Cloud governance.
You may hear about this concept all the time. But, what does it truly mean? And, why is it so important?
Cloud governance is comprised of the people, process and technology deployed to ensure the services (e.g., infrastructure, software, data and platforms) consumed in the cloud are secure, cost-effective, available, scalable and consistent with an organization’s business strategy.
It’s easy to consume cloud resources. Vendors intentionally do that. But, it’s difficult to govern consumption across the enterprise. So, policies, procedures, standards and organizational controls are critical.
Implementation of a Cloud Governance Plan serves as a framework to control costs, support compliance requirements and provide operational stability.
Before entering the cloud realm, it’s wise and essential for you to develop a Cloud Governance Plan. If you’re already in the cloud, it’s even more important to get a Cloud Governance Plan in place.
But, what is it? How do you create one?
Fear not. We’re here to help!
Importance of Cloud Governance
In the past, the speed of deployment depended heavily on your IT department’s ability to spin up new resources. They had control of over what technology was selected and when it would be implemented. Timelines could extend into months, often exceeding the time horizon required by the business.
With cloud, consumption decisions can be made in a decentralized manner. And fast! Non-IT people can buy with just a credit card. Cloud-based resources can be spun up in minutes. (Yes, in minutes!) It’s not the province of the cloud vendors to make sure what has been purchased is in line with the IT strategy or suits long-term goals for integration and data consistency.
As organizations compete in marketplaces that value business agility, speed and time-to-market, these forces are at odds with traditional, IT-driven, standard processes aligned to compliance, control and security. The cloud is the right solution at the right time. But, only if managed correctly.
Yet, your managers need a way to enforce best practices, perform integrity checks, and validate compliance (internal and external). And, these control measures must be achieved without hindering speed and agility.
You may quickly find your cloud environment spiraling out of control. There’s no way you and your team can keep up without a cloud governance strategy. This is a primary reason why cloud governance is so critical.
And, there are many other reasons.
“You Can’t Manage What You Can’t Measure”
This is a timeless and classic quote by Management Guru Peter Drucker. Leading cloud service providers recommend their customers move existing multiple-tenant workloads into single, distinct cloud accounts for each workload and/or organization. Perhaps Finance gets its own account. Same for Sales. This enables granular visibility on consumption and cost.
Today, using multiple accounts to manage distinct cloud workloads is considered a best practice to deliver precise access control and cost management. It also limits the security and financial blast radius in case of an issue or breach.
An effective governance strategy can help organize the volume of accounts your organization needs. Meanwhile, it supplies visibility around key cloud activities, consumption, costs and trends.
Governance Helps Curb Shadow IT
When you don’t know what systems are in use, or even where company data lives, you increase risk and costs. Employees typically turn to shadow IT when they are stalled or stymied in getting access to resources, so they can do their job in the timeframe they need.
Cloud governance helps put in place the required framework to easily request and access cloud resources, which are approved, standardized and on an “ordained” catalog. It then gives team members access to the breadth of allowed cloud resources, within compliance and budget constraints.
You reduce employee frustration and the likelihood of a team member using a personal cloud account out of convenience. In the process, you raise leadership confidence in the move to the cloud.
Governance Reduces Risk
Whether it’s exposed data, non-compliance with policies or regulations, or cost overruns, there are risks when running in the cloud without the “guardrails” provided by a Cloud Governance Plan.
A cloud governance solution can help ensure data storage resources have proper controls to keep them private in the cloud. The faster the storage, the more it costs. So, governance can ensure data is retained on cloud storage devices appropriate for the need.
Cloud vendors are intensely attuned to major compliance requirements, such as GDPR, PCI, DSS, HIPAA and FedRAMP. However, the Cloud Governance Plan assists your organization in taking advantage of the vendor’s compliance capabilities. This will not just organically happen.
Ultimately, it’s your responsibility to prove compliance, not the cloud vendors. So, governance must address how organizational controls are defined and practiced, using cloud resources.
Governance Reduces Labor
Cloud spend, consumption, security, access and compliance tracking are a daunting task.
However, a Cloud Governance Plan establishes the processes and means to leverage vendor-backed process automation and reporting. Cloud governance establishes rules to control access, manage budgets and enforce approvals.
The result? Reduced cost of labor and lower costs.
In addition, complete governance solutions provide enforcement actions. This allows you to do away with necessary follow-up actions after you receive an alert. Preventing budget overruns and non-compliant activities saves time and effort.
Labor savings means more time to focus on value-add, mission-delivering activities.
Now that you’ve decided you need a Cloud Governance Plan, let’s get you started.
How to Implement Cloud Governance across the Cloud Journey
As you will read below, cloud governance is an iterative process. The people, processes and technology required to properly implement cloud governance depends on which phase of the cloud Journey you’re travelling. And, each successive stage builds on the previous one.
Awareness
Organizations in this stage have zero cloud structure and still rely on assets located on-premises. There may be a cloud strategy that’s been developed, but actual transition is at a nascent stage.
Getting started with governance in this phase requires the establishment of a cross-functional steering committee, the definition of the governance model, and the implementation of some basic process automation.
Additionally, an audit and documentation of existing systems is required.
Early Adoption
At this phase, organizations have developed policies matched to their processes. They have a cloud team in place and have scoped out costs and other architecture details. They are experiencing rapid cloud deployment.
Good governance during this phase requires a cloud steering team, additional process definitions, and the addition of orchestration and templates, which govern resource creation.
Mature Adoption
In this final phase, organizations reap the rewards of the efforts they applied during the previous two phases. Cloud management is now fully automated, which means the infrastructure responds automatically to changing conditions and is responsive, agile and scalable. The cloud governance framework ensures security and compliance.
| PHASE | Awareness | Early Adoption | Mature Adoption |
| PEOPLE | Establish Cloud Governance Committee – Executive Sponsor (CXO) – LOB Leaders – Compliance – Security – IT/Operations – Legal | Establish Cloud Steering Team – Chief Cloud Officer – PMO Lead – Business Relationship Mgr. – Architecture Leads – Engineering Leads | Governance Steering Team and Governance Committee meet regularly and add new members, as appropriate. |
| PROCESS | Define Governance Model and Baseline Policies – Account Management – Security & Networking – Service Management – Monitoring & Reporting – Audit & Document Existing Systems | Define Additional Policies – Self Service – Data Governance – Audit & Compliance | Mature Policy Model – Auto Scale Up/Down – Utilize Lowest Cost Infrastructure – Power Up/Down – Load Balancing |
| TECHNOLOGY | Basic Process Automation – Automated Ticketing – Cost Optimization | Optimized Automation – Orchestration – Templates | Mature Automation – Full DevOps – Automated Integration/Deployment |
technology across each of the three phases to achieve cloud governance.
Cloud Governance in Action
Cloud experts like System Soft Technologies (SSTech) recommend a cross-functional approach to continuous improvement and management. That’s because cloud governance isn’t a destination, it’s a journey. And, the Cloud Governance Plan is your first step. Continuous improvement requires a centralized Cloud Governance Committee, which works with IT and the key business areas consuming cloud-based services.
This cross-functional team can identify common practices and requirements. The team also acts as consultants across separate groups. An operational extension of those teams, the cloud management function can help with standardizing practices, defining standards and automating policy enforcement.
In highly distributed and siloed organizations, it’s especially helpful to assemble a community of practitioners who can exchange best practices.
Communications for this may take the form of wikis or Teams channels, for example. We recommend the team meet on an ongoing, quarterly basis to assess compliance, review potential vulnerabilities, and make improvements to the processes.
The final component required for successful cloud governance is the management solution, which helps monitor and define policies. This solution must measure your cloud environment on both a granular and aggregate level. It needs to identify trends, while breaking down cost, usage, performance and security by the various teams consuming resources.
Lastly, this solution must enforce predefined policies, monitors for when the infrastructure is in violation of the policy, and alerts to appropriate individuals within your organization.
For example, you may have a policy that states virtual machine snapshots must be deleted after four weeks for both cost savings and compliance purposes. Without a centralized platform to continuously monitor snapshot age and delete the snapshots when they reach the limit, the policy is impossible to enforce. That increases both your costs and risk of compliance related fines and penalties.
Manual policy checks won’t scale and are prone to human error. Central management teams must provide tools to automate security checks, monitor usage and automatically spot and flag improper usage.
Take the Next Steps
Whether you’re still exploring the idea of taking your business to the cloud or you’ve decided to make the leap, a Cloud Governance Plan is an essential ingredient to your business success.
No. It cannot be overlooked or rushed. So, connect with people across your organization. Build your cloud dream team. And, discuss the key issues at hand.
Here’s a list of questions to help get the ball rolling:
- Do you feel like you have enough expertise to develop your Cloud Governance Plan, or do you want to bring in an outside cloud consultant?
- What assets and systems do you currently have deployed to the cloud? Which ones are you hoping to deploy in the future?
- What security policies impact your cloud governance?
- How will you monitor and control employee access to cloud assets?
- What compliance audits do you need to plan for? How can you work those into your cloud governance framework?
- Who will create and maintain your cloud architecture? How can you make sure this information is available to those who need it?
- How regularly must this core cloud team meet, ensuring your cloud governance remains agile and responsive?
Exploring these questions will help your team develop the best cloud governance for your organization. The answers will also spark innovative ideas for other details you must consider.
As you’ve read so far, cloud governance is a complicated topic. But, it’s also the key to leveraging the potential of the cloud in a secure, scalable and cost-efficient manner.
Not sure where to begin? System Soft Technologies’ Cloud Governance QuickStrike assesses and documents your current environment to establish a baseline. This baseline will identify how your current configuration stacks up against best practices.
Then, we collaborate with your business and IT leaders to define the desired future state and develop a Cloud Governance Plan, allowing you to remediate gaps and mitigate risk.
If you already have a Cloud Governance Plan, let’s review it, so we can make it better. Our skilled, professional cloud consultants and industry-leading tools will help drive your business success.
About the Author: Don Bilbrey
Don Bilbrey serves as Senior Solutions Architect at System Soft Technologies. A technology nerd, Don knows his stuff when it comes to systems and storage solutions. He’s a people person, too, showcasing his humor and wit as he energetically manages the service delivery needs of large enterprise customers.