Reduce risks with the right cloud governance strategy

Whether you are just stepping into the cloud, or you’re already fully immersed, chances are you’ve heard the term ‘cloud governance’.

What do we mean when we talk about governance in the cloud and why does it matter?

Cloud governance is the development and implementation of controls to manage access, budget, and compliance across your workloads in the cloud. At first glance, this definition may sound a lot like the definition of IT governance, just ‘in the cloud’. It’s tempting – especially in an organization’s early days of cloud adoption – to attempt to apply traditional IT governance methods to the cloud.

Where traditional IT governance goes like this:

With Cloud governance, you want to get to this:

What is the definition of cloud governance?

Cloud governance is essentially a framework to govern the use of cloud services in your organization and help your users/consumers to access those services in a controlled way.

While cloud adoption encompasses people, processes, and technology, cloud governance needs to bring under control these dimensions, while ensuring security, cost management, and deployment acceleration.

It is an important step in the cloud journey: as cloud adoption progresses inside the organization, new technology and business risks are surfacing out, so a cloud governance framework brings these risks under control along with enforcement of organizational standards.

Where do we start?

The initial activity is to identify organizational risks around 3 key areas: cost management (e.g. risk of losing budget control), security and compliance (e.g. risk of a data breach due to missing or inconsistent security control) and deployment & operations (e.g. risk of service disruption due to inconsistent resource deployments). These risks will feed the initial definition of policy statements with the objective of bringing those risks under control. Policy statements will have associated processes to monitor ongoing policy adherence and compliance.

Risks and mitigation examples

The three disciplines of cloud governance can be seen in action with the examples below:

Cost management: delegating cloud deployment control with self-service capabilities to distributed internal or external teams can lead to uncontrolled spending. A policy statement can mandate the application of mandatory tags to assign cost dimension tags or assign fixed budgets to send notifications or stop the resources in case the issue is not taken care of.

Security & Compliance: the organization might be subject to use only certain data centre regions, hence deployments in non-authorized data centres might result in compliance issues. A policy statement and technical implementation can solve this issue by restricting the deployment regions.

Deployment & Operations: resources might be over or under-provisioned, as well as have the wrong naming convention applied or inconsistent settings. To prevent this issue a policy statement and DevOps approaches can come to the rescue by automating the deployment and ensuring that the correct naming conventions and settings are applied.

Cloud governance incorporates business and technical risks, along with existing organizational standards as input to build a set of policies and processes.

This set of policies and processes is focused on:

  • Cost management

  • Security and Compliance

  • Deployment and operations

To mitigate the risks and enforce the standards to respect company compliance directives.

Once policies and processes are defined the technical implementation can take place by using the appropriate tools for each of the cloud governance areas.

Cloud Center of Excellence

The Cloud Governance Framework is owned and operated by a specialized virtual team, called the Cloud Center of Excellence (CCoE).

Governance is just one of the functions of this team. Its ultimate mission is to promote cloud adoption through an efficient governance framework, organizational skills transformation, platform selection and external partnerships.

Organizations can no longer wait to build every policy and process to tackle every aspect: as businesses move quickly also IT governance must adapt and keep the pace using an incremental governance approach.

Minimal Viable Product

Incremental governance relies on a small set of corporate policies, processes, and tools to establish a foundation for adoption and governance. That foundation is called a minimum viable product (MVP).

An MVP enables the governance team to quickly incorporate governance into implementations throughout the adoption lifecycle and continuously update it to tailor the framework.

We saw in this article how cloud governance is not an abstract framework, instead, it is a concrete set of policies and processes, coupled with the corresponding technical implementation, that brings organization risks under control. The MVP approach ensures also that the implementation of the framework is adapted to the cloud adoption pace of the organization: there is no need for building upfront a huge set of policies and policies that will never be applied because too slow or complex. Agility is the new paradigm that goes in line with the iterative development of the cloud governance framework.

How can we help you?

At Stellium, we have supported many companies in the definition and implementation of their cloud governance strategy and framework, we can help you to analyze your current situation and identify the necessary steps to have a proper cloud governance framework and methodology.

Would you like to get in touch about cloud governance? Go ahead and set up a free online appointment with us for a consultation call.