The need for cloud governance has grown more important than ever. As organizations continue to support remote work, many have lost the power to strictly oversee what employees are doing. Last year’s scramble to the cloud because of COVID-19 now is turning into a rush to rein in slackened security, unapproved apps, excessive permissions and unbudgeted spending.

Yet cloud governance gets more complicated when a business uses more than one platform — and many do. Perhaps Sabrinath Rao, vice president head of channel for MontyCloud put it best: “Consistent governance, security and cost management are hard enough to achieve in a single cloud. Doing that across multiple clouds is even harder. Individual cloud providers do not have an incentive to innovate here. Driving granular governance consistently across multiple clouds is a value that partners can offer.”

Indeed, managed service providers, VARs, integrators, consultants and others have a big mission in front of them. That’s to help clients implement technology, processes and people that, together, control activity across clouds. This leads to secured data, regulatory compliance and other uncompromisable outcomes.

Consider Forrester Research’s prediction that the global public cloud infrastructure market will grow 35% this year alone, reaching $120 billion. Enterprises, SMBs, nonprofits and more face an unpleasant cloud reckoning if they don’t put governance in place soon. Now is the time. And as David Greene, chief revenue officer of Fortanix, told Channel Futures, “Customers need the help and direction that channel partners can provide.”

To that point, vendors specializing in cloud governance, and selling through the indirect channel, are doing their part. In recent weeks, CloudSphere, Fortanix and MontyCloud, as just three examples, each released platforms that address cloud governance in different ways. Where they overlap is agreeing on what cloud governance accomplishes: protecting data, ensuring security and providing insight for cost controls. They also concur that these initiatives are especially paramount in a multicloud environment.

In this lightly edited Q&A, Channel Futures talks with the channel leads at each vendor about cloud governance — from what that means and what’s coming in 2021 to challenges partners should anticipate and the pitfalls to skirt. Channel Futures spoke with Keith O’Kelly, regional vice president of sales and channel head at CloudSphere; Fortanix’s Greene; and MontyCloud’s Rao.

Channel Futures: How does your company define cloud governance, and why?

CloudSphere’s Keith O’Kelly

Keith O’Kelly: The cloud provides tremendous agility benefits to organizations, with a vast number of different services available on demand. However, that same agility introduces complexity challenges and significant problems with security. We see cloud governance as the ability to define, implement and enforce processes around how a company will use the cloud.

David Greene: Cloud governance is the process of defining, implementing, and then continuously auditing, a set of policies and controls that define what data can be processed by which cloud services under what conditions. Fundamentally, cloud governance takes the security framework built for stable on-premises data and applications and reimagines it for a constantly changing cloudy world.

Sabrinath Rao: Cloud governance delivers policy-driven controls for secure, efficient and cost-effective consumption of cloud resources. Cloud governance also seeks to deliver both consistency across the organization, and granular variations required to support different consumption patterns within the organization.

CF: In what way or ways does your company approach cloud governance, and why?

KO: Most large organizations are already in more than one public cloud, which adds to the complexity of defining and enforcing policies for cloud use. We approach cloud governance by reducing that complexity with a single policy engine that can provide governance across all major public clouds.

DG: Fortanix thinks that what you really need to worry about is your data — how to make it secure anywhere at any time. Fortanix uses encryption to secure the data itself, keeping it safe no matter where it may land or who …

… may have access to it in the cloud.

SR: MontyCloud approaches cloud governance as a critical building-block practice that helps customers achieve their digital transformation goals. While governance goals may be viewed as business processes that are overheads, we believe well-governed cloud environments drive more innovation, deliver better ROI for the business and help control total cost of cloud operations. … We take an “automation first” approach, but without having to deploying agents, or write and maintain code.

CF: Which aspects of cloud governance will be most critical for MSPs, VARs, integrators and other channel partners to ensure on customers’ behalf in 2021, and why?

KO: It is critical that channel partners help their customers better understand the cloud provider’s shared responsibility security model. The cloud providers have done a lot of work to secure their infrastructure and services, and as a result, analyst firms are saying that over 95% of cloud security breaches in 2021 will be the user’s fault. Channel partners have an opportunity to help educate customers on their responsibilities as part of the shared security model, to help properly define security policies, and to provide tooling and/or managed services to monitor and enforce those policies.

Fortanix’s David Greene

DG: Customers accelerated their move to applications and data to the cloud. But their governance got left behind, and now they’re really exposed. They know they need to catch up, but may not know how to. Partners are in a great position to fill the gap.

SR: The key aspects of cloud governance that are important to MSPs, VARs and integrators are consistency in driving consumption, cost efficiency, access controls and self-service enablement with centrally enforced guardrails. Innovation can only be accelerated, and costs controlled, when cloud governance is automated without being a burden on the end user or the enforcement teams.

CF: What cloud governance trends do you see MSPs, VARs, integrators and other channel partners seriously embracing on behalf of customers in 2021, and why?

KO: Multicloud deployments are here to stay for a variety of reasons, including cost controls and reducing single-vendor dependencies. As a result, we see partners embracing multicloud governance tools in an effort to standardize and simplify cloud policy enforcement.

DG: For most customers, “move to the cloud” will mean a complex, multicloud environment that is constantly changing. No one is using just one cloud. Governance needs to be correspondingly flexible and comprehensive.

MontyCloud’s Sabrinath Rao

SR: Driving down total cost of cloud operations is a key area that partners are seriously embracing on behalf of customers. As customers wind down their on-premises IT environments in favor of the public cloud, many case studies are emerging on unbridled cloud costs and bill shocks. The majority of the tools are focused on parsing bills at a granular resource level, and resource level optimizations. Effective cost management is a combination of granular understanding at the application level and automation.

Another area that partners can play an important role is in governance, compliance and security management. With the cloud, IT personnel have to manage vast API surfaces, newer constructs such as account/region boundaries, as well as security and governance constructs.

Navigating effectively requires experts and automation tools. Partners play an important role in bridging the emerging skills gaps, as both cloud vendors and customers compete for sparse, cloud-savvy people resources.

CF: Which cloud governance trends or best practices are you afraid channel partners are likely to ignore or under-address, and why?

KO: Understanding who has access to critical resources in the cloud is one of those areas of complexity that is really easy to underestimate. Identity and access control on-prem is fairly well understood, and as a result, it is easy for IT teams to think that …

… the same policies will extend into the cloud. The reality is that the combination of multiple access pathways and dynamic services in the cloud makes this a much harder problem to solve.

DG: Many partners have viewed the move to cloud (particularly the big three of AWS, Azure, and GCP) as a threat to their business, and tried to stop or slow it down. Don’t bother. Every customer will have more cloud infrastructure and services than they can manage. And with that comes a new opportunity for channel partners to help customers get their arms around all of this. The channel partners that make themselves a critical part of how customers get value and security from the cloud will be a strategic partner for years to come.

SR: Customers want to innovate faster and want fewer process layers between their development teams and infrastructure teams. Self-service with guardrails is a key enabler of innovation. But this is at odds with traditional business models of centralized IT delivery driven by a ticketing/approval-based approach. Traditionally MSP, VAR and SI partners’ business models are built on provisioning requests, configuration change requests and capex-heavy on-prem infrastructure management. Cloud business is centered on empowering customers to become self-sufficient through automation. Due to this friction, channel partners may inadvertently delay, ignore or under-address the needs of cloud customers, instead of embracing customers’ requirements through new tools and business models.

CF: Why do you think cloud governance stands out as a vital issue in 2021 as compared to previous years?

KO: We saw a large number of high-profile, cloud-related security breaches in 2020 and expect that trend to accelerate in 2021. This will drive more attention to cloud governance over the next year.

DG: 2021 is already looking like a threatening year, and it’s only the second week of January. The global pandemic is keeping workers at home and pushing more work to the cloud. New attacks like SolarWinds remind us that the threats are real and mutating. Legal and regulatory changes continue to raise the stakes when governance fails. In short, you can end up putting more data at higher risk at the same time that risk costs you more. Better to get a governance strategy in place.

SR: In a recent IBM study, 60% of the 380 CIOs and CTOs surveyed said their companies are not ready for IT modernization programs. AWS added $10 billion in run rate in just 12 months. Both these data points taken together suggest that while the pandemic has accelerated cloud adoption, many organizations are unprepared. Much of the uncertainty is centered around people skills, governance policies and driving self-service consumption. All three of them are related and an essential first building block. For 2021 to be the year of the cloud, it is inevitable that 2021 will be the year of cloud governance.

CF: How can MSPs, VARs, integrators and other channel partners best approach cloud governance on their customers’ behalf this year?

KO: We recommend putting a framework in place to get a consistent approach for governance across multicloud deployments. Even if your customers haven’t made huge strides into multicloud yet, they will almost certainly do so in the next 12-18 months, and you want to have a solution in place that can scale with them.

DG: Customers know that cloud governance requires something different from what they have done before, but often don’t know what to do next. Help them. Educate, consult, guide and build confidence for customers so that they can thrive in the new world. The solutions and services engagements will follow.

SR: Cloud economics fundamentally changes business models for all players. Partners need to approach cloud governance as a means to unlocking more business value for customers, which can drive more cloud consumption. For this, partners should consider automating all aspects of cloud governance and move their revenue stream up the value chain rather than cloud governance as the end goal. Cloud application management and service delivery offer …

… areas of adding more value. … This drives more cloud adoption and creates new business opportunities. By shifting monetization aspects beyond basic governance to cloud consumption, partners can drive better value to everyone.

CF: What challenges do you expect channel partners to encounter as they implement or tighten cloud governance for clients, and why?

KO: One key challenge we see both channel partners and end users facing is the staffing and expertise shortage when it comes to security and governance in the cloud. The cloud providers are growing so fast; many good candidates for these jobs are quickly hired by the cloud providers themselves. For organizations that can hire top talent and scale that expertise with automated tools, there is an opportunity to offer security and governance managed services to smaller organizations that can’t easily recruit people with the right skill set.

DG: Be patient. This really is new ground for many customers — technically as they operate in new cloud platforms, and organizationally as teams that don’t normally work together now need to collaborate [on] security, cloud infrastructure, DevOps/applications, even data analytics.

SR: The friction created by changing business models may force some partners to [keep] a tighter grip around cloud governance aspects such as a revenue stream. However, modern DevOps culture doesn’t like such friction and will seek to automate more. This is a fundamental challenge that partners will need to address, without compromising on the goals of governance.

CF: What can you offer channel partners to help them address those challenges?

KO: Pick multicloud-capable tooling to simplify policy enforcement and reduce the reliance on having AWS, Azure and GCP experts available at all times. Automate everything. The complexity of cloud governance is only going to increase as the cloud providers continue to roll out new products and services at such a fast pace. One example would be to add automation to connect governance alerts to trouble ticketing systems to make sure important alerts get the attention they need. Don’t overestimate the ability of on-prem identity and access solutions to scale to the cloud. Make sure you can monitor and enforce access policies for important resources in the cloud.

DG: Get yourself to the cloud. There is no substitute for firsthand insight. Build your own cloud governance practice as a way to see firsthand the challenges your customers face. Expand who you are talking to. This is a great reason to meet with the people who are consuming the cloud service, people you may not normally talk to. Think of application teams, cloud infrastructure teams, data analytics teams, executive — in addition, of course, to the IT and security teams.

Start small. In the urgency to establish governance, many organizations get too ambitious. Where is the most immediate, most threatening gap? Just start there and get that fixed. Show what’s possible, and then take care of the next challenge on the list. Explore new solutions. The technology options around governance are evolving incredibly quickly. Old tech won’t solve new problems. Get smart on what is out there, and what is cloud-ready.

SR: Work closely with the “builders” in the customer teams. You will succeed in helping central IT teams balance their organizations’ governance goals with their users’ needs. Enable self-service with guardrails in place. Automation is your friend. Automate every layer of cloud governance including processes, reporting and remediation. Invest into higher-value services that drive cloud consumption. Align with the cloud providers and shift revenue streams to the opex- and micro-transaction-based model.