An organization might adopt a multi-cloud strategy to leverage the unique capabilities of different cloud providers and avoid vendor lock-in. According to Gartner, 81% of respondents in a recent survey were using two or more cloud providers. Containerizing applications using technologies like Kubernetes provides the flexibility to run applications everywhere.
While a multi-cloud strategy can have flexibility benefits, you cannot ignore the extra operational overheads. Cloud providers prioritize developing tools for their own systems, not for cross-cloud scenarios. For example, Amazon Web Services (AWS) CloudFormation is an infrastructure as code (IaC) service that can provision AWS resources; Microsoft Azure developed Azure Resource Manager (ARM) templates for the same purpose. Learning and maintaining separate templates is time-consuming, which is where third-party tools, like HashiCorp Terraform, fill the gap by helping to automate IaC on any cloud.
Moving beyond infrastructure deployment, third-party tools are now offering solutions that combine crucial cloud management features like security, cost, governance, and compliance. These tools overcome the difficulty in maintaining oversight of multi-cloud operations and enable central IT organizations to manage their multi-cloud services and resources from a single management platform. In this article, we will review the desired functionalities of multi-cloud management platforms.
Summary of key multi-cloud management functionalities
To maintain oversight of a multi-cloud operation, we require the following functionalities from the management platform:
| Functionality | Description |
|---|---|
| Multi-cloud support | Support for major cloud providers like AWS, Azure, and GCP, extendable to other cloud providers like Oracle cloud |
| Private cloud support | VMware Private Cloud offers a service enabling organizations to simply pool all their servers into a single resource |
| Governance management |
|
| Security posture management |
|
| Cost management |
|
| Compliance management |
|
Governance management
Cloud governance is the set of rules and policies adopted by your organization to enhance security, mitigate and manage risk, and ensure smooth cloud operations.
Your organization’s various cloud accounts will need to be onboarded to the multi-cloud management platform. The documentation should be clear on what permissions are required by the platform to enable onboarding. Depending on the functionality that you require from the multi-cloud management platform, you may grant both read and write access to your cloud accounts.
To successfully manage the governance of multiple cloud accounts, your management platform needs to provide a holistic summary. The image below is an example of a Cloud Account Governance Summary that shows the account information from AWS, Azure, GCP, VMware, and Oracle Cloud. For each account, a row displays pertinent information, like whether the account is active and who created it.
A cloud account governance overview
A traffic light governance dashboard, as shown in the image below, can help you quickly focus on accounts that require intervention. Each row represents a cloud account with key governance pillars as columns and the latest status color-coded.
A traffic light dashboard for different governance pillars
Security posture management
Managing the security posture of even a single cloud account can be a daunting task. If you are pursuing a multi-cloud strategy, then it is critical to have a management platform that provides information about threats and vulnerabilities from all your accounts in one location.
Typically, the multi-cloud management platform will aggregate security alerts and threats from the cloud providers’ native services. Any policy violations identified will be flagged, which will help your organization identify where industry or organizational best practices are not being followed, enabling your organization to level up its security posture.
Threats, vulnerabilities, and policy violations (guardrails) summarized from multiple cloud accounts across different cloud providers
A vulnerability trend graph providing an overview of your vulnerability posture
A multi-cloud management platform should be able to assess your resources for common vulnerabilities and detect security threats. A suitable management platform will help your organization iterate through the security and operations lifecycle stages of security, compliance, and operations.
The three stages of the security and operations lifecycle
In the security phase, resources that have security violations are identified. For example, a cloud storage account may permit public access due to a poorly configured policy. The management platform may include audit policies to detect:
- User accounts that do not have multi-factor authentication (MFA) enabled
- Whether custom policies are being used rather than built-in policies
The management platform will help your organization align with compliance standards during the compliance stage, while it will perform real-time threat and vulnerability analysis at the operations stage. It may be able to remediate security anomalies automatically—for example, by blocking a specific IP address that is accessing a resource at an anomalous time—or provide recommendations to improve your security posture. This should lead your organization to revisit aspects of your cloud security and governance.
Resources that are impacted by a security threat; for example, unauthorized accesses may have been detected
A multi-cloud management platform can help your organization develop a culture of continuous improvement by providing actionable insights and highlighting where improvements have been made with vulnerability trend graphs. Being able to measure and track the vulnerabilities addressed demonstrates the value derived from the management platform.
A vulnerability trend graph for the last six months, which can be used to measure the impact of your security interventions
Cost management
Keeping up to date and in control of your cloud spending is crucial to avoid cloud “bill shock.” Modern multi-cloud management platforms will summarize your costs across all your cloud accounts and provide insights to help you reduce unnecessary costs caused by idle resources.
A cost summary across multiple cloud accounts
You could trigger a cost alert based on simply exceeding a budget threshold, but more sophisticated platforms can analyze your historical spending and use machine learning and AI to detect anomalous jumps or drifts in spending. If an anomaly is detected, this can trigger an alert via an email or automated action to resolve the cost anomaly. For example, if it triggered an alert, then it could run a webhook that addresses the issue.
A cost trend with anomalies detected
An example of a cost anomaly email sent due to a cost threshold being crossed
If your organization makes extensive use of virtual machines, reserved instances can offer significant cost savings over on-demand pricing. In exchange for committing to a certain level of usage, the cloud providers offer significant discounts: up to 72% on AWS. Keeping track of your actual vs. committed utilization is critical to ensure that your organization is benefiting from its committed spend. In the image below the utilization of the reserved instances is shown and the utilization column indicates that these instances are well utilized.
The image shows the utilization of reserved instances
For on-demand resources, some management platforms can provide schedule recommendations. For example, some of your teams may inadvertently leave VMs running overnight, but a usage report may show that there is consistently no activity on the VM between [00:00] and [05:00] UTC. The image below shows an example of resources that the management platform recommends turning off during certain times because they are not being used but are still being paid for.
A summary of resources being underutilized during certain periods
Tagging your resources consistently across your cloud accounts is fundamental to successful integration with any management platform. By tagging your resources with key:value pairs that identify the environment, application, and department, you will derive insights faster and be able to take remedial action more confidently. For example, acting on a cost alert from a resource tagged as environment:development is likely to have less severe consequences than if the resource tag was environment: production.
A management platform should support your custom tags and also enable you to enforce and apply mandatory tag keys. A tag governance dashboard, as shown below, will help your organization identify gaps in your resource tagging coverage.
An example of tag governance
Compliance management
Knowing that your cloud accounts are compliant with recognized standards is reassuring, and for some organizations, this may be a mandatory requirement. The latest multi-cloud management platforms will assess the security of your cloud infrastructure by aggregating assessments from the cloud provider’s native tools or third-party assessment tools. They can display the results in an intuitive dashboard that provides a snapshot of your organization’s compliance posture.
If your organization is targeting a specific compliance standard, then you should check whether the management platform supports it and also whether it keeps pace with changing standards.
If your organization is beginning its cloud deployment journey, then support for the cloud provider’s best practices—like Amazon Web Services Well-Architected Framework, Azure Well-Architected Framework, and Google Cloud Adoption Framework—will help develop a culture of continuous compliance benchmarking.
A compliance posture dashboard
|
Platform
|
Provisioning Automation |
Security Management |
Cost Management |
Regulatory Compliance |
Powered by Artificial Intelligence |
Native Hybrid Cloud Support
|
|---|---|---|---|---|---|---|
|
Azure Native Tools |
✔
|
✔
|
✔
|
|
|
|
|
CoreStack
|
✔
|
✔
|
✔
|
✔
|
✔
|
✔
|
Summary of key multi-cloud management concepts
Consider a multi-cloud management platform if your organization adopts or is adopting a multi-cloud strategy. The management platform will help you maintain oversight across your different cloud accounts and providers. The platform should cover the key governance pillars of security, compliance, operations, and cost. By aggregating data from the cloud provider’s native tools, you can be confident that the management platform is providing an accurate overview of the state of your multi-cloud environment.
Ultimately, the multi-cloud management platform should help your organization foster a culture of continuous improvement and maintain a history so that you can review your improvements.
