Addressing FinOps and Security Issues with Automated Cloud Operations

Sponsored by Hitachi Vantara

The complexity of hybrid and multi-cloud environments makes it hard for enterprises to get insights into their cloud spending and security risks. Tools from the providers only go so far, and most only provide data for that provider’s services.

RTInsights recently sat down with Taqi Hasan, Director, Global Services Marketing, Cloud and App Modernization, at Hitachi Vantara to discuss the cost management and security challenges enterprises face today and how FinOps, automation, and Hitachi Vantara services can help bring both cloud spending and security under control.

Here is a summary of our conversation.

RTInsights: Why are cloud costs so hard to quantify and understand in businesses today?

Hitachi Vantara: There are multiple reasons. One is complexity vis-à-vis each of the offerings from the cloud service providers such as Amazon AWS, Microsoft Azure, Google GCP, etc. They all can be complex and dynamic with constantly changing resource usage patterns and pricing models. They frequently keep changing pricing models to compete better with each other. And all cloud offerings have different service options, as well. These factors make it difficult to accurately forecast cloud costs and understand how they’re being incurred.

A second factor is the lack of visibility. Everyone sees the benefit of cloud, and they are rushing to it. Then, they keep adding new services. As such, many businesses struggle to gain complete visibility into their usage and spending because there are different departments in the company getting access to cloud, and they all have different use cases.

They don’t have centralized monitoring tools, and they have difficulty tracking usage across multiple cloud platforms. For example, some of our customers, especially in the financial industry, want to hedge their bets by having their applications and workloads on different clouds. If one cloud goes down, the other one is there. Visibility is often lacking in that scenario.

Another factor is shadow IT. Gartner coined this term when individual departments in an organization are using cloud services without IT knowledge approval. It is a challenge to track and manage these cloud services and expenses. For example, multiple departments or groups could be using the same services. Salesforce is a good example. Sales and marketing could be using it for different purposes. That creates unpredictable demand. Cloud elasticity would allow both groups to quickly scale up or down as demand changes. That makes it a challenge to accurately forecast the cost and predict how much resources are needed at any given time.

Lastly, there are multiple pricing models. Each provider offers a variety of pricing models. These are pay-as-you-go, monthly, one-year subscriptions, three-year subscriptions,  reserved instances, etc. Many businesses don’t understand these pricing models. Selecting the most cost-effective option can be challenging, especially for large enterprises.

RTInsights: How are businesses using FinOps to optimize their cloud costs?

Hitachi Vantara: FinOps is a set of practices and tools that businesses use to optimize their cloud cost. Many companies are using FinOps as part of a cloud cost management framework. This new framework provides a centralized view of the cloud cost and helps make informed decisions about cloud spending.

Hitachi Vantara comes in by helping businesses implement cloud visibility and control. Our tools provide real-time insights into cloud usage that can be used to control spending and cloud cost take out.

Obviously, the cloud providers don’t provide these kinds of tools. They want you to spend more. Our tools allow businesses to find their cost inefficiencies in the cloud instances and then take action to optimize the spending.

We apply automation and use data analytics to identify opportunities for cost optimization. That makes it easier to analyze usage patterns and identify areas where a business can scale down resources or switch to more cost-effective pricing models.

One other aspect of FinOps use is collaboration between teams. Many businesses are using FinOps to promote collaboration in different teams inside the company. It might include finance, IT, product development, product marketing, sales, and more. All these teams can then identify the different aspects of their cloud usage and how they can cut down the costs.

Overall FinOps provides a structured approach to control and lower the cost of cloud services for the enterprise.

RTInsights: How does FinOps specifically help with cost takeout?

Hitachi Vantara: Beyond using FinOps to understand cloud costs, it can also help with cost takeout. By implementing FinOps, businesses get a better understanding of the usage and identifying areas where they can optimize cloud. For example, a business might be using a lot of reserved and spot instances while having underutilized resources.

They get into that situation by adding and expanding cloud services but never decommissioning the services when they stop using them. So, they’re still paying the monthly subscription fee, for example, through AWS. FinOps can help find those underutilized or unused resources, allowing the business to optimize the workloads to curb cost.

Another way FinOps helps is by enabling data-driven decision-making. We do an assessment, then give businesses the tools to provide real-time data and analytics. They can then look at their cloud investments and have access to cost information. That lets them then make smarter decisions about their cloud usage so they can optimize the cost and reduce waste.

Once you discover where you are wasting money and where you’re not using the resources, then you come up with cost governance policies. If you find out there are holes in your cloud strategy, you can create a cost governance framework so that all your cloud spending is now aligned with the company’s overall goals and budget and spending limits. FinOps and our tools can be used to closely monitor usage, enforce policies for resource allocation, and more.

If some department comes up and says, “We need new instances, we need new regions.” You go through these governance policies to approve or deny those requests. That gets back to the collaboration aspect of FinOps. You can use those opportunities to cut costs.

So, with FinOps, you’re basically continuously monitoring and optimizing cloud costs inside the company. Ideally, this information would be used to get the best value from cloud investments and reduce costs over time.

RTInsights: Can we talk about some of the security aspects that Hitachi Vantara and the HARCs address?

Hitachi Vantara: Security has become a top challenge for customers. Cloud security is particularly challenging, especially when people fail to understand that cloud security is a shared responsibility. Some think that once you move everything to the cloud, the cloud provider takes care of it. It’s not true. They only take care of the infrastructure part of it. The customer has to own everything else.

The number one cloud security issue customers face today is security misconfiguration. Because clouds are so agile and elastic, this increases the likelihood of a security misconfiguration. Minor misconfigurations can lead to massive hacks and the leaking of information from data breaches, costing businesses lots of money.

Another issue is the increased cloud attack surface. When everything was on-premises, you had firewalls protecting the enterprise and the data center. But the cloud is public! That means anyone has access to it.

Also, more organizations are adopting a remote/hybrid work model, which started during the pandemic. They are using more SaaS applications (e.g., Salesforce, Microsoft Office 65, or Google Apps) to support this model. The attack surface on these apps is increasing.

The cloud transformation that we’ve seen in the last five years has been huge. It’s been the speed of cloud for some of the transformations. With so much transformation happening in the cloud, new services are being built. Amazon adds multiple services every month to AWS, and customers use the services to increase productivity. They’re built fast. The rate is much faster than what used to happen on-premises when customers used to build their own applications or other services. This increases security vulnerabilities at a fast rate.

Additionally, compliance in the cloud is much more complicated compared to managing compliance for isolated on-premises data centers. In regulated industries like healthcare, financial services, and others, compliance requirements are changing every day, and enterprises have to keep up with them.

RTInsights: Are the skill sets keeping pace?

Hitachi Vantara: No. The collapse of skillsets is contributing to the cloud security challenges business face today.

Cloud-native skillset requires strong infrastructure, security, networking, and application development experience. The DevSecOps approach that we offer in our framework takes a holistic engineer-led approach to optimize all these processes and technologies.

It’s a build-and-operate approach. It basically enables us to build security into the cloud environment as part of the design. We continuously monitor for security and compliance issues. It’s integrated into the software development lifecycle, the SDLC, not as an afterthought but from the design, build, and release stages all the way to production.

So, rather than treat security as an afterthought, we make it an integral part of the cloud environment design process. That mitigates many security issues from the start.

We also do the visibility and security management through our cloud security platform. We have a multi-level defense approach. We call this our 5C approach because we are ensuring the security of the enterprise across cloud, clusters, containers, consumer data, and the code.

RTInsights: Any final thoughts?

Hitachi Vantara: Unlike the traditional data center that only had to protect the perimeter with firewalls, the cloud is layered, and it has a big attack surface. It has no perimeter. Our DevSecOps approach helps protect that environment.

What’s needed to mitigate cloud security challenges is to have good visibility into your environment so that you can identify security gaps and misconfiguration. Then you can manage them through our five C’s approach and do regulatory compliance management, as well. We provide tools for that.

Then finally, there is the automation aspect to all of this. We have the Hitachi cloud acceleration operations platform, which allows you to do this automation and allows customers to automate this integrated approach as a scale-up in our DevSecOps teams.

In that way, DevSecOps teams use their engineering expertise to create these automation bots that constantly are looking for and remediating many of the issues when they come up. Those are the best practices we use to address today’s cloud security threats.