Governance as Code: Keeping Pace with the Rate of Change in the Cloud

By Lenildo Morais, Project Manager  |  February 26, 2019

In my two-plus decades as a technologist, I’ve remained focused on solving the challenges of complexity. How do you collapse complexity, even as it’s increasing with every day, month, year? This is true across all of IT, but particularly with respect to the cloud. The last decade has spawned fantastic innovation in the cloud, but also complexity like we’ve never experienced. This rapid pace of change—and growing complexity of decentralized implementation—have the potential to slow our adoption of the cloud, and with it, impair our ability to realize cloud’s promise to deliver superior agility and innovation to businesses.

Simply Put: The rate of change in the cloud has surpassed the capability of humans to keep pace. So, has “digital transformation” evolved from an amorphous buzzword into a force of nature that’s truly bested us? Have the machines won? Should we all just call it quits? At least for the cloud, the answer is “no” and governance as code is the reason why.

Why Humans Can no Longer Keep up

The management of all business services, applications and infrastructure exists in feedback loops that require constant optimization around cost, availability, performance, security and usage. In the pre-cloud era, these feedback loops were so slow they were often not noticed. But today, the intervals are trending towards real time and testing the limits of our ability to keep pace. In the post-cloud era, it is common to see a three-to-four-order of magnitude increase in the pace of change in equivalent business systems. This rapid acceleration can place IT teams in a reactive, “fire drill” mode that fosters mistakes, makes it hard to drive standardization and best practices, and detracts from the overall success of the business.

Before the cloud, applications and infrastructure were controlled by an IT department through centralized management and governance. With the emergence of cloud, there has been a shift in the ownership model that has turned this tried and true approach on its head. The cloud is being adopted and managed not solely by IT, but throughout the enterprise. It’s not uncommon for a large enterprise to have more than 500 teams building, deploying and managing their own cloud applications and infrastructure.

In this highly decentralized world, manual governance is no longer sufficient; organizations must find automated ways to maintain governance without sacrificing agility. This governance must be based on internal policies, best practices and reference architectures.

In the future, governance as code will be the backbone driving our IT systems and services. It will enable us to deliver consistent, efficient and highly repeating business outcomes at the lowest possible cost, with the maximum availability and security, while also allowing our people to expand into new and higher value-add roles across business.

What is Governance as Code?

If you’re involved with managing applications and infrastructure, chances are you’re already relying on declarative and code-driven management of your deployment and configuration. Frameworks like Terraform, Ansible and Chef have fulfilled the promise of infrastructure as code: the ability to rapidly provision, deploy, and configure resources and systems in the cloud. Infrastructure as code has enabled us to move at cloud-speed, eliminating humans from our provisioning processes.

Unfortunately, once these applications, infrastructure and resources are deployed, we’ve been relying on a combination of people, tools and scripts to keep business running. In many cases, we hope to adhere to standards, implement best practices, maintain security and follow internal policies to ensure we are not taking on any undue risk in our businesses. Too often, we are falling back on our people as a safety net.

Infrastructure as code is what DevOps and TechOps teams do; governance as code is about codifying how applications and infrastructure should run.

Consider a future in which smart software actually understands the business service you are delivering—including the underlying applications and resources interoperating to deliver this service—and is capable of weighing performance, reliability and budgetary need to optimize to meet your business needs. In the event a user did deviate from best practices, systems based on governance as code would make a recommendation and drive the necessary changes to maintain the desired state. Some of these changes may involve interacting with people (e.g., opening ServiceNow (News - Alert) ticket), but increasingly, many will be done automatically.

Governance as code means incredible gains from an efficiency and innovation standpoint. It draws upon principles of machine learning, automation, governance and policy management to remove the legwork from cloud management. In many ways, governance as code will parallel high-frequency trading, which relies on smart business and strategy-aware software and algorithms to achieve outcomes not possible with humans. With governance as code, IT teams can define and automate best practice policies that manage all aspects of services, applications and infrastructure across cost, availability, security, performance and usage.

Putting it Into Practice

While governance as code is all about smart software, executing a successful initiative requires putting an enterprise-wide strategy in place and a substantial cross-organizational investment. Due to the decentralized adoption of the cloud, it is essential that any implementation complements, supports and enhances the adoption and usage of the cloud across the enterprise.

As with all major technology changes, it will require modifications in people, process and technology. Since everyone loves a good list, here are the five steps to follow to implement governance as code:

  1. Get stakeholder buy-inA good governance as code strategy starts by getting cross-organizational commitment to the need for a revised strategy and agreement on the proposed solution.
  2. Gather your experts If you have not invested in building a Cloud Center of Excellence (CCoE), it is imperative to form one now. A successful governance initiative is often driven as an extension of a successful CCoE strategy.
  3. Map out your attack plan Establish a governance strategy and be sure to define and adopt policies with cross-departmental best practices in mind.
  4. Define & automate policies – Capture your best practices, standards, reference architecture and internal constraints from your organization and teams and automate these rules in the policy engine of your choice. Automating makes life easier and is essential to governing at cloud-speed.
  1. Track and trend Integrate the policies with internal incident and ticketing systems, as well as deliver violations, recommendations and reports to stakeholders, teams and departments. Setting metrics for a cloud program isn’t easy, but done right, it gives you a real way to benchmark and measure ROI.

We Need Governance as Code

There has been a disruption in cloud’s complexity core and that disruption needs to take what is done today by people—with their unique intellect and understanding of technical problems—and codify it in terms of rules that policy engines can execute and identify when users deviate from best practices.

Governance as code means up-leveling your approach to IT and declaring the state you want your application and/or infrastructure to operate to via code. One of the best (and, not-so-conveniently, most challenging) realities of cloud computing, is that it’s a relatively new technology that’s been hugely disruptive in a relatively short period. The combination of the rapid pace of change and the highly decentralized adoption of the cloud has brought us to a tipping point. Governance as code taps into collective mindshare from past successes and failures to make it easier for IT teams to maintain speed with control through a sound governance strategy.

We need a fundamentally new approach to managing the cloud that allows decentralized teams to adopt the cloud and run at cloud-speed, while still maintaining the best practices and optimum security/efficiency required by our business. We need governance as code.

Edited by Erik Linask
Get stories like this delivered straight to your inbox. [Free eNews Subscription]