
From "Roughcast House" to "Fine-Decoration House" – Enterprise IT Governance Solutions for On-Cloud Management and Governance

This article discusses how the Alibaba Cloud Open Platform Team helps enterprises innovate on, manage, and make good use of the cloud with Cloud-Native capabilities.


By Alibaba Cloud Open Platform

The Challenges of Enterprises' Migration to the Cloud

With the rapid development of cloud technology in recent years, the concept of Cloud-Native has become widely understood and accepted, and more enterprises are migrating to the cloud to drive digital transformation. Whether they are moving traditional applications to the cloud or building new products and businesses on Cloud-Native technology, enterprises hope to use cloud technology to innovate flexibly and at low cost, and to get the most value out of cloud migration.

However, as cloud adoption grows, so do the number and scale of business lines and resource types, and enterprises run into new problems:

  • How can we ensure identity security on the cloud?
  • How can we isolate resources and permissions for multiple projects?
  • How can we ensure network isolation and security among different businesses?
  • How can we allocate spending on the cloud to different business teams?

These problems can affect the stability and development speed of the business, create security risks, and even threaten the enterprise's survival. Therefore, before migrating to the cloud, in addition to adapting business applications to the cloud environment, enterprises need to plan and create a secure, controllable, and compliant "Landing Zone" for each business being migrated. Within that Landing Zone, business developers can focus on their own business and iterate and innovate quickly on cloud capabilities, balancing efficiency and controllability to get the maximum value from cloud migration.

The key to this part of the work lies in building out the enterprise's IT governance infrastructure.

Overview of Enterprise IT Governance

Enterprise IT Governance is the set of strategies, principles, and implementation processes that guide enterprise IT planning and operation, and that allow IT staff to control business risk at the IT level. It also ensures the efficient and stable operation of the enterprise's business. A complete set of on-cloud Enterprise IT Governance infrastructure has the following characteristics:

  • Unified Framework: Enterprises need to plan a unified IT governance architecture and apply the relevant standards to each specific business for its management and governance.
  • Up-to-Date Compliance: In the early stage of cloud migration, the enterprise's IT governance requirements must be met. In later stages, compliance should be maintained automatically so that existing businesses can keep iterating and new businesses can grow quickly.
  • Separate Management: Once the IT governance architecture is established, business teams can carry out their own O&M while the IT O&M team maintains the IT infrastructure, which reduces the load on the IT O&M team.

To maximize the value of cloud migration, what enterprises need is not so much to spend a lot of effort learning on-cloud capabilities; more importantly, they need to carry out unified planning and implementation at an early stage. In this way, instead of being left with a bare "roughcast house," the business gets a secure and controllable Landing Zone on the cloud. In recent years, many Alibaba Cloud enterprise customers have been troubled by these problems and have turned to Alibaba Cloud for best practices. To help these enterprises get onto Alibaba Cloud quickly, the Alibaba Cloud Open Platform Team summarized best practices based on the IT governance capabilities and pain points seen across many enterprises' cloud migrations. The team released the Enterprise IT Governance solution, three sets of concrete implementation plans for enterprises of different sizes, and automated tools for quick implementation. Now, let's take medium- and large-sized enterprises and multinationals as examples to learn the design concept of the Enterprise IT Governance solution.

The Design Concept of the Enterprise IT Governance Solution

This solution serves as a model for enterprise users to build a cross-account enterprise IT governance system on Alibaba Cloud. The framework covers the following aspects:


  • Enterprises' On-Cloud Resource Structure: The first step of cloud migration is to build the on-cloud resource structure across multiple accounts. On this foundation, enterprises can carry out effective permission control, compliance audits, network planning, and financial management. Using the resource organization methods that Alibaba Cloud provides, enterprises can easily build an on-cloud resource architecture and replicate it for each business line. Resources then form a clear "tree," which lays the foundation for governance in the other areas.
  • Identity Integration: Enterprises usually have their own identity management system, and it is essential that they log on to Alibaba Cloud through it. The Role-Based Single Sign-On (SSO) of Alibaba Cloud maps employee identities or user groups to Alibaba Cloud roles with specific permissions, which simplifies organizational management. In addition to identity management, enterprises also need to assign different permission policies to different roles so that each role holds only the minimum permissions it needs. This solution provides a set of best-practice preset roles and permission policies, as well as SSO automation tools, to help enterprises complete SSO configuration quickly.
  • IT Compliance and Audit: IT compliance and audit is the key to achieving both "efficiency" and "controllability" in enterprise IT governance. It has also become one of the core requirements of enterprise IT governance, particularly since classified protection compliance (MLPS) became a mandatory requirement for enterprises migrating to the cloud.

Within this aspect, compliance and audit can be implemented in three ways:

  • Preventive Management: Forbid non-compliant operations outright, such as changing the solution's baseline configuration, connecting to the public network, or creating unencrypted disks, so that the corporate compliance principles cannot be violated in the first place.
  • Detective Management: For compliance principles that are recommendations rather than hard rules, enterprises can set detective rules instead of preventive controls and continuously monitor resources. When a non-compliant resource is discovered, the solution sends an alert, and the resource can be recorded and remediated automatically.
  • Long-Term Storage of Audit Logs: Logs of on-cloud operations, resource changes, and network traffic are retained for a long time so that they are available for audits and investigations.

The remaining aspects of the framework are:

  • Fees and Costs: Cost analysis is a basic demand of enterprises migrating to the cloud; being able to calculate spending and make costs predictable is a prerequisite for confidence in the cloud. The larger the enterprise, the more attention must be paid to the budget and spending of each business and department. Depending on the type of enterprise, there are two cost allocation modes, Showback and Chargeback, and depending on how the on-cloud resource structure is planned, there are several common allocation methods, such as account-based and tag-based cost allocation.
  • Network Planning, Security Protection, and Monitoring: Network architecture is crucial for an enterprise, since it affects business operation, application calls, business expansion, and information security. This part mainly covers enterprise IP address planning, network connectivity, and access control. The focus is on planning which security domains of the enterprise network may be interconnected, which services may access or be accessed from the Internet, and how east-west and north-south traffic is controlled to protect information. In addition, enterprises need to set unified monitoring and alerting rules for the relevant network and business resources so that problems are detected and resolved before they affect the business.
  • New Account Baseline: When an enterprise starts a new business in a new account, that account also has to meet the enterprise's IT governance principles. The design principles above therefore need to be applied to every new account: identity integration, initializing the network architecture, configuring security protection, and setting up monitoring and alerting. At the same time, enterprises should lock the account's compliance baseline with preventive controls so that misoperations cannot push the account out of compliance and expose the enterprise to risk.
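As an added example (this is not code from the article or from Alibaba Cloud's Landing Zone tooling), the following Python script shows how the preventive, detective, and audit controls above fit together in one small compliance engine, and ties in the tag-based cost allocation point: a preventive rule denies a request before it executes, a detective rule scans the existing inventory and flags drift, and every decision lands in an append-only audit record. The action and parameter names (ecs:CreateDisk with Encrypted, ecs:RunInstances with InternetMaxBandwidthOut) follow ECS API naming, but the rule names, the CostCenter tag, and the sample inventory are constructed for illustration.

```python
# Added example: a minimal compliance engine with preventive rules, detective
# rules and an audit record. Not Alibaba Cloud code; the inventory, rule names
# and the CostCenter tag are constructed for illustration.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Request:          # a change about to be made, as a preventive hook sees it
    account: str
    action: str         # RAM-style action name, e.g. "ecs:CreateDisk"
    params: Dict[str, object]


@dataclass
class Resource:         # an existing resource, as a detective scan sees it
    account: str
    kind: str
    rid: str
    attrs: Dict[str, object]


@dataclass
class Finding:
    rule: str
    account: str
    rid: str
    detail: str


# Preventive rules return a deny reason, or None to allow the request.
def deny_unencrypted_disk(req: Request) -> Optional[str]:
    if req.action == "ecs:CreateDisk" and not req.params.get("Encrypted", False):
        return "disks must be created with Encrypted=true"
    return None


def deny_public_ip_on_create(req: Request) -> Optional[str]:
    # A non-zero InternetMaxBandwidthOut allocates a public IP at creation time.
    if req.action == "ecs:RunInstances" and int(req.params.get("InternetMaxBandwidthOut", 0)) > 0:
        return "instances must not get a public IP; reach them through NAT or SLB"
    return None


PREVENTIVE: List[Callable[[Request], Optional[str]]] = [deny_unencrypted_disk, deny_public_ip_on_create]


# Detective rules return a Finding for a non-compliant resource, else None.
def detect_unencrypted_disk(r: Resource) -> Optional[Finding]:
    if r.kind == "disk" and not r.attrs.get("encrypted", False):
        return Finding("disk-encrypted", r.account, r.rid, "disk is not encrypted")
    return None


def detect_public_ip(r: Resource) -> Optional[Finding]:
    if r.kind == "instance" and r.attrs.get("public_ip"):
        return Finding("no-public-ip", r.account, r.rid, f"exposed on {r.attrs['public_ip']}")
    return None


def detect_missing_cost_tag(r: Resource) -> Optional[Finding]:
    # Tag-based cost allocation only works if every resource carries the tag.
    if "CostCenter" not in r.attrs.get("tags", {}):
        return Finding("cost-tag-present", r.account, r.rid, "missing CostCenter tag")
    return None


DETECTIVE: List[Callable[[Resource], Optional[Finding]]] = [
    detect_unencrypted_disk, detect_public_ip, detect_missing_cost_tag]


class ComplianceEngine:
    def __init__(self) -> None:
        self.audit: List[dict] = []  # append-only record of every decision

    def authorize(self, req: Request) -> bool:
        """Preventive path: the first matching deny rule blocks the request."""
        for rule in PREVENTIVE:
            reason = rule(req)
            if reason is not None:
                self.audit.append({"event": "denied", "account": req.account,
                                   "action": req.action, "rule": rule.__name__, "reason": reason})
                return False
        self.audit.append({"event": "allowed", "account": req.account, "action": req.action})
        return True

    def scan(self, inventory: List[Resource]) -> List[Finding]:
        """Detective path: run every rule over every existing resource."""
        findings = [f for r in inventory for rule in DETECTIVE if (f := rule(r))]
        for f in findings:
            self.audit.append({"event": "finding", "account": f.account,
                               "resource": f.rid, "rule": f.rule, "detail": f.detail})
        return findings


# Constructed sample inventory: one compliant disk, one unencrypted disk, and
# an instance that is both Internet-exposed and untagged.
SAMPLE_INVENTORY = [
    Resource("prod-1", "disk", "d-aaa", {"encrypted": True, "tags": {"CostCenter": "payments"}}),
    Resource("prod-1", "disk", "d-bbb", {"encrypted": False, "tags": {"CostCenter": "payments"}}),
    Resource("dev-2", "instance", "i-ccc", {"public_ip": "203.0.113.10", "tags": {}}),
]


def demo() -> dict:
    engine = ComplianceEngine()
    allowed = engine.authorize(Request("prod-1", "ecs:CreateDisk", {"Encrypted": True, "Size": 100}))
    denied = engine.authorize(Request("dev-2", "ecs:RunInstances", {"InternetMaxBandwidthOut": 5}))
    findings = engine.scan(SAMPLE_INVENTORY)
    return {"allowed": allowed, "denied": denied,
            "findings": sorted(f"{f.rid}:{f.rule}" for f in findings),
            "audit_events": len(engine.audit)}


if __name__ == "__main__":
    print(demo())
```

The split matters in practice: the preventive rules belong in whatever path executes changes (a pipeline gate or a deny policy on the account), while the detective rules run on a schedule against the real inventory, because drift also arrives through paths the preventive hook never sees.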

Solution Implementation

With the design concept in place, the next step is to build and implement the infrastructure according to the enterprise's characteristics and stage of development, helping it turn the "roughcast house" into a "fine-decoration house" quickly. In practice, no single implementation can perfectly match every enterprise's demands, so enterprises must customize and combine the solutions based on their own demands and design principles. The three representative solutions mentioned above are Alibaba Cloud's recommended solutions for start-ups, medium- and large-sized enterprises, and multinationals respectively. For more information, visit the Alibaba Cloud Open Platform website. For start-ups, the operation steps and automatically generated code can be obtained from the official website to implement the solution directly. Other enterprises should contact their Alibaba Cloud sales representative or service manager.

During implementation, the ideal state is full automation. Based on the concept of Infrastructure as Code (IaC) and tools such as Terraform, the Alibaba Cloud Open Platform provides automated deployment scripts and code, published openly on the Aliyun Landing Zone GitHub, to help you deploy a solution quickly or integrate it into your internal automation pipeline.


With the arrival of the Cloud-Native era, enterprises will face more new challenges on the cloud. The Alibaba Cloud Open Platform Team will continue to optimize products and solutions, accumulate additional best practices, and help enterprises manage and make good use of the cloud, allowing enterprises to innovate more quickly based on Cloud-Native capabilities.

If you encounter any problems or have any suggestions when migrating to the cloud, please feel free to contact us. You are also welcome to follow our team's latest developments and learn the latest best practices for cloud migration.
