When managing cloud infrastructure across multiple cloud platforms like AWS, GCP, and Azure, DevOps teams tend to face a lot of the same challenges, like keeping track of all your resources and maintaining security.

  • Virtual machines or storage may be running on different platforms without a central way to view every resource, some unused resources might be left running, which may lead to higher bills.

  • Or different teams might use different tools like Terraform, CloudFormation, or Ansible to manage their cloud resources, which can lead to a lack of uniformity within the team.

Implementing Cloud Center of Excellence (CCoE) concepts helps resolve these challenges by providing business leaders with a unified approach to managing cloud infrastructure across multiple platforms. 

In an earlier blog post, we covered the basics of CCOE: what a Cloud Center of Excellence is and why it’s important. Now, let’s explore the tactical ways to set up a Cloud Center of Excellence (CCoE), the key metrics you should use to measure its success, and what cloud operations chaos looks like for DevOps teams without a CCoE.

4 Key Metrics for Measuring CCoE Success

Instead of handling security, cost management, and governance differently for each cloud provider, CCoE establishes a common set of policies and practices. This means teams apply the same security measures, track resource usage more efficiently, and ensure compliance with industry-specific regulations, such as PCI DSS, HIPAA, or SOC2, across all cloud providers.

That’s great, of course, but how can you be sure your CCOE is working for you, and how can you measure success?

To ensure that your Cloud Center of Excellence (CCoE) works well for your teams, you need to track the right KPIs. 

Here are some of the key metrics that will help you evaluate whether your CCoE is meeting its goals — or not.

1. Cloud Spend vs. Budget

You can effectively manage cloud costs by closely using cloud usage, tracking your spending and comparing it with your budget using tools like AWS Cost Explorer. A Cloud Center of Excellence (CCoE) focuses on identifying and managing underutilized resources. For instance, if an EC2 instance is running but not being used, CCoE policies and tools can help detect these instances and prompt teams to shut them down to reduce expenses. Additionally, switching from standard EC2 instances to Graviton instances can further optimize costs, as Graviton options are often more cost-effective for certain workloads.

Similarly, if you have any rarely accessed data within your S3 storage, the CCoE can suggest moving that data to more cost-effective options like Amazon S3 Glacier or S3 Intelligent-Tiering, which are designed for infrequently accessed data and are much cheaper. 

By actively monitoring resources, a CCoE ensures cost-effectiveness by keeping your cloud infrastructure running efficiently and within the organization’s budget. Tools like AWS Cost Explorer help track and analyze cloud spending, which allows teams to set budget thresholds. Additionally, AWS provides alerts when budgets are exceeded, enabling the team to proactively take action.

2. Resource Utilization Efficiency

This KPI measures how well your cloud resources are used within your infrastructure. It focuses on identifying whether resources are over-provisioned or under-provisioned and provides suggestions on how to better align them with actual workload demands, ensuring cost-efficiency and optimal performance. A well-functioning CCoE ensures resources match the workload without wasting the capacity of any resource.

For example, if you have an EKS cluster where certain nodes are running at 10% CPU usage for most of the day, it’s likely over-provisioned. The CCoE can recommend rightsizing by switching to smaller node types, using Auto Scaling to adjust capacity based on actual demand, or even leveraging Spot instances for workloads that are flexible with interruptions, further optimizing costs. On the other hand, if your database nodes are consistently out of memory, the CCoE should suggest increasing the size of the nodes or adding more capacity to handle the load efficiently.

By continuously monitoring resource utilization, the CCoE ensures that your cloud resources are right-sized, which not only optimizes efficiency but also contributes to cost savings by preventing unnecessary over-provisioning. Ignoring resource utilization can lead to inflated costs and potential performance issues, as under-provisioned resources may struggle to meet demand.

3. Security and Compliance Audit Scores

This KPI tracks how well your organization meets essential security and compliance standards like PCI DSS, SOC2, or HIPAA. A Cloud Center of Excellence (CCoE) sets consistent guidelines and frameworks for applying these standards across all platforms, from AWS to GCP and Azure. For instance, if processing sensitive financial transactions, the CCoE ensures encryption policies align with PCI DSS and mandates regular security audits. Similarly, for healthcare data, the CCoE enforces HIPAA compliance with strict access controls and data protection measures to maintain regulatory standards. Without centralized compliance tracking, organizations risk severe security gaps and regulatory issues; managing compliance manually becomes impractical, especially with multiple datasets or a large client base.

Audit results often reflect how well these standards are being followed. A third-party audit score of 85 or higher typically reflects strong security practices within an organization. This score indicates that essential security measures are in place, with a focus on data breaches, and ensuring compliance with regulations. 

Consistently achieving strong audit results shows that your CCoE is effectively managing security and compliance for cloud projects, keeping your cloud environments safe and in line with the industry’s regulations.

4. Deployment Speed and Error Rates

One of the main goals of a Cloud Center of Excellence (CCoE) is to ensure smooth and consistent deployments across all cloud environments. By standardizing Infrastructure as Code (IaC) and enforcing security policies across your infrastructure, a CCoE helps prevent errors during deployments and cloud migration, reducing the risk of outages or operational issues.

Error rates serve as a key metric, measuring the percentage of issues that occur during deployments. For example, if an update causes an application to crash or introduces bugs, it reflects a high error rate, indicating potential reliability issues. By establishing best practices and automating testing in the deployment pipeline, the CCoE helps catch and resolve issues early. This approach leads to smoother operations, minimizes downtime, and keeps your cloud infrastructure running without interruptions.

Regularly monitoring these metrics helps identify areas that require improvement and allows for early detection of potential issues. This approach enables proactive adjustments to enhance performance and business value and reduce risks over time.

Cloud Operations Without CCOE: A Look at the Day-to-Day Struggles

Without a CCoE, teams often face issues that may complicate day to day cloud operations, causing inefficiencies, deployment failures, and also increasing costs. Let’s break down these problems and how they impact your own cloud strategy and operations.

Challenge #1: Managing resources across multiple cloud platforms without centralized visibility

When DevOps teams manage their cloud infrastructure across multiple cloud providers, such as AWS, GCP, or Azure, it becomes a bit challenging to manage your resources. For example, you might be using storage services on both AWS and Azure, and without a centralized system, it’s a time-consuming process to determine which storage buckets or blobs are still in use or if the configurations are aligned with the organization's guidelines. Additionally, any outdated or unused data causes compliance issues or unwanted costs. A common scenario could involve teams paying for multiple storage solutions across platforms, only to realize later that certain data could have been archived or deleted, which would have reduced unnecessary expenses. This lack of centralized visibility makes managing resources much more difficult.

Challenge #2: Inconsistent security and governance policies

Different cloud platforms often need specific security configurations, and without a unified approach, these rules can become inconsistent across your infrastructure and cloud technologies. For example, AWS uses IAM roles to control access to S3 buckets, while Azure manages access to Blob storage through Azure RBAC permissions. If these configurations aren’t managed consistently, some resources could lack proper protection, leading to security gaps.

Challenges #3: Delayed deployments and increased errors due to manual infrastructure provisioning

Without proper checks in place, setting up or updating infrastructure can slow down deployments and increase the chances of errors. For example, if your team configures servers, networks, or permissions directly in the cloud provider’s console, there’s a greater risk of missing some important configurations like firewall rules or security configurations. This can lead to extra troubleshooting after deployment, where connectivity problems or failed launches surface due to overlooked steps. Putting consistent checks in place helps ensure all critical settings are correct, reducing the risk of delays and unexpected issues.

Challenge #4: Difficulty optimizing cloud spend within the infrastructure

Without proper monitoring, cloud spending can quickly get out of control. For example, Kubernetes clusters might continue running on high-cost instances even when more affordable options could handle the workload. A common issue might be a team using expensive compute instances like AWS EC2 r5.2xlarge for Kubernetes nodes in development environments, without realizing they could switch to less costly instances like t3.medium. This leads to unnecessary spending, as the powerful instances aren’t needed for lower-demand tasks. A Cloud Center of Excellence (CCoE) helps keep cloud spending under control by regularly forecast cloud demand, reviewing resource usage, setting up cost alerts, and optimizing resources to match actual needs.

Now that we’ve looked at the challenges teams face in managing cloud environments and keeping costs under control, it’s clear that a centralized solution for tracking security, compliance, costs, and monitoring of cloud initiatives is important, especially in multi-cloud setups. Tools like Firefly provide a unified platform to manage cloud infrastructure, helping address these common issues by maintaining consistency, visibility, and control across complex environments.

Using Firefly to Build the Best Cloud Center of Excellence

Firefly makes managing your cloud infrastructure much easier by helping you control costs, optimize resource usage, and strengthen security and compliance. Firefly provides a unified dashboard that gives you a clear view of your cloud operations, allowing you to manage complex tasks across multiple platforms seamlessly. 

With Firefly, you can implement Cloud Center of Excellence (CCoE) principles more effectively, creating a cloud environment that is organized, secure, and cost-efficient across your infrastructure — and that addresses key challenges DevOps teams face without a CCOE.

Unified Dashboard: For Managing Resources Across Multiple Cloud Platforms

Firefly’s unified dashboard brings all your cloud resources together in one place, providing complete visibility across your infrastructure. 

What would life look like without it? You would have to write script using PowerShell, shell, or other tools just to gather a full inventory of resources: a time-consuming and error-prone process. 

With Firefly, you can easily monitor resource usage, optimize costs, and spot unmanaged resources, reducing the risk of unnecessary expenses and overlooked assets. This centralized view streamlines resource management, making it easier to maintain an organized, efficient, and secure cloud computing environment.

Additionally, the dashboard centralizes all your IaC stacks in one place, whether you’re using Terraform or CloudFormation, meaning that teams no longer need to switch between multiple dashboards or tools. It provides a clear view of all your IaC coverage, categorizing resources as Unmanaged, Ghost, Codified, and Drifted.

By organizing resources in this way, Firefly helps you improve your Cloud Center of Excellence (CCoE) by providing the deep insights needed to manage cloud infrastructure more effectively. Teams can identify unmanaged or drifted resources and take action, ensuring that everything is properly codified and aligned with best practices. This keeps your cloud environment more secure and compliant while supporting the goals of a strong CCoE as well as cloud adoption.

Automating Workflows: For Better Resource Utilization

Firefly’s workspaces make managing your cloud environments much easier just by automating deployments and making sure that everything is consistently set up. 

Without Firefly’s workspace automation, teams might face challenges in managing Terraform workflows consistently. This can lead to different standards across deployments, increasing the chances of mistakes and higher costs. Firefly’s automation adds guardrails to each Terraform task, automatically enforcing security, compliance, and cost control standards to keep your cloud environments organized and aligned.

These guardrails makes sure that every deployment follows the same rules, reducing errors and helping teams meet Cloud Center of Excellence (CCoE) goals. Firefly also includes cost estimation checks, giving you a clear view of expected spending and helping you make cost-effective decisions across all workflows, not just new ones.

Now, let’s walk through how you can enhance your Cloud Center of Excellence (CCoE) approach by using Firefly’s Workspace feature and automation within your CI/CD workflows.

Firstly, go to workspaces in Firefly and click on Add New Workflow to set up your automated deployment process.

Select Terraform (or your preferred tool) to manage your cloud resources. This ensures that all the deployments happen consistently and automatically within your infrastructure.

Give the workspace a name, like development, testing, or production. This helps you keep track of different environments and link Firefly to your GitHub repository where your Terraform code is stored. This helps track any changes to your infrastructure using pull requests. You’ll also choose the branch where the changes will be applied, like the main branch.

Double-check the details of the workflow. This includes the Terraform configuration, variables, and settings for your deployment pipeline. Make sure everything is correct and ready to be deployed.

Once everything is in place, click on Create PR. This will open a pull request in your connected GitHub repository. The pull request will automatically run terraform plan, giving you a preview of the infrastructure changes.

Now that your workflow is set up perfectly, Firefly will give you a clear view of your infrastructure plan. It shows what resources will be created and also flags any policy violations. For example, it checks tag coverage that is 100% in the above plan and highlights any security issues, making sure every resource follows your Cloud Center of Excellence (CCoE) standards.

You also get a cost estimate, helping you keep track of spending and avoid any budget overruns. 

Adding Guardrails: To Enforce Security and Compliance Automatically, for Every Deployment

Firefly’s guardrails feature helps you ensure that your deployments are secure and compliant with your organizational policies. A guardrail acts like a safety net during your cloud infrastructure deployments, automatically blocking any non-compliant actions or configurations. For example, it can prevent sensitive data from being publicly accessible by detecting when a policy is violated and stopping the deployment. This makes sure that your deployments follow best practices for cloud security and governance, aligning with the goals of a Cloud Center of Excellence (CCoE).

To get started with guardrails:

Go to the Guardrails Wizard in Firefly, where you can set rules based on policy, cost, resources, or tags.

Select the policies you want to enforce. 

You can also set up notifications, sending alerts to channels like Slack if any violations occur during deployment.

Now that the guardrails are set, any workspace violating the defined policies will be blocked from proceeding, as shown in this example. Here, a test workspace violated several policies, including assigning a public IP to an EC2 instance and lacking instance monitoring. These violations are flagged and categorized by severity (e.g., Medium, Low).

In this case, the guardrail blocked the deployment due to non-compliance, making sure that no misconfigured or insecure resources were introduced into the environment. By receiving immediate feedback, your team can resolve these issues before they cause any real damage, keeping your cloud infrastructure aligned with security and compliance standards.

This automatic blocking of non-compliant configurations strengthens your CCoE’s ability to maintain control and governance across your cloud environments without relying on any interventions from your end.

Cloud Governance: For Policy Enforcement and Compliance

Firefly’s governance capabilities helps us organize and enforce policies to build a strong Cloud Center of Excellence (CCoE). By categorizing resources based on different criteria like best practices, encryption, and network security, Firefly allows you to easily manage your cloud resources and track their compliance. 

Without this feature, teams would have to check every cloud resource one by one using different cloud consoles. They would need to make sure things like encryption and access controls are correct by reviewing each resource by themselves.

With Firefly, everything is tracked automatically, so you save your time and reduce the risk of errors.

Firefly provides several categories to help you separate resources, such as:

  • Encryption: Ensures that sensitive data is encrypted to meet security standards.
  • Networking and firewall: Focuses on securing your network configurations and firewall settings.
  • Misconfigurations: Identifies resources that are improperly configured, like open ports or non-encrypted storage.
  • Reliability: Helps monitor the stability and availability of cloud resources, ensuring everything runs smoothly.
  • Best practices: Flags resources that don’t align with industry standards and best practices.

Once your resources are organized, you can apply various governance frameworks that help enforce policies and meet compliance standards. Firefly supports several major frameworks:

  • PCI DSS: The Payment Card Industry Data Security Standard makes sure that a cardholder's data is always protected with proper access controls and security measures.
  • SOC 2: The Service Organization Control 2 focuses on the privacy and security of customer data in cloud environments.
  • HIPAA: The Health Insurance Portability and Accountability Act (HIPAA) protects sensitive patient data in healthcare systems by ensuring secure access and storage.
  • NIST: The National Institute of Standards and Technology establishes security standards for handling sensitive information, especially in regulated industries.

Without Firefly, teams often rely on cloud provider tools like AWS Config or Azure Policy to monitor compliance and security, which requires configuring individual rules for each service. For example, they would need rules to ensure S3 buckets are encrypted or check if any EC2 instances have public access. Additionally, they would have to monitor multiple dashboards, manually track compliance reports, and review logs for policy violations across different cloud services and platforms. This process is time-consuming and increases the risk of missing potential issues, leading to slower responses to problems.

Firefly simplifies this process by automatically applying these rules across your entire cloud environment and ensuring continuous compliance without the need for any intervention from your end. This way, you can maintain governance and meet compliance standards more effectively.


Want to see Firefly at work for yourself? Request a demo or explore our sandbox environment on your own time.