Popular Posts

Tuesday, August 11, 2020

Cloud Governance Concepts

Of all the exciting topics to blog about, today, I choose to focus on the least exciting, but arguably one of the most impactful: Cloud governance. 

Cloud governance is a subset of data governance and while definitions from the major Cloud providers vary, the following 2 themes appear consistently:

  • Cost Governance
  • Data Security

I was fortunate enough to attend the Gartner Catalyst conference in 2019, when attending conferences was still a thing, and one of the themes that resonated with me were sidebar commentary from the analysts about the cost enigma associated with modern Cloud offerings. If memory serves, one of the keynote addresses used a shock tactic statement to grab the audience attention along the lines of: 

"I just received a $10M bill in the mail from AWS, and I have no idea what this is for!"

So, I have not received a $10M bill from anyone, but I did have to deal with an annoying $50 monthly deduction on my Walmart credit card (which I forgot I owned) from one of my AWS tenancies that I use for testing that I also forgot to turn it off. Yes, its my fault. I need to keep track, but it could be worse.

The cloud vendor does not care to remind me. Why would they? I agreed to use a resource and pay for it, by firing up an EC2 instance with some block storage and a load balancer in my non-default region and it is my responsibility to ensure that if it's not being used, then it is turned off. Well, it would be nice if I could be reminded with a monthly email with some note like: “Hey, we noticed you have several resources that have been idling and burning cash, maybe you should consider turning them off or removing them?”, but that’s not going to happen. Lesson learnt. Scale those idle resources by a factor of 100 or a 1000 or 10000, and it stops being annoying…it gets damn serious.

Enter Cost governance or a systematic framework for controlling the costs of your Cloud infrastructure. Cloud computing resources are rentals. You do not own it. You decide when you are done and stop using it and generally speaking, at that point, you stop getting charged for it. One of the major enablers of this problem is the ease of procurement. Anyone with a credit card can sign-up and voila a shadow IT department is created. Over the last 25 years, I’ve consulted and observed in many organizations that not all computing infrastructure is managed by a central IT department. For various reasons, even some legitimate, there often exists one or more departments within organizations that have their own infrastructure. It could be in the organization's official data centers or it could be in the broom closet next to the network patch panel and now it could be in any number of clouds. This last statement should send you screaming for the hills, because your corporate data could be anywhere in the world, out of the purview of your IT security compliance team, possibly jeopardizing SLAs that ensure data residency, data sovereignty, or even worse, not protecting your data assets from the big bad internet because someone decided they knew better or they could not wait for central IT to dedicate cycles to their project or "the business needed the data yesterday!"

So, what can you do about it?

Governance policies to the rescue.

First, and this is serious, it must come from the TOP of the organization that ALL Cloud computing requirements must go through a central place. Non-conformance penalties should be articulated to discourage shadow IT departments, with a clear prohibition message. Even Test/Demo/POC tenancies should be visible, and preferably controlled with oversight by central IT.

Data security breaches are inevitable when private tenancies exist with organizational data outside of the purview of your organization. Would you let an employee/consultant/contractor leave your premises with a data server? An often-overlooked security vector relates to backups. While database-as-a-service instances from Oracle implement in-transit and at rest encryption, you still need policies to protect backups. If you can encrypt backups, that is awesome, but remember to keep encryption keys separate from backups.

Cloud governance policy frameworks sound super boring, but they go a long way in avoiding major cost and security risks, especially if these are adopted upfront. Cloud governance is applicable regardless of the vendor. The main stream vendors offer similar tools and mechanisms to aid with governance but it is still pretty cryptic to figure out how much you owe at any point in time. However, they are getting better at this.

Oracle Cloud Infrastructure (OCI) has a pretty neat infrastructure resource management framework that when planned out properly to match your policies can go a long way to help with your Cloud Governance. It uses a Tenancy (A tenancy is associated with one organization) that comprises logical Compartments to group resources. These Compartments are governed by classical Identity Management principles (Users in Groups with English-like policies that govern how users or groups interact with resources or compartments).

I find it useful to map existing departmental or line-of-business groups that own on-prem infrastructure to compartments as well as to map existing IT infrastructure groups to Cloud infrastructure groups. DBAs or Network Admins working on-prem are doing similar work on Cloud resources. In fact, this may be the opportunity you’ve been waiting for to finally align these teams with the resources they are meant to manage and optimize your infrastructure support teams while securing your infrastructure.

Tags may be applied on each individual OCI resource. These are optional and the most rudimentary tags are simple key-value pairs. OCI upped their game by offering Tag Namespaces, that allow you to use a predefined set of tags like (CreatedBy and CreatedOn) or any set of predefined tags that make sense in your organization. In many of the tenancies that I manage, I have a periodic report of untagged resources that are designated for follow-up and recycling if they do not have identification tags. The tagging framework allows for cost-tracking tags, so I can report by line-of-business or department to cross-charge or track resource costs within the tenancy.

In your Cloud governance policy doc, it is essential to prescribe that all Cloud resources conform to a standardized tagging framework, with a process for handling untagged resources. This approach fosters accountability and efficiency while improving security by preventing rogue resources from being inserted into compartments by bad actors.  Group departmental resources into Compartments. Design the IT department of your dreams conceptually and fit human resources into an optimal cloud identity framework that leverages: Users, Groups and Policies to govern resources within Compartments.

OCI lets you download CSV files with details of your usage, so this can be ingested and analyzed to identify usage and cost patterns. 


Some descriptive analysis is also provided on the console, but as you can see, the aggregated data is not real-time…actually it’s a couple days behind. And these are estimates, not actual costs so there may be some deviations.

There is an API framework available that exposes most services including the Oracle CloudAccount Metering REST API. It has some limitations but could be integrated with the cloud usage CSV report data to analyze this data. 


OCI also allows you to create budgets on a compartment basis or on a cost-tracking tag basis. You can then set alerts for these budgets which notify you when exceeded and allows you to minimize runaway costs.

Armed with a proactive cloud governance policy, and leveraging tooling provided by the cloud vendors, you can ensure that your costs are tracked, you only use the resources you need, and your data is better protected.

So, how many resources are you paying for that you aren't using in your Cloud tenancies and even worse, how many unregulated cloud accounts that contain your organization's data are out there?


Thursday, January 16, 2020

Hot of the press: New OCI Architect Associate All-in-One Exam Guide published!

 





Topics covered include:

Chapter 1: Oracle Cloud Infrastructure Concepts
Chapter 2: OCI Identity and Access Management
Chapter 3: OCI Networking
Chapter 4: Compute Instances
Chapter 5: Storage
Chapter 6: Oracle Database
Chapter 7: Automation Tools
Chapter 8: OCI Best Practice Architectures
Glossary

Friday, August 7, 2015

OCA/OCP Oracle Database 12c All-In-One Exam Guide (Exams 1Z0-061, 1Z0-062, & 1Z0-063)



This Oracle Press certification exam guide prepares you for the new Oracle Database 12c certification track, including the core requirements for OCA and OCP certification.

OCA/OCP Oracle Database 12c All-in-One Exam Guide (Exams 1Z0-061, 1Z0-062, & 1Z0-063) covers all of the exam objectives on the Installation and Administration, SQL Fundamentals, and Advanced Administration exams in detail. Each chapter includes examples, practice questions, Inside the Exam sections highlighting key exam topics, a chapter summary, and a two-minute drill to reinforce essential knowledge. 300+ practice exam questions match the format, topics, and difficulty of the real exam.


Electronic content includes interactive practice exam software with hundreds of questions that include detailed answers and explanations, and a score report performance assessment tool

Ideal as both exam guide and on-the-job reference

The most comprehensive single preparation tool for the Oracle Database 12c OCA and OCP certification exams



Friday, March 28, 2014

OCA Oracle Database 12c SQL Fundamentals I Exam Guide (Exam 1Z0-061)

 



Prepare for the Oracle Certified Associate Oracle Database 12c SQL Fundamentals I exam with this Oracle Press guide. Each chapter features challenging exercises, a certification summary, a two-minute drill, and a self-test to reinforce the topics presented. This authoritative resource helps you pass the exam and also serves as an essential, on-the-job reference. Get complete coverage of all OCA objectives for exam 1Z0-061, including:

Data retrieval using the SQL SELECT statement
Restricting and sorting data
Single-row functions
Using conversion functions and conditional expressions
Reporting aggregated data with the group functions
Displaying data from multiple tables with joins
Using subqueries to solve problems
Using the set operators
Manipulating data with DML statements
Using DDL statements to create and manage tables
Electronic content includes:

150+ practice exam questions with detailed answers and explanations
Score report performance assessment tool
PDF copy of the book

Saturday, August 15, 2009

OCA/OCP Oracle Database 11g All-In-One Exam Guide

 


A Fully Integrated Study System for OCA Exams 1Z0-051 and 1Z0-052, and OCP Exam 1Z0-053

Prepare for the Oracle Certified Associate Administration I and SQL Fundamentals I exams and the Oracle Certified Professional Administration II exam with help from this exclusive Oracle Press guide. In each chapter, you'll find challenging exercises, practice questions, and a two-minute drill to highlight what you've learned. This authoritative guide will help you pass the test and serve as your essential on-the-job reference. Get complete coverage of all objectives for exams 1Z0-051, 1Z0-052, and 1Z0-053, including:

  • Instance management
  • Networking and storage
  • Security
  • SQL
  • Oracle Recovery Manager and Oracle Flashback
  • Oracle Automatic Storage Management
  • Resource manager
  • Oracle Scheduler
  • Automatic workload repository
  • Performance tuning
  • And more

Friday, May 30, 2008

OCA Oracle Database 11g SQL Fundamentals I Exam Guide

 

A Fully Integrated Study System for OCA Exam 1Z0-051


Prepare for the Oracle Certified Associate Oracle Database 11g: SQL Fundamentals I exam with help from this exclusive Oracle Press guide. In each chapter, you'll find challenging exercises, practice questions, a two-minute drill, and a chapter summary to highlight what you've learned. This authoritative guide will help you pass the test and serve as your essential on-the-job reference. Get complete coverage of all OCA objectives for exam 1Z0-051, including:


SQL SELECT statements

Restricting and sorting data

Single-row functions

Conversion functions and conditional expressions

Group functions

Displaying data from multiple tables

Subqueries

Set operators

DML and DDL statements

Schema objects

Cloud Governance Concepts

Of all the exciting topics to blog about, today, I choose to focus on the least exciting, but arguably one of the most impactful: Cloud gove...