Last updated on February 5th, 2024 at 10:30am
Ensure you have a strong cloud operations foundation before you undergo a major change with your integrator, reseller partner, or MSP.
Many organizations rely on a third-party partner to help them manage their cloud environment. Systems integrators (SIs), value-added resellers, solution providers, and managed service providers (MSPs) offer expertise to help build, manage, and optimize cloud environments. As cloud maturity increases and business needs change, it’s likely that these organizations will make a change in their third-party partner at some point.
With a strong cloud operations foundation, you can avoid interruptions during such a management transition. Especially in the public sector, where integrator change is often a regular occurrence, the timeline for offboarding and onboarding can stretch to months. How will you operate – or not – during this transition? For all the talk about how teams are courageously ‘changing the wheels on the car while it’s moving’, this shouldn’t be the objective.
We’ve seen both easy and difficult transitions as we support customers. In this article, we’ll share some of the foundational concepts that will facilitate easy onboarding and offboarding of your third-party service provider partners, and highlight features of Kion that help you weather a transition while allowing business operations to continue as planned.
Building a Cloud Operations Foundation
To prepare for a change in the third-party managing your cloud, it's essential to establish a strong cloud operations foundation. With some proactive planning and a strong foundation, you won’t encounter delays in getting team members access to get their work done.
What is a strong cloud operations foundation? For most organizations, this is a combination of their governance model, internal processes, and cloud management automation. Bundled together, organizations have a consistent way to govern and manage their cloud environment. Ideally, this environment will span multiple accounts (a recommended best practice to limit the blast radius of a single account) and may include multiple clouds (to allow your team to use the best cloud solution for the task).
To help prepare for change in the management of your cloud environment, here are a few foundational best practices to adopt:
- Use a multi-account structure. The best practice today is to use a multi-account approach in your cloud estate instead of a single monolith account. Whether you only use cloud provider tools (such as AWS Organizations, Azure Management Groups, or Google Cloud Projects), or a solution such as Kion, build your foundation on a multi-account structure for consolidated billing, deeper insights into spend, and simplified account management.
- Keep access to your accounts at all times. Ensure your accounts are provisioned under an email address that your organization owns (i.e., your root account shouldn’t be @reseller.com on your AWS accounts but, rather, should be @mycompany.com). Since you can’t change email addresses on AWS accounts, you want to ensure that the root emails are part of an email domain owned by your company.
- Pick a reseller that allows you to access and administer your own management account. As AWS continues to release more features at the Organizations level, not having access or permissions to view information rollups, manage your own AWS organization, or take advantage of these features will add complexity and challenges to your cloud management over time.
- Establish and maintain access to CSP billing data. Ensure you have visibility to your cloud provider’s billing data (such as access to AWS Cost Explorer). While you may elect to transfer billing ownership, your ability to see costs – and identify opportunities to optimize spend – is critical. No one outside of your team has the same degree of motivation to monitor and optimize spend.
Bottom line, having a consistent way to manage and govern your cloud – that persists through partner changes – helps you maintain the return on investment (ROI) of your cloud operations without disruptions.
How Kion Can Help During a Partner Transition
Here are three Kion features that are particularly helpful as you transition between SIs, MSPs, or resellers:
- As accounts will leave and join a new organization, using Kion for service control policy (SCP) management ensures that the SCPs are never lifted from the accounts. Kion applies the existing SCPs into the new Organization as soon as the change in Management Account is made in Kion.
Result: No gaps in guardrails and policies during transition. - Kion has a placeholder value in policies for {{CT::AWSOrganizationId}} so, as the Org ID changes, Kion can easily ensure the policies attached to roles have the correct Organization in place.
Result: No broken policies as accounts move from one org to another. - Kion’s compliance engine can easily find and remove unused IAM roles or trust policies referencing the old Management Account that, if not removed, would allow the previous reseller to gain access to the accounts. Kion can also update trust policies to automatically trust the new reseller, if desired.
Result: No inadvertent access to environment by prior partner.
By laying a solid foundation for cloud operations, you can navigate transitions smoothly and ensure the continuity of your cloud environment. Kion can help you during these transitions by providing a consistent foundation for identity, financial management, and compliance in the cloud. No matter who is operating your cloud, Kion delivers a single solution for cloud governance and management.
