Tenant Mgmt.Manage provisioning, configuration and lifecycle of cloud environments (e.g. AWS Accounts).Learn More
Multi-Cloud Tenant Database
A central database provides information about tenants in different clouds using a unified information schema. Tenants can be registered in this database via an API or are stored there by combining different tenant lists/exports into a common database...
Definition of a cloud resource hierarchy that facilitates tenant isolation and policy enforcement. Cloud tenants are deliberately placed in this resource hierarchy when tenants are provisioned.
Cloud Tenant Database
Maintenance of a database of cloud tenants and associated metadata like responsible owners and chargeback information like cost center.
On-demand provisioning of primitive cloud tenants (e.g. AWS Accounts, Azure Subscriptions etc.).
Tenant Deprovisioning / Decommissioning
Process for decommissioning and deprovisioning cloud tenants that are no longer needed.
Playground / Sandbox Environments
DevOps Teams can quickly provision cloud environments for experimentation and learning, thereby accelerating an organization's cloud journey. Playgrounds use relaxed policies (e.g. more cloud services are allowed) but come with time- or spend-limits ...
Monolithic Landing Zone
Landing Zones includes a common set of core resources like virtual networks. These resources are managed with the same life-cycle as the underlying cloud tenant.
Self-Service Multi-Cloud Tenant Database
Owners of cloud tenants can register, update and remove tenant metadata in a central multi-cloud tenant database in self service.
Link Cloud Tenants to CMDB/EAM
Maintain a link between cloud tenants and a central CMDB/EAM repository (e.g. IT System identifier, Application Id). Linking cloud tenants to CMDB/EAM systems is a foundational capability that enables use cases like basic chargeback, systematic risk ...
Multi-cloud tenant database integrated with lifecycle management
A central database of all multi-cloud tenants initiates tenant provisioning and deprovisioning processes. The database acts as an authoritative source of tenants and ensures tenant metadata is always up to date.
Modular Landing Zones
Landing Zones are extendable with with services. These services have their own lifecycle and can be reconfigured during the lifespan of a tenant. The modular design allows combining services like LEGO® blocks.
IAMProvide Identity and Access management capabilities for all available cloud platforms and services.Learn More
Identity and Access Management Concept
Multi-Cloud IAM architecture concept based on federated identities and authentication.
Federated Identity and Authentication
Integration Cloud Platform IAM systems with Enterprise IAM landscape incl. federated authentication.
Define a multi-cloud authorization concept that platforms can implement independently and according to the cloud platform's native authorization capabilities. The authorization concept should consider key principles like segregation of duties, need-t...
Privileged Access Management
Implement appropriate security controls for privileged access as defined in the Authorization Concept. These must cover access to administrative cloud platform roles (e.g. Global Admins, Global Readers) and shared services (e.g. on-premise connectivi...
Identity Lifecycle Management
Identities are consistently governed across throughout the entire lifecycle from provisioning to deprovisioning.
ComplianceProvide capabilities for governing workloads and enforcing security guidelines across all available cloud platforms and services.Learn More
Shared Responsibility Model
A shared responsibility model describes the services provided by the cloud foundation and how it interacts with the cloud provider's shared responsibility model.
Resource Policies - Blacklisting
Basic policies on cloud resources enforce Blacklisting of forbidden services, regions.
Centralized audit logs
Audit logs from all cloud tenants (API/resource access) are centrally collected and stored.
Cloud Tenant Tagging
Cloud tenants are tagged using a consistent tagging strategy to facilitate cloud platform operations.
Automated Security Scanning
Cloud workloads are automatically scanned for security/compliance violations (e.g. Azure Security Center, Forseti, AWS Guard Duty). This is about cloud resource configuration (e.g. VPC ACLs), not about workload configuration (e.g. software firewall)
Cloud Resource Tagging
Cloud resources are tagged using a consistent tagging strategy to facilitate security and compliance processes for cloud workloads.
Virtual machines are integrated into a central Security Operations Center (SOC) solution like tenable.io or Qualys. The cloud inventory of existing machines is reconciled against the SOC to ensure completeness.
Incident Management Process
There's a clear owner for every cloud tenant responsible for incident management. Incidents are automatically routed to these owners.
Centralized workload and infrastructure logs
Audit logs from cloud workloads and infrastructure (e.g. network flow logs) are centrally collected and stored.
Guided Cloud Onboarding
Teams are guided through the organizational (e.g. budget) and regulatory (e.g. compliance) cloud onboarding duties.
Multi-Cloud Tagging Policy
Define and enforce a consistent tagging of cloud tenants and resource across multiple cloud platforms.
Control access to cloud platforms and Landing Zones
Implement automated policies to steer cloud consumers to appropriate cloud platforms and landing zones based on metadata about the cloud consumer.
Cost Mgmt.Provide cost management and chargeback capabilities for all available cloud platforms and services.Learn More
Private Cloud pay-per-use chargeback
Resource consumption on multi-tenant private cloud platforms such as OpenStack, Cloud Foundry or OpenShift is billed according to a pay-per-use pricing model.
Monthly cloud tenant billing report
Tenant owners can view a monthly cloud tenant billing report listing all incurred charges for cloud resource consumption.
Chargeback via consumption cost allocation
Cloud tenant owners are transparently charged for the resource consumption as it is charged from the cloud provider.
Monthly Cloud Project Billing Report
Project owners can view a monthly billing report listing all incurred charges aggregated across all cloud platforms and services used in a project.
Global Cost Optimization via Reservations
Cloud providers offer different programs offering lower pay-per-use rates in exchange for making spend or resource reservation commitments (e.g. reserved instances). Centrally plan resource demand to take advantage of cost optimization opportunities ...
Pay-per-Use for internal Services
Enable usage based chargeback for internal, managed IT services offered via the cloud foundation (see Landing Zone building Blocks). Consumers can book services from a single marketplace and get a single "invoice" for chargeback.
Chargeback at full cost allocation
Cloud tenant owners are transparently charged for resource consumption in their cloud tenant as well as for any shared overhead cost incurred by the cloud foundation team for providing its services.
Billing to different legal entities
Support billing cloud workloads to different legal entities of an enterprise. This may manifest e.g. as different billing accounts (GCP), enterprise agreement (Azure) or Payer Accounts (AWS).
Individual Project Cost Optimization via Reservations
Enable cloud customers within your organisation to take advantage of cloud provider cost optimisation opportunities available on individual cloud tenants like instance reservations. The chargeback process considers any resulting pre-payments and bene...
Monthly Cloud Project Carbon Footprint Report
Project owners can view a monthly report listing the consumption-based carbon footprint caused by their project’s cloud usage. This enables sustainability reporting and gives teams feedback towards achieving sustainability goals.
Service EcosystemProvide managed services that help teams build and operate application on the cloud faster and more efficiently (e.g. on-prem connectivity).Learn More
Internal Service Marketplace
Teams offer services to other teams and make them accessible on a marketplace that is integrated with 💵 Cost Management and 🔐 IAM .
Virtual Network Service
A virtual network service provides a pre-configured virtual network. It is a pre-requisite for higher-level services built on virtual networks.
3rd party PaaS Service Integration
Teams can leverage third-party PaaS providers for managed services like DBaaS, observability platforms or analytics. Teams can manage service-lifecycle and IAM in self-service and are transparently charged for all consumption cost incurred.
Managed Key Vault
Managed key management services that allow applications to securely store and retrieve credentials in the cloud. The key management service configuration is aligned with the organization's policies for cryptography and secret management.
On-Premise Network Connection
Provides managed IP (L3) connectivity to on-premises networks. This is commonly implemented using hub&spoke network architectures and a combination of VPNs or private network peerings.
Managed bastion hosts
Teams can use a managed service to access resources on private cloud networks using managed bastion hosts or gateway services. These gateways are hardened and centrally audited.
Managed DevOps Toolchain
Teams can use a DevOps tools that are integrated with the cloud tenants used by the team. Any required service account or automation user credentials are automatically maintained and rotated.
Kubernetes Cluster as a Service
Provides Kubernetes Clusters as a Service. These are deployed as workloads into the customer's cloud tenants.
Managed Data Lake access
Teams can get managed access to central data warehouses and data lakes to combine this data with processing and infrastructure in their own cloud tenants. Common usage scenarios are "analyst workbenches" for cloud-native DL/DW tools like BigQuery tha...
In-house PaaS Service Integration
In-house teams provide PaaS services for commonly needed infrastructure services like DBaaS, observability platforms or analytics. Teams can manage service-lifecycle and IAM in self-service and are transparently charged for all consumption cost incur...
API Gateway to on-premises APIs
Provide managed API (L7) connectivity to APIs running in on-premise environments.
Managed Cloud Provider Support Contracts
Cloud tenant owners can enroll their tenants in support contracts and/or enterprise support agreements from cloud providers. Owners can access support in self-service and are transparently charged for support fees incurred.
Managed Internet Egress
Cloud tenants can connect to internet egress using managed infrastructure that ensures compliance and cost efficiency (network separation, proxies etc.).
Tenant to Tenant Transit Networks
Provides managed connectivity between cloud tenants on the same cloud platform via centrally managed transit networks.