud, it will need a transition budget separate from any specific projects to deal with the cost of moving.

Back in 2016 the cloud was hyped as a cost savings for IT before it was understood the true value of the cloud is in its agility, elasticity, scalability, resilience and high availability. These enable digital transformation in an organization.

There are still big benefits for IT: no sunk cost in hardware, the capability to automatically scale up or down to match usage, and no maintenance of infrastructure and security.

The overall cost picture will be hard to quantify because the organization will be transitioning from capital costs to operational costs for IT infrastructure.

Even if cloud costs are less, they may well appear to be more expensive in the first few years. There can be a spike in expenditures because there is a cost in moving to the cloud. This cost can take several forms:

  • Migration activities, rewriting code, etc.
  • Failing to optimise business processes
  • Foundational infrastructure such as high-bandwidth VPNs to the cloud
  • Security infrastructure such as a cloud access security broker (CASB)
  • Inability to downsize servers and personnel on premises as expected

For these reasons an enterprise budget should be established for the moving costs.

Baseline Usage

As part of the planning for any project (cloud or on premises), cost estimates for resources must be determined.

Baseline usage of a cloud service should be established over a minimum of 3-6 months to evaluate the consumption of cloud services and make budget predictions. This period can also be used to optimise the cloud infrastructure.

For the cloud, this will establish a budget for the operating impact of the project. In keeping with Showback vs Chargeback the baseline usage for 3-6 months will validate the costing exercise during the planning phase and confirm the budget for the project beyond the 3-6 month period.

IT Chargeback

IT chargeback is a standard industry term for a method of recovering costs from internal consumers for the IT services they have used. Instead of bundling all IT costs under the IT department, a chargeback program allocates the various costs of delivering IT (e.g., services, hardware, software, maintenance) to the business units that consume them. There are many models sliced and diced in different ways for chargeback allocation and cost recovery. These can be resolved into the following main models:

  • High-Level Allocation (HLA) – Shared IT or cloud resources are charged back based on division size (e.g., number of FTEs and amount of revenue/budget)
  • Low-Level Allocation (LLA) – Shared IT or cloud resources are charged back based on simple user metrics (e.g., number of FTEs and number of servers allocated to meet service loads)
  • Direct Cost (DC) – Dedicated IT or cloud resources are charged back based on direct ownership of the resources (e.g., SaaS, time- and material-based costing)
  • Measured Resource Usage (MRU) – Shared IT or cloud resources are charged back based on actual measured usage (activity-based costing) of cloud resources (e.g., bandwidth, storage consumed, data transferred)
  • Tiered Flat Rate (TFR) – Shared IT or cloud resources are charged back based on providing access to a service whether the service is used or not (pricing in tiers or bands)
  • Negotiated Flat Rate (NFR) – Shared IT or cloud resources are charged back based on a negotiated and/or protected usage of a service (e.g., fixed subscription to a corporate service)
  • Service-Based Pricing (SBP) – Shared IT or cloud resources are charged back based on a specific measured unit of service (e.g., number of transactions, number of messages, number of pages, job queue)

IT Showback

IT Showback tracks IT consumption and allocates IT expenses to cost-centres but it does not recover the costs. Showback measures and displays the IT cost breakdown by consumer unit (e.g., departments, functional units, projects), without actually transferring costs back. Costs remain in the IT group, but information is still transparent about consumer utilization.

Showback can be easy to implement since there is no immediate budgetary impact on user groups, but full responsibility rests with the IT group and consumer accountability is lacking.

Estimating Projects

There are several ways of estimating projects before work is done:

  • Analogous
  • Parametric
  • Top down
  • Bottom up
  • PERT (Project Evaluation and Review Technique)

A form of PERT is a three-point estimate using expert opinion to derive a weighted estimate. It uses three values for:

  • best case
  • most likely case
  • worst case

Use the attached spreadsheet to calculate a weighted estimate at several confidence levels. A confidence level of 95% is standard for IT projects.

3-PointEstimate
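The three-point calculation in code, as an added example rather than the attached spreadsheet: it assumes the standard PERT weighting (best + 4 × most likely + worst) / 6 with standard deviation (worst − best) / 6, treats "confidence" as the one-sided probability that actual effort will not exceed the estimate, and goes one step beyond the post by rolling several task estimates up into a project figure.

```python
# Added example (not the post's attached spreadsheet). Assumes the standard
# PERT weighting (best + 4*likely + worst) / 6 and SD (worst - best) / 6,
# and reads "confidence" as the one-sided probability that actual effort
# does not exceed the estimate.
from math import sqrt
from statistics import NormalDist
from typing import Iterable, NamedTuple


class Task(NamedTuple):
    name: str
    best: float
    likely: float
    worst: float

    def mean(self) -> float:
        return (self.best + 4 * self.likely + self.worst) / 6

    def sd(self) -> float:
        return (self.worst - self.best) / 6


def validate(task: Task) -> None:
    # Reject a transposed or nonsensical triple before it skews the roll-up.
    if not task.best <= task.likely <= task.worst:
        raise ValueError(f"{task.name}: need best <= likely <= worst")


def estimate(tasks: Iterable[Task], confidence: float) -> float:
    """Project-level estimate exceeded with probability (1 - confidence)."""
    tasks = list(tasks)
    for t in tasks:
        validate(t)
    # Means add; variances add (tasks assumed independent), so the project
    # SD is the root of the summed variances, not the sum of the SDs.
    mean = sum(t.mean() for t in tasks)
    sd = sqrt(sum(t.sd() ** 2 for t in tasks))
    z = NormalDist().inv_cdf(confidence)  # 0.95 -> 1.645, 0.50 -> 0
    return mean + z * sd


# Constructed sample: effort in person-days for a small cloud migration.
MIGRATION = [
    Task("landing zone", 10, 20, 40),
    Task("network / VPN", 5, 8, 20),
    Task("app refactor", 30, 45, 90),
]

if __name__ == "__main__":
    for conf in (0.50, 0.80, 0.95, 0.99):
        print(f"{conf:.0%}: {estimate(MIGRATION, conf):.1f} person-days")
```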

Cloud Computing Risks

The cloud has unique risks that differ from those on premises. Here is a list to get you started:

  • Account hijacking
  • Advanced persistent threats (APTs)
  • Compliance violations and regulatory actions
  • Consumers have reduced visibility and control
  • Contractual breaches with customers or business partners
  • Cost increases
  • Credentials are stolen
  • CSP supply chain is compromised
  • Data breach requiring disclosure and notification to victims
  • Data deletion is incomplete
  • Denial of Service (DoS) attacks
  • Diminished customer trust
  • Increased complexity strains IT staff
  • Increased customer churn
  • Insecure interfaces and application programming interfaces (APIs)
  • Insiders abuse authorized access
  • Insufficient due diligence increases cybersecurity risk
  • Insufficient identity, credential, and access management
  • Insufficient isolation in a multi-tenant architecture or multi-customer application
  • Loss of control over end user actions
  • Loss or theft of intellectual property
  • Malware infections that unleash a targeted attack
  • On-demand self-service simplifies unauthorized use
  • Revenue losses
  • Separation among multiple tenants fails
  • Stored data is lost
  • Vendor lock-in complicates moving to other CSPs

Credit Card Skimming

Credit card skimming is the modern version of “taking cash off the top”, a form of fraud. Originally it was done at the point of sale in a store or at an ATM machine.

However, credit cards with chips made physical skimming hard and thieves have found that it is more effective to skim online purchases.

This can be done by injecting JavaScript into an e-commerce site or by obtaining your personal data from a data breach. Another method is spoofing, which redirects you to a fraudulent web site.

Here are a few things you can do to protect yourself:

  • Don’t give out personal information online (be wary of phishing attacks)
  • Only access web sites that use https
  • Only buy from known stores
  • Use a separate credit card online with a low limit
  • Monitor your credit card bills closely
  • Report any suspicious activity immediately
  • Pay extra attention to online purchases that you’re not sure you remember making

Spam

The big three email threats are spam, phishing and spoofing.

Spam is an unsolicited bulk e-mail message or any email messages you don’t want or didn’t request. Spam messages are mostly commercial advertising.

There are two types of spam:

  • Intentional spam soliciting for a service or product, or attempting to commit fraud.
  • Unintentional spam originating from a computer infected with a virus or worm that activates an email distribution process in the background.

Many jurisdictions have regulations governing bulk emails. Mailers are supposed to offer a means to opt out or block repetitive spam. Be careful — often this is a way to collect information about you.

The best practice is simply to tag spam as junk and direct it to your junk folder.

Internet Radicalism

The Internet held the promise that anyone could become a publisher. The dream was this would make more information available and widen discussions to include diverse thoughts that weren’t represented in mainstream media.

Instead it has provided a platform for and amplified the views of extremely disaffected and angry people. These Internet radicals and extremists are a threat when their views are expressed through random or organized violence. They are also a threat to civil order and good government when they poison public discussions.

The Internet is now a fundamentally broken online world. In offline society we had developed civil norms that provided guard rails against the crazies. Online, we have no checks and balances. Anything goes. On social media people can and will say anything, especially racist, misogynistic, and Islamophobic remarks.

Here are just a few examples of how social media results in the normalization of outrageous and dangerous behaviour:

Here are some readings if you would like to learn more:

Wired Magazine has said social media should be regulated:

“By automatically amplifying any and all messages that appear on their platforms and using highly personal data and algorithms to target those messages to where they will have the greatest potency, social networks are weapons. They must be viewed not as an extension of the people who use them but as a danger to the greater society.”

The Guardian writes that social media:

“Altered our way of being in the world such that the news is no longer one aspect of the backdrop to our lives, but the main drama.”

The New York Times says in its Internet Privacy Project:

“The scope and scale of disinformation on social media is beyond the capability of any one person to stem the tide. Citizens, politicians and business leaders are asking if societies are making the wisest tradeoffs in their use of technology.”

Alternet states:

“…Social media platforms like Facebook [and Twitter] do not serve us much better. There are several reasons for this. First, they overwhelmingly expose us to information we already agree with, leading to confirmation bias. Second, much of the information they spread is unreliable (and even propagandistic). Third, social media are designed to elicit emotional rather than rational responses from us.”

 in Salon:

“Human beings should really try to be aware of their information diet and the company they keep because such stimuli are actually changing our brain and cognitive systems in a very real and very physical ways.”

As an individual you can:

  • Restrict your use of social media and its affirmation bias
  • Become more media savvy and analytical about what you read
  • Step out of the social media bubble to get external news
  • Check facts in more than one media, making sure they have independent sources
  • Be more vigilant about social media as a weapon against your group
  • Call out racism, antisemitism, misogyny, Islamophobia