
How Dedicated Account Delegation Helped CrowdStrike Manage Costs
Balancing robust security with effective cost management in the cloud is no easy feat. CrowdStrike, known for its cloud-delivered endpoint and workload protection, recently set out to strike that balance on AWS. Their approach pairs security engineering with financial operations in a way other organizations, especially those operating at large scale, can emulate.
The Need for a New Approach
As CrowdStrike's footprint on Amazon Web Services (AWS) expanded, they ran into a pivotal challenge: maintaining stringent security while giving their IT FinOps team the tools needed for comprehensive cloud financial management. The team relied on tools such as AWS Cost Explorer and AWS Compute Optimizer, but using them across the organization traditionally required broad access to the management account, an unsettling prospect given what that account can do.
Security-First Financial Management
At the core of AWS Organizations lies the management account, responsible for the orchestration and financial oversight of member accounts. For CrowdStrike, this account held the keys to extensive operational control: creating and inviting accounts, delegating administrative roles, and enforcing organization-wide policies. Granting management account permissions broadly for cost analysis therefore posed a security risk that CrowdStrike was unwilling to take. The solution came in the form of a dedicated FinOps administrative account, designed around the principle of least privilege.
“By implementing a dedicated FinOps admin account, we’ve eliminated the need for management account access while enhancing our team’s ability to optimize cloud spending. This change has been transformative,” remarks Lorenzo Orsatti, Director of IT DevOps and Infrastructure at CrowdStrike.
Implementing a Technical Blueprint
CrowdStrike devised a multi-step strategy to achieve their goal. The process was systematic: first defining FinOps service requirements, then building a consolidated IAM architecture, and finally establishing governance workflows. Each step was deliberate and produced measurable results.
Step 1: Defining FinOps Service Requirements
Identifying the essential AWS services was the starting point. CrowdStrike settled on a core toolset: AWS Cost Optimization Hub, AWS Compute Optimizer, and AWS Cost and Usage Reports (CUR). These services not only enabled thorough cost analysis but also informed their Savings Plans purchases and commitments.
Step 2: Optimized IAM Architecture and Service Delegation
The crux of the solution was a consolidated Identity and Access Management (IAM) design. A dedicated IAM role in the FinOps account combined AWS-managed and custom policies into a coherent, scoped permission set. Delegated administration was the key enabler: the FinOps account was registered as the delegated administrator for multiple AWS services, including Cost Optimization Hub and Trusted Advisor, so those services could be administered organization-wide without anyone signing in to the management account.
Step 3: Governance and Workflows
Efficiency paired with oversight was the mantra that defined this step. CrowdStrike sculpted a governance framework that harmonized rapid financial decision-making with organizational accountability. Central to this was an approval workflow for Savings Plans, where purchase proposals, comprehensive with risk evaluations and savings analyses, flowed from the FinOps team to the finance department before execution.
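The following is an added example, not CrowdStrike's code or configuration, illustrating Steps 1 and 2 above: a scoped permission policy for the dedicated FinOps role placed beside the kind of blanket management-account grant the article says CrowdStrike rejected, a least-privilege check that distinguishes the two, and the one-time delegation calls the management account makes so the FinOps account can administer the named services. The policy contents, the account ID and the function names are assumptions; the service principals are the ones AWS Organizations documents for delegated administration of these services and should be confirmed against the current documentation before use.

```python
"""Least-privilege check and delegated-administrator registration for a
dedicated FinOps account. Illustrative example; policies and IDs are assumed."""
import fnmatch
import json

FINOPS_ACCOUNT_ID = "111122223333"  # hypothetical FinOps member account

# Read-only Organizations calls a FinOps role legitimately needs.
ORG_READ_ONLY = ("organizations:Describe*", "organizations:List*")

# Prefixes that control the organization or its identities; a FinOps role
# must not hold write access under any of them.
CONTROL_PLANE_PREFIXES = {"iam", "organizations", "sts", "account"}

# Service principals used when registering a delegated administrator.
FINOPS_SERVICE_PRINCIPALS = (
    "compute-optimizer.amazonaws.com",
    "cost-optimization-hub.bcm.amazonaws.com",
    "reporting.trustedadvisor.amazonaws.com",
)

# Scoped policy attached to the dedicated FinOps role (assumed contents).
FINOPS_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CostVisibility", "Effect": "Allow", "Resource": "*",
         "Action": ["ce:Get*", "ce:Describe*", "ce:List*", "cur:Describe*",
                    "compute-optimizer:Get*", "compute-optimizer:Describe*",
                    "cost-optimization-hub:Get*", "cost-optimization-hub:List*",
                    "savingsplans:Describe*"]},
        {"Sid": "OrgReadOnly", "Effect": "Allow", "Resource": "*",
         "Action": ["organizations:DescribeOrganization",
                    "organizations:ListAccounts"]},
    ],
}

# The shortcut the article describes CrowdStrike refusing: cost tooling
# granted together with organization control in the management account.
BROAD_MANAGEMENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["ce:*", "organizations:*", "iam:PassRole"]}],
}


def _actions(stmt):
    acts = stmt.get("Action", [])
    return [acts] if isinstance(acts, str) else list(acts)


def least_privilege_findings(policy):
    """Return findings for Allow statements that grant control-plane write
    access or a global wildcard. An empty list means the policy passes."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _actions(stmt):
            if action == "*":
                findings.append(f"Statement {i}: Action '*' grants every API")
                continue
            prefix = action.partition(":")[0]
            if prefix in CONTROL_PLANE_PREFIXES and not any(
                    fnmatch.fnmatch(action, p) for p in ORG_READ_ONLY):
                findings.append(f"Statement {i}: control-plane action {action!r}")
    return findings


def delegate_finops_services(org, account_id, principals=FINOPS_SERVICE_PRINCIPALS):
    """Run once from the management account with an Organizations client such
    as boto3.client("organizations"). Trusted access for a service must be
    enabled before a member account can be registered as its delegated
    administrator. Returns the (principal, account) pairs registered."""
    registered = []
    for principal in principals:
        org.enable_aws_service_access(ServicePrincipal=principal)
        org.register_delegated_administrator(AccountId=account_id,
                                             ServicePrincipal=principal)
        registered.append((principal, account_id))
    return registered


if __name__ == "__main__":
    for name, policy in (("finops", FINOPS_ROLE_POLICY),
                         ("broad", BROAD_MANAGEMENT_POLICY)):
        print(name, json.dumps(least_privilege_findings(policy), indent=2))
```

The check treats `organizations:Describe*` and `organizations:List*` as acceptable because the FinOps role needs to enumerate accounts; every other IAM, Organizations, STS or Account action is a finding. `delegate_finops_services` takes the client as a parameter so it can be exercised against a recording stub before it is pointed at a real organization.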
Establishing an Ecosystem of Best Practices
Beyond the technical implementation, CrowdStrike put in place practices meant to keep the design sound over time. Regular access reviews, compliance audits, and role-specific training were instituted so that the permission set stays as narrow as intended and the team knows how to work within it. This discipline kept the environment secure without slowing the FinOps team down.
Conclusion: A Model for the Future
CrowdStrike’s journey in refining cloud financial management showcases a navigable path for others. Their innovative approach to using a dedicated FinOps admin account demonstrates that strategic delegation, combined with rigorous governance, can not only protect but also optimize. It’s a testament to their commitment to security without compromising on financial oversight.
Looking ahead, CrowdStrike continues to invest in this integration, with plans to automate more of its optimization processes and embed them in day-to-day operations. In doing so, they offer other organizations a practical model for sustainable financial management in the cloud.