Understanding how you can empower people to train and certify to drive the flexibility for access that they’re asking for
One of the common areas that I talk about when speaking to colleagues and partners is around the fine balance that has to be struck between providing flexible access to users, and how this is managed from a governance perspective.
It’s not uncommon that organisations have legacy Information Security positions from their co-lo or on-premises days which of course are difficult to translate into the modern cloud. You’ll not have to go far before you’ll hear a colleague say something like “it takes ages to get an account” or “when I get access, I then have to raise so many other requests for service enablement or privilege management”.
First of all, if you are considering building out your platform but leaving most services disabled until there is a business need, you’ll likely find that this becomes a constraint quite quickly. It’s admirable of course that you want to maintain as small a footprint as possible to reduce the security risk, but this then means that a team cannot start looking at these services and being creative until they’ve gone through a lengthy service review process. Let’s be honest, this is also likely going to be a difficult journey for them as well.
If it’s a worry about cost, then there are other ways that you can limit or guide here without retaining a firm grip that’s so tight it’s suffocating.
Next, there’s the worry about a ‘free for all’ and people not knowing what they’re doing and the likelihood of data and services being stood up with little to no governance – a security nightmare! Yes, this is possible, but it’s also clear that there are better ways to achieve alignment with the Well-Architected Framework and internal security governance frameworks.
I’m not going to use this post to talk about the benefits of DevSecOps, linting and the power of CI/CD pipelines (I can in another post if you’d like!), but instead want to focus on training.
Let me introduce you to the concept of a Cloud Operators License – or whatever you’d like to call it instead.
You may have picked up from some of the images on my blog so far that I’m a fan of sailing, so it seems fitting to start with an analogy based around this.
Pedal Boat User

We’ll start with a pedal boat user. The chances are that you’ve probably had the pleasure of driving one yourself, and giving yourself first-degree burns on your butt when sitting on a pedal boat that’s been sat out in the scorching sun all day. There’s no real training required, it’s very easy to operate, and there is limited to no risk in using it: it can’t go very far, and they’re usually operated in a confined space.
Sailing Yacht Skipper

Next we have our Yacht Skipper. They’ll need to have a qualification and some experience to back that up. The yacht has a limited crew/passenger capacity but it can certainly go a bit further than a pedal boat. With this increased range and capacity comes increased responsibility for the skipper to make sure they’re sailing when it’s safe to do so, and they’re operating within the limits of their personal capability – no-one wants to risk their crew or need to have the Coastguard come out to rescue them.
Cruise Ship Captain

Finally, we have our Cruise Ship Captain. A person who has significant experience and training with the responsibility not only for the enormous vessel but also the crew and 1000s of passengers on-board. The ship has global coverage and a large number of conveniences, services and engineering capabilities to look after.
So, Adam, why are you telling us all this?
Ok, let’s now look at how this can translate into the Cloud.
By linking the level of someone’s certifications to the level of access they have in the cloud, you can provide the flexibility they’re looking for alongside the ability to mitigate many of the risks and concerns that would usually come out of your Information Security team. This doesn’t mean that there’s a free for all as soon as they get their certification, because that training will also educate them about best practice, security, frugality and all the key pillars that lead to a sustainable and secure cloud.
If you’re starting out at the beginning of your journey, you’ll want to start by focussing on providing everyone across your technology function and associated business partners (Finance, Governance etc) with training and awareness of the Well-Architected Framework, and also certifying them up to practitioner level on your primary cloud. You’ll also carry out a Cloud Skills Assessment on the same audience, but this is outside of the scope of this blog for now.
This will achieve two things: firstly you’ll be opening their eyes to what ‘good’ looks like in the cloud space, and secondly you’re investing in them personally. Many of these teams will not have received targeted and relevant training in some time, so this will earn trust for what you’re looking to achieve.
Clearly, the number of people that are certified to Pro-level in your organisation will be less than the number certified to Practitioner-level, but this should drive an upward trend in the number of people seeking out the ability to cert up.
In the past, I’ve taken this one stage further by creating a series of Lambda functions that allow an external service (such as Service Now) to pass an identity and certification to get a true or false response to determine whether a person holds a qualification. This then means that you can link the ability to vend a certain service catalog item (such as an admin role) with a required certification. Another use here might be to require a person requesting a Sandbox account to have completed training and awareness around the Well-Architected Framework. Once you take it to this level, then you supercharge your ability to drive both governance and also the clarity around expectations for the users.
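To make that concrete, here is an added illustration of what such a certification-check function could look like. This is my own sketch for this post, not the Lambda code described above; the certification registry, the catalog-item-to-certification mapping and the certification names are all constructed assumptions, and a real deployment would look the identities up in your HR or learning platform rather than an in-memory dictionary.

```python
"""Illustrative certification gate in the shape of a Lambda handler."""
from datetime import date

# Constructed sample registry: identity -> {certification: expiry (ISO date)}.
# A real version would query the learning/HR system of record.
CERT_REGISTRY = {
    "alice@example.com": {
        "cloud-practitioner": "2099-12-31",
        "solutions-architect-pro": "2099-12-31",
    },
    "bob@example.com": {"cloud-practitioner": "2024-03-01"},  # lapsed
}

# Assumed mapping of service catalog items to the certifications they require.
CATALOG_REQUIREMENTS = {
    "sandbox-account": ["cloud-practitioner"],
    "admin-role": ["solutions-architect-pro"],
}


def holds_certification(identity, certification, today=None):
    """True only if the identity holds the certification and it has not expired."""
    as_of = date.fromisoformat(today) if today else date.today()
    expiry = CERT_REGISTRY.get(identity.strip().lower(), {}).get(certification)
    return expiry is not None and date.fromisoformat(expiry) >= as_of


def can_vend(identity, catalog_item, today=None):
    """True if every certification required by the catalog item is held."""
    required = CATALOG_REQUIREMENTS.get(catalog_item)
    if required is None:
        return False  # unknown catalog items are denied by default
    return all(holds_certification(identity, c, today) for c in required)


def lambda_handler(event, context=None):
    """Entry point an external service (e.g. a ticketing tool) would invoke.

    Accepts either a 'certification' or a 'catalog_item' alongside 'identity'
    and returns a plain true/false decision for the caller to act on.
    """
    identity = str(event.get("identity", ""))
    if not identity:
        allowed = False
    elif "catalog_item" in event:
        allowed = can_vend(identity, event["catalog_item"])
    else:
        allowed = holds_certification(identity, event.get("certification", ""))
    return {"identity": identity.strip().lower(), "allowed": allowed}
```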
With this approach, you’re empowering your user base to gain the access they require for their project, while also training them to treat that access with respect and understand their responsibilities.
