admin_bill_of_rights.md

File metadata and controls

96 lines (48 loc) · 5.21 KB

THE Administrator Bill of Rights

Authors: cyrush@google.com, rayc@google.com 10 May 2017

Shortlink: https://goo.gl/yQCxE8

As a platform, service, or software provider, we:

Empower the world’s administrators to manage their organizations’ cloud resources at scale.

Therefore, we hold the following truths to be self-evident.

Administrators have the right to:

  1. Centrally administer their organizations’ cloud resources.

  2. Audit all accesses and understand all policy grants for their organizations’ cloud resources.

  3. Delete their organizations’ cloud resources.

  4. Compartmentalize their organizations’ cloud resources.

  5. Delegate administration of a compartment of an organization’s cloud resources to another administrator.

  6. Act autonomously within the organization or a compartment within an organization that they administer.

  7. Constrain the behavior of users and resources within their organization.

  8. Make exceptions to rules governing an organization’s cloud resources.

  9. Evolve their organization structure through growth, mergers and divestitures.

  10. Exercise the above rights in hybrid and multi-cloud deployments without compromising their ability to manage their organizations’ cloud resources.

  11. Accountability of administrators’ actions. - TBD(ckemper,rayc): fill out.

Central Administration

Above all, administrators must have the ability to view and manage their resources in a central location. This becomes the choke point for organization-wide policies and auditing of an organization's use of cloud.

Key technologies: ...

Auditability

Administrators need to be able to audit their system to ensure that their organization's resources are in compliance with the security policies they have put in place. Specifically, administrators need to know who accessed what, who has access to what, what policies apply to resources, and what policies apply to users. They need to be able to understand their policies and know what effects a change might have.

Key technologies: …

Deletion

Administrators should be able to delete all of the resources within their organization with a single operation, if so desired. Resources can be marked as sensitive to warn against deletion, but this should not prevent an administrator from deleting a resource.

Compartmentalization

As the number of resources under their administration increases, administrators need the ability to compartmentalize resources for the purpose of providing common administration for a group of resources.

A compartment is a collection of resources within an organization or another compartment that have common policies and lifecycle. In Google Cloud Platform, there are three different compartments -- Projects, Folders and Organizations -- which form a hierarchy. This is a key feature to enable administrators to cope with the scale of cloud.

Key technologies: ...

Delegated Administration

As the number and complexity of compartments increases, administrators need the ability to delegate the administration of one or more compartments to another administrator. They also need the ability to delegate a subset of administrative functions to another administrator. This is another key feature for coping with the scale of cloud.
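The compartment hierarchy and delegation described in the two sections above, as an added toy model (not Google Cloud's IAM implementation or any code from this document): policies bound on an Organization or Folder are inherited by everything beneath it, an admin role bound at a compartment delegates administration of that subtree only, and the two audit views answer "who has access to this compartment" and "what does this principal reach". Compartment, role and principal names are constructed for the example.

```python
"""Toy model of hierarchical compartments (organization > folder > project),
policy inheritance, scoped delegation and the audit views the charter asks for.
Constructed example; role names and principals are placeholders."""
from dataclasses import dataclass, field

# Assumed admin role per compartment kind (constructed, not real IAM role names).
ADMIN_ROLES = {"organization": "org.admin", "folder": "folder.admin", "project": "project.admin"}

@dataclass
class Compartment:
    name: str
    kind: str                                 # "organization", "folder" or "project"
    parent: "Compartment | None" = None
    bindings: dict = field(default_factory=dict)   # role -> set of principals
    children: list = field(default_factory=list)

    def __post_init__(self):
        if self.parent is not None:
            self.parent.children.append(self)

    def ancestry(self):
        """Yield self, then each enclosing compartment up to the organization."""
        node = self
        while node is not None:
            yield node
            node = node.parent

def grant(comp, role, principal):
    comp.bindings.setdefault(role, set()).add(principal)

def effective_roles(comp, principal):
    """Roles a principal holds on comp: its own bindings plus every inherited one."""
    roles = set()
    for node in comp.ancestry():
        roles |= {r for r, who in node.bindings.items() if principal in who}
    return roles

def administers(principal, comp):
    """Delegation: an admin role bound at comp or any ancestor covers comp, nothing else."""
    return any(principal in node.bindings.get(ADMIN_ROLES[node.kind], set())
               for node in comp.ancestry())

def walk(root):
    yield root
    for child in root.children:
        yield from walk(child)

def who_has_access(comp):
    """Audit view: every principal with any role on comp, direct or inherited."""
    principals = {p for node in comp.ancestry() for who in node.bindings.values() for p in who}
    return {p: sorted(effective_roles(comp, p)) for p in sorted(principals)}

def access_of(root, principal):
    """Audit view: every compartment under root the principal reaches, with roles."""
    return {c.name: sorted(effective_roles(c, principal))
            for c in walk(root) if effective_roles(c, principal)}
```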

Key technologies: …

Autonomy

In the spirit of compartmentalization and delegated administration, each administrator needs the ability to act autonomously within their compartment without engaging administrators at higher levels of the organization. This implies making features available for both organizations and compartments.

Key technologies: ...

Constraints

To prevent misuse, administrators need to be able to control access to cloud resources and constrain how those resources can be configured. For organizations with managed identity, this includes the ability to constrain how those identities can be used.

Key technologies: …

Exceptions

Organizations are diverse and, therefore, have diverse requirements. In order to meet the needs of as many customers as possible, cloud features should be built to be flexible and offered with constraints that can be used to limit that flexibility if administrators so desire.

Key technologies: ...

Evolution

Organizations are not static. They grow and shrink, both organically and inorganically. They morph and shift as the organization evolves. As such, resources must be designed to move and change along with our customers.

Key technologies: ...

Hybrid and Multi-Cloud

Organizations have the right to choose the cloud provider(s) with which to work and should be free to leverage private clouds as well. Regardless of the choice, the rights stated herein should extend across all those clouds, leveraging open standards and APIs to maintain a consistent experience.

Key technologies: ...