The Importance of Cloud Governance


There is no doubt that cloud adoption is on the rise in the Enterprise. Gartner predicts the worldwide public cloud services market will grow 18% in 2017 to $246.8B, up from $209.2B in 2016. And IDC postulates that by 2018, at least half of IT spending will be cloud-based, reaching 60% of all IT infrastructure, and 60–70% of all Software, Services, and Technology Spending by 2020.

That’s great and all, but challenges persist as Enterprises continue to deviate from the successful cloud adoption playbook by applying legacy processes and concepts to the new paradigm, and are continually ill-advised on how to get there – see our point of view in last year’s blog post, Why Gartner’s Mode 1 / Mode 2 is Dangerous Thinking.

Take for example the topic of Cloud Governance.

Governance for cloud computing means enabling consistent policy enforcement and ensuring that cloud resources are consumed and operated in a way that is in line with the business goals that drive the cloud transition – agility, efficiency, cost management, etc. Because of the on-demand and API-driven nature of cloud resources, the implementation of governance for cloud is not the same as traditional IT governance.

One of these challenges is that Governance is often an afterthought, and it creates significant cloud adoption barriers when trying to retrofit it into a cloud strategy – it should be the core of your cloud implementation strategy.

So what is good cloud governance?

First, let’s identify what the absence of governance looks like – usually plenty of [public] cloud usage, but:
  • No check on efficient consumption
  • No automatically enforced policy on creation of new cloud resources
  • Cannot break down costs into business products, services, or application components
  • No auditable account of how a cloud resource was created
  • Unsure of sensitivity of data in cloud storage
  • Unable to tell if cloud resources are appropriately secured
  • Unable to point at any resource and know whether it can be safely terminated
Having a governance policy without any automated implementation and enforcement can also result in an absence of governance in practice; manual reconciliation of costs and security policy may not be possible due to the dynamic nature of cloud resources.

Good cloud governance:

The challenge to implementing the right governance structure is that one can’t just apply legacy IT controls to cloud. A manual approval workflow for creating cloud resources will negate much of the value of automated infrastructure. Here are some things to consider in doing cloud governance the right way:
  1. Define policies for cost accounting, application and data classification, and security/risk posture, and ensure that these are jointly agreed to with business owners, security (CISO), risk management and compliance teams.
    A simple policy example might be that each individual cloud resource must have its cost tracked to a business product or project, and that persistent storage containing critical, regulated data can only be located in a specified geographic location or datacenter.
  2. Require that cloud resources be labeled with sufficient detail to be able to automatically exercise agreed policies.
    Continuing from the policy example, this might require that all cloud resources be labeled with tags meaningful to the ERP platform, and that storage volumes and buckets be labeled with agreed criticality/sensitivity descriptors.
  3. Automate enforcement of policy. This can be implemented with cloud management software, or with purpose-built automation authored by your organization, or a combination of approaches.
    • Ensure that data is placed according to sensitivity / compliance rules
    • Ensure that the appropriate network security rules are in place
    • Ensure that all resources are labeled
    • Apply soft/hard budget quotas as appropriate
    • Forbid / quarantine / alert non-conforming resources
    • Measure performance / utilization
    In our example this could simply be achieved by enforcing labeling through a cloud management platform, and exception reporting on any untagged resources with a view to terminating noncompliant items. Multi-cloud management software that can implement governance policies includes platforms like Scalr, Cisco’s CloudCenter, and Red Hat’s CloudForms, to name a few.
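
The three steps above, sketched as purpose-built automation over a resource inventory. This is an added example, not code from the original post or from any of the platforms named; the tag names (`cost-center`, `owner`, `data-class`), the region names and the inventory are constructed assumptions.

```python
from dataclasses import dataclass, field

# Assumed policy values (hypothetical tag names and regions, not from the post).
REQUIRED_TAGS = {"cost-center", "owner"}
STORAGE_TYPES = {"bucket", "volume"}
VALID_CLASSES = {"public", "internal", "critical"}
CRITICAL_REGIONS = {"eu-central"}

@dataclass
class Resource:
    rid: str
    rtype: str
    region: str
    tags: dict = field(default_factory=dict)

def evaluate(res):
    """Return (action, findings); action is 'ok', 'alert' or 'quarantine'."""
    findings, action = [], "ok"
    missing = sorted(t for t in REQUIRED_TAGS if not res.tags.get(t, "").strip())
    if missing:
        findings.append("missing tags: " + ", ".join(missing))
        action = "alert"
    if res.rtype in STORAGE_TYPES:
        cls = res.tags.get("data-class", "").strip().lower()
        if cls not in VALID_CLASSES:
            # Unknown sensitivity is treated as the worst case.
            findings.append("storage lacks a valid data-class label")
            action = "quarantine"
        elif cls == "critical" and res.region not in CRITICAL_REGIONS:
            findings.append(f"critical data in disallowed region {res.region}")
            action = "quarantine"
    return action, findings

def exception_report(inventory):
    """Map resource id -> (action, findings) for non-conforming resources only."""
    results = ((r.rid, evaluate(r)) for r in inventory)
    return {rid: res for rid, res in results if res[0] != "ok"}

# Constructed sample inventory (not real resources).
T = {"cost-center": "erp-1002", "owner": "team-a"}
INVENTORY = [
    Resource("vm-1", "instance", "us-east", dict(T)),
    Resource("vm-2", "instance", "us-east", {"owner": "team-b"}),
    Resource("bkt-1", "bucket", "us-east", {**T, "data-class": "critical"}),
    Resource("bkt-2", "bucket", "eu-central", {**T, "data-class": "critical"}),
    Resource("vol-1", "volume", "eu-central", dict(T)),
]
for rid, (action, findings) in exception_report(INVENTORY).items():
    print(rid, action, "; ".join(findings))
```
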
With the right governance framework in place, Enterprises can safely embark on their cloud adoption journey. They will be able to:
  • Point at any cloud resource and know its purpose, owner, security classification and budget
  • Automate security compliance checks
  • Trace back idle resources to owners for action
  • Enable objective data for iterative tuning of governance controls
There is no “one size fits all” recipe for cloud governance; the policies and implementation will vary depending on the use cases and overall IT governance requirements.

And remember, the problem is that Governance is often an afterthought, and it creates significant cloud adoption challenges when trying to retrofit it into a cloud strategy – make Governance the core of your cloud implementation strategy.