What is Cloud Governance?

June 7, 2023
10 min

The Importance of Cloud Governance

It takes a combination of technology, people, and processes to address overspends, performance inefficiencies, and/or data breaches. This collective application of resources is called cloud governance – a cloud operating model that gives organizations the ability to address issues and optimize cloud environments. In many respects, cloud governance is an extension of on-premises IT governance, yet there are several distinctions to understand before adopting a cloud governance operating model.


The Difference between On-Premise and Cloud Governance

When an organization operates in an exclusively on-premise IT environment, the IT department has responsibility for managing resources, performance, and risk. It consequently has centralized authority on all IT matters such as what resources can be used, how they can be used, and who can use them.

Once an organization adopts cloud computing, responsibility and authority tends to be more decentralized. Due to the self-provisioning nature of cloud computing, anybody can deploy resources in the cloud. And while the effort delivers numerous advantages —better agility, increased flexibility, and scalability — without effective oversight (cloud governance), it can also lead to cost, performance, and security issues.

Additionally, with decentralized cloud governance, organizations no longer have total responsibility for data security. As cloud servers are multi-tenanted, cloud service providers take responsibility for the data security below the level of abstraction, and it is therefore important for organizations to be aware of how a shared responsibility model is applied to different resource types.

Taking Back Control of Decentralized Cloud Environment

The main reason organizations experience overspends, performance inefficiencies, and/or data breaches in the cloud is because of a lack of control mechanism in place as they move away from central management. Without guardrails in place to limit what resources can be used, how they can be used, and who can use them, there’s nothing to stop the use of unsanctioned cloud services by lines of business aiming to “get the job done.”

While the use of unsanctioned services is (in most cases) well-intentioned, users outside the IT department are often unaware of factors such as provisioning requirements, compatibility issues, and identifying vulnerabilities that can be exploited by malicious actors. The same problems can also materialize when users misuse sanctioned cloud services due to a lack of awareness.

Cloud governance helps organizations take back control in a decentralized model by establishing guardrails for cloud activities, enforcing the guardrails, and providing a process for repositioning the guardrails as the cloud evolves, compliance requirements change, or as business objectives are amended in order to meet the competitive demands of dynamic marketplaces.

Developing a Cloud Governance Framework

The first stage of adopting a cloud governance operating model is to develop a cloud governance framework. The framework should be developed from existing on-premises governance policies, because having one set of policies for an on-premises environment and another for a cloud environment will increase the complexity of enforcement and confuse those who must comply with the policies.

However, because cloud governance frameworks should be built out from existing governance policies, there’s no “one-size-fits-all” template for cloud governance. Instead, organizations should first create policies that address the most pressing issues they are experiencing, and then build out from there – taking into account established best practices for operating in the cloud and cloud governance models.

This is where it starts to get complicated, as there are multiple example models on which to base cloud governance frameworks (i.e., COSO, COBIT, ISAE 3402, etc.), and multiple subsets of models that address specific elements of cloud governance (i.e., TOGAF 9.1, ITIL v3, Jericho Cube, etc.). Each model has its own focus and scope and (usually) assumes the organization has not yet started its cloud journey.

Using a Cloud Center of Excellence to Establish Guardrails

A best practice for developing a cloud governance framework is to create a small team tasked with the role of building out existing governance policies to accommodate cloud operations. Ideally, the team should be cross-functional and consist of more than representatives from the just the IT department.

The team should start small and establish minimum objectives. Although it’s a good idea to have a game plan with defined KPIs, setting too many goals at the outset could result in the team failing to meet any objectives due to “analysis paralysis” – a term used to describe organizations trying to solve problems before they exist by looking at too many “what if” scenarios.

The team not only has to develop cloud governance policies, but also the approval processes for repositioning guardrails as required. Therefore, it is important the team is given visibility into the existing use of cloud services and executive support, because it is impossible to control what you cannot see, and support to plan, execute, and govern organizational transformation.

Why it’s Important to Benchmark before Starting

Taking back control in a decentralized model is not going to happen overnight. Therefore, the first task should be to benchmark where the organization is at the start of the project. This will not only help identify the most pressing issues to prioritize but will also be a starting point to demonstrate the progress made by the team to C-level executives.

Each organization will likely have a different starting point. Some will have very limited or no presence in the cloud, while others may have had an unstructured presence in the cloud for many years. Therefore, there is no standard list of metrics to benchmark, although various models recommend taking measurements in the seven following categories:

1. Existing governance

This measurement should include both on-premises and cloud governance (as the two will ultimately become the same) and record such factors as the percentage of compatibility reviews undertaken and the total number of disaster recovery tests run on business-critical applications each year.

2. Existing cloud adoption

This measurement records where the organization is in its cloud journey. Determine the current consumption of cloud services and projects suitable for migrating to the cloud in order to determine what the anticipated consumption will be.

3. Operational efficiency

The operational efficiency category includes such metrics as how long it takes to deploy resources (both on-premises and in the cloud), the average utilization of resources (both on-premises and in the cloud), and the length of time it takes to train users on new cloud services.

4. Cost reduction

The cost reduction measurements are those used to drive cloud governance forward. They compare what the organization is currently spending on-premises and in the cloud against what the organization might be spending in a fully optimized cloud environment.

5. Business value integration

This is the hardest metric to measure because it involves a lot of “what if” scenarios – for example, how much will customer retention improve if the customer has a better user experience. Nonetheless, it is an important metric for measuring the success of the cloud governance operating model.

6. Service-driven integration

This measurement can be used to ascertain how much the organization will benefit by using cloud services to build on its existing on-premises infrastructure. Often it can also be used to determine what type of environment is best suited to the organization (public cloud, hybrid cloud, multi-cloud, etc.).

7. Risk mitigation

The risk mitigation benchmark compares the measures currently being taken to protect data and comply with existing security policies against those required to secure the organization’s existing cloud infrastructure and maintain a secure state when cloud adoption increases.

The Next Step Towards Implementing a Cloud Governance Operating Model

Once these measurements have been taken, it becomes clearer to see what areas of cloud activity require prioritizing and how issues within them should be addressed. It may be necessary to bring new teams members into the review process as priorities change. Ultimately, the team should be as agile, flexible, and scalable as the cloud itself.

Once the priorities have been identified, the next step towards implementing a cloud governance operating model is the development of cloud governance policies – the guardrails that enable an organization to regain control of a decentralized cloud environment. Thereafter, determine which policy violations should be prevented, which should initiate approval workflows, and which should be allowed – but flagged – to prevent stifling innovation.

Examples include:

  • Automatically revoke account access if a cloud account is signed into from an unrecognized IP address or outside of normal working hours.
  • Automatically decommission unused resources such as block storage volumes, IP addresses, and obsolete snapshots.
  • Initiate an approval workflow when a user attempts to deploy an unsanctioned resource (i.e., a resource not permitted by a cloud governance policy).
  • Initiate an approval workflow policy when a cloud monitoring platform (i.e., Azure Advisor) recommends purchasing a committed use discount.
  • Notify budget owners when month-to-date spend is projected to exceed monthly budget.
  • If more than a certain number of resources are deployed by an individual within a day, notify the security team for further investigation.

Integrating Cloud Governance with Business Objectives

While some stages for cloud government could be likened to team management, what distinguishes cloud governance from team management is the opportunity to integrate cloud governance with business objectives to improve overall operations, drive innovation, increase cost/delivery, and make the organization more efficient and competitive.

This tends to happen naturally as ongoing metrics are compared to benchmarks taken before the adoption of the cloud governance operating model. However, if an organization is conscious of the opportunity and leverages policy-driven automation to its full value, the integration of cloud governance with business objectives can be accelerated.

Ultimately, cloud governance will help an organization become as agile, flexible, and scalable as the cloud itself. Consequently, as the cloud evolves and new opportunities emerge – or as statutory requirements or business objectives are revised – the organization can react quickly to changing environments due to the mechanisms put in place to reposition cloud governance guardrails as necessary.

To find out more about cloud governance, visit www.quali.com to start a free trial of Torque, Quali’s Environments as a Service platform for public cloud infrastructure, or to request a demo of CloudShell for on-prem or hybrid environments.