Resource Hierarchy
Define a cloud resource hierarchy structure that facilitates tenant isolation and policy enforcement. Maintain the integrity of this hierarchy to ensure capabilities built atop of it remain effective.
Cloud Tenant Database
A central database provides information about cloud tenants using a unified schema. The database records essential metadata like the responsible owner of the tenant and a cost center for chargeback.
Tenant Provisioning
On-demand provisioning of primitive cloud tenants (e.g. AWS Accounts, Azure Subscriptions etc.).
Self-Service Multi-Cloud Tenant Database
Application teams can register, update and remove tenant metadata in a central multi-cloud tenant database in self service.
Link Cloud Tenants to CMDB/EAM
Maintain a link between cloud tenants and a central CMDB/EAM repository (e.g. IT System identifier, Application Id). Linking cloud tenants to CMDB/EAM systems is a foundational capability that enables use cases like basic chargeback, systematic risk ...
Playground / Sandbox Environments
Application teams can quickly provision cloud environments for experimentation and learning. Playgrounds use relaxed policies (e.g. more cloud services are allowed) but come with time- or spend-limits that are tightly controlled. Expired playgrounds ...
Container Platform Landing Zone
A dedicated landing zone offering a developer-centric experience for building and running container-based applications on a container platform in the cloud.
Lift & Shift Landing Zone
A dedicated landing zone optimized for lift & shift workloads enables quick onboarding and efficient operations.
Cloud-native Landing Zone
A dedicated landing zone optimized for cloud-native workloads enables quick onboarding and efficient operations.
Tenant Deprovisioning / Decommissioning
Establish a process for safely decommissioning and deprovisioning cloud tenants that are no longer needed by application teams.
Multi-cloud tenant database integrated with lifecycle management
A central database of all multi-cloud tenants initiates tenant provisioning and deprovisioning processes. The database acts as an authoritative source of tenants and ensures tenant metadata is always up to date.
Modular Landing Zones
Landing Zones are extendable with optional services. These services have their own lifecycle and can be reconfigured during the lifespan of a tenant. The modular design allows combining services like LEGO® blocks.
Data Science Landing Zone
A landing zone optimized for data science workloads like AI/ML models and self-service data analysis.
Tenant Inventory Reconciliation
The inventory of cloud tenants is automatically reconciled against the tenants actually present in the cloud platforms. This allows organizations to detect "shadow IT" or "dark matter" in the cloud. A process is in place to adopt these existing tenan...
Identity and Access Management Alignment
The cloud foundation team can make decisions about governing identities and access permissions across cloud platforms and landing zones. A process is in place to align decisions with the responsible IAM stakeholders of the organization.
Privileged Access Management
Implement appropriate security controls for privileged access as defined in the Authorization Concept. These must cover access to administrative cloud platform roles (e.g. Global Admins, Global Readers) and shared services (e.g. on-premise connectivi...
Federated Identity and Authentication
Integrate cloud platform IAM systems with the enterprise IAM landscape, including federated authentication.
Identity Lifecycle Management
Identities are consistently governed throughout the entire lifecycle from provisioning to deprovisioning.
Resource Authorization Management
Establish consistent guidelines and guardrails for managing authorization to cloud resources in Landing Zones. Authorization management should consider key principles like segregation of duties, need-to-know and separation of privileged and unprivile...
Service Account Management
Managed provisioning and inventory of Service Accounts including their permission sets. Enables central enforcement of compliance policies for technical users like re-certification, credential strength and credential rotation.
Shared Responsibility Model Alignment
The cloud foundation team can make decisions about the shared responsibility model clarifying responsibilities between application teams, the cloud foundation and cloud providers. A process is in place to align decisions with relevant stakeholders in...
Centralized audit logs
Audit logs from all cloud tenants (API/resource access) are centrally collected and stored.
Service and Location Restrictions
Basic policies on cloud resources restrict access to non-compliant cloud services and cloud regions (geographic locations).
Cloud Tenant Tagging
Cloud tenants are tagged using a consistent tagging strategy to facilitate cloud platform operations.
Resource Configuration Policies
Policies control the configuration of resources to enforce security and compliance standards like preventing public access to object storage buckets.
Incident Management Process
There's a clear owner for every cloud tenant responsible for incident management. Incidents are automatically routed to these owners.
Guided Cloud Onboarding
Application teams are guided through the organizational (e.g. budget) and regulatory (e.g. compliance) cloud onboarding duties.
Cloud Resource Tagging
Cloud resources are tagged using a consistent tagging strategy to facilitate security and compliance processes for cloud workloads.
Resource Configuration Scanning
Scan cloud resource configurations against a catalog of configuration policies for potential security risks and compliance violations.
SOC Integration
Virtual machines are integrated into a central Security Operations Center (SOC) solution like tenable.io or Qualys. The cloud inventory of existing machines is reconciled against the SOC to ensure completeness.
Centralized workload and infrastructure logs
Audit logs from cloud workloads and infrastructure (e.g. network flow logs) are centrally collected and stored.
Multi-Cloud Tagging Policy
Define and enforce consistent tagging of cloud tenants and resources across multiple cloud platforms.
Control Access to Landing Zones
Implement automated policies to steer application teams to appropriate cloud platforms and landing zones based on metadata about the application team.
Cloud SIEM
Audit logs for cloud tenants and cloud workloads are systematically analyzed for anomalies.
Certified ISMS Compliance
Landing zones and their operation by the cloud foundation team are certified according to an information security management system standard like ISO 27001 or C5.
Private Cloud pay-per-use chargeback
Resource consumption on multi-tenant private cloud platforms such as OpenStack, Cloud Foundry or OpenShift is billed according to a pay-per-use pricing model.
Monthly cloud tenant billing report
Application teams can view a monthly cloud tenant billing report listing all incurred charges for cloud resource consumption.
Chargeback via consumption cost allocation
Application teams are transparently charged for the resource consumption as it is charged from the cloud provider.
Monthly Cloud Project Billing Report
Application teams can view a monthly billing report listing all incurred charges aggregated across all cloud platforms and cloud services making up their application.
Pay-per-Use for internal Services
Enable usage based chargeback for internal, managed IT services offered via the cloud foundation. Application teams can book services from a single marketplace and get a single "invoice" for chargeback.
Quota Management
Quotas are a simple mechanism for protecting cloud foundations and application teams against unforeseen spikes in usage/spend.
Global Cost Optimization via Reservations
Cloud providers offer different programs offering lower pay-per-use rates in exchange for making spend or resource reservation commitments (e.g. reserved instances). Centrally plan resource demand to take advantage of cost optimization opportunities ...
Chargeback at full cost allocation
Application teams are transparently charged for resource consumption in their cloud tenant as well as for any shared overhead cost incurred by the cloud foundation team for providing its services.
Billing Alerts
Set up expected monthly or daily spend alerts on cloud tenants to detect accidental cost overruns early.
Budget Approval Process
Budgets are approved by controllers or other people with budget responsibility.
Billing to different legal entities
Support billing cloud workloads to different legal entities of an enterprise for compliance or organizational reasons.
Monthly Cloud Project Carbon Footprint Report
Application teams can view a monthly report listing the consumption-based carbon footprint caused by their cloud usage. This enables sustainability reporting and gives teams feedback towards achieving sustainability goals.
Consumption based pay-per-use for internal Services
Enable fine-grained pay-per-use options for managed services offered on the cloud foundation, e.g. pay per API request, per GB/h stored etc.
Individual Project Cost Optimization via Reservations
Enable application teams to take advantage of cloud provider cost optimization opportunities available on individual cloud tenants like instance reservations. The chargeback process considers any resulting pre-payments and benefits out of these reser...
Individual Service Provisioning
Cloud foundation teams can offer individual services and customizations through a standardized process.
Foundation Service Platform
Offer cloud infrastructure services managed by the cloud foundation team from a self-service platform.
Managed DNS Services
Application teams can manage DNS Zones and Records for their cloud workloads in self-service.
Shared container registry
A central repository provides hardened container images.
Virtual Network Service
A virtual network service provides a pre-configured virtual network. It is a pre-requisite for higher-level services built on virtual networks.
Shared VM Image Repository
A central repository provides hardened virtual machine images.
Internal Service Marketplace
Teams offer services to other teams and make them accessible on a marketplace that is integrated with 💵 Cost Management and 🔐 IAM.
Virtual Machine Service
Provides VMs as a service for lift & shift and cloud newcomers.
Managed SSL Certificates
Application teams can request and renew SSL certificates for their cloud workloads in self-service.
3rd party PaaS Service Integration
Application teams can leverage third-party PaaS providers for managed services like DBaaS, observability platforms or analytics. Teams can manage service-lifecycle and IAM in self-service and are transparently charged for all consumption cost incurre...
Managed Key Vault
Managed key management services that allow application teams to securely store and retrieve credentials in the cloud. The key management service configuration is aligned with the organization's policies for cryptography and secret management.
On-Premise Network Connection
Provides managed IP (L3) connectivity to on-premises networks. This is commonly implemented using hub-and-spoke network architectures and a combination of VPNs or private network peerings.
Managed bastion hosts
Application teams can use a managed service to access resources on private cloud networks using managed bastion hosts or gateway services. These gateways are hardened and centrally audited.
Managed DevOps Toolchain
Application teams can use DevOps tools that are integrated with the cloud tenants used by the team. Any required service account or automation user credentials are automatically maintained and rotated.
Crowdfunding Campaigns
Crowdfunding campaigns enable your application teams to fund the development of services they would like to see in the internal marketplace.
Managed Cloud Provider Support Contracts
Application teams can enroll their tenants in support contracts and/or enterprise support agreements from cloud providers. Teams can access support in self-service and are transparently charged for support fees incurred.
Kubernetes Cluster as a Service
Provides Kubernetes Clusters as a Service. These are deployed as workloads into the customer's cloud tenants.
Managed Data Lake access
Application teams can get managed access to central data warehouses and data lakes to combine this data with processing and infrastructure in their own cloud tenants.
In-house PaaS Service Integration
In-house teams provide PaaS services for commonly needed infrastructure services like DBaaS, observability platforms or analytics. Teams can manage service-lifecycle and IAM in self-service and are transparently charged for all consumption cost incur...
API Gateway to on-premises APIs
Provide managed API (L7) connectivity to APIs running in on-premises environments.
Managed Internet Egress
Application teams can connect cloud tenants to internet egress using managed infrastructure that ensures compliance and cost efficiency (network separation, proxies etc.).
Tenant to Tenant Transit Networks
Provides managed connectivity between cloud tenants on the same cloud platform via centrally managed transit networks.
Cloud to Cloud interconnects
Provides managed connectivity between cloud tenants on different cloud platforms via centrally managed transit networks.
Support Process
The ability to communicate efficiently with the Cloud Foundation, ensuring a smooth operational model for both support requests and announcements.
Internal Wiki
A centralized knowledge hub that serves as the cornerstone of the Cloud Foundation's digital knowledge base.
Consultation Services
The ability to provide consultation services to customers, helping them deploy projects efficiently and economically while adhering to best practices.
Community Hub
Create a central place for the community to interact and be involved in the Cloud Foundation beyond mere support requests.
Quickstart Guide
The capacity to present the Cloud Foundation in a digestible format, so potential clients and customers can easily learn about the offering.
Free Credits and Sandboxes
Facilitate and encourage learning cloud skills through exploration and experimentation by offering free credits and sandboxes to application teams.
Cloud Partnerships
The capability to foster beneficial engagement with the existing cloud service providers, enriching ongoing initiatives and furthering knowledge and success within the community.
Community Advocacy
Successful creation of a distinguished community identity and engagement of community advocates: subject matter experts and trusted resources within the community space who further assist with active participation and involvement in building...
Training & Certifications
Provide on-demand learning resources and platforms for customers and users of the Cloud Foundation, supporting self-service and continuous learning principles, while also offering avenues to certifications and other beneficial pathways.
External Visibility
Gaining external traction by expanding the visibility and knowledge of the Cloud Foundation and its community to the public sector, as well as increasing the ability to absorb and be exposed to new wisdom.
Gamification
Gamification of the existing Community to further incentivize participation, internal support, as well as motivate long-term participation in the space.
Live Events & Labs
Conduct live events and labs that offer unique opportunities to examine particular services and practices under a focused lens and learn more about them in an interactive fashion.
Cloud Culture Leader
The Cloud Foundation has become a leader in the space around cloud culture and community, and successfully leads and collaborates with others to pioneer further in the ever-growing landscape of community enablement.