IT governance is focused on the policies you apply when using services, software, and hardware. When it comes to the cloud, governance plays a vital role in compliance, security, cost control, and performance. It can help you rein in shadow IT, keep an eye on internal and provider SLAs, and add accountability.
Ultimately, cloud governance is not very different from general IT governance. Most IT departments already adhere to some form of governance policy for data center or infrastructure assets, ensuring that hardware and software deployments are used according to company policy, that they are tracked and maintained, and that they provide useful value.
Your governance policy should take cloud services specifically into account, with different protocols for Software as a Service (SaaS) and Infrastructure as a Service (IaaS) as deployed by IT. SaaS apps are extremely commonplace and may be used without the knowledge of IT, a practice known as Shadow IT.
Governance in the cloud can be difficult because of its distributed nature. It is not always clear who is accountable for a cloud service: the service provider, the IT department, or the user? All three are responsible for some level of security, but without a governing policy to refer to, it is difficult to enforce security and privacy.
The same goes for performance. When you have an IaaS environment, a certain level of performance and availability clearly falls on the provider, and it should be clearly defined within the SLA. Your own administrators can also degrade performance through careless use of the VMs, for example by overprovisioning or inadvertently bottlenecking network traffic.
Finally, compliance issues can rear their head without a corporate cloud governance policy, especially with the proliferation of Shadow IT. In a compliance-mandated industry like healthcare, data must be tracked and access to information must remain under control of IT in order to maintain compliance.
The governance policy should be created and regularly reviewed by a team of business executives or managers together with IT experts. They will create a set of policies and guidelines that will be mandatory training for every employee, perhaps with an IT-specific section.
These rules often include the ways in which cloud infrastructure meets and is impacted by business activities. For example, compliance and regulatory mandates often affect how information systems are managed and deployed.
Uptime expectations as defined by business requirements are a common item to include. Different tiers of applications might be designed according to how critical a given application or data set is to the daily success of the business.
Another important policy would cover deployment of web applications. IT often laments its lack of control when departments launch their own independently managed SaaS environments using their own budgets, because data visibility and security are lost. Your cloud governance policy must describe exactly how and when SaaS is acceptable. If you wish to clamp down on shadow IT, then include a process for requesting new IT-sanctioned apps to meet a new business initiative.
Other factors include standards for design of infrastructure, resilience, backup / disaster recovery, monitoring infrastructure and applications, and programming standards. Security must be factored in — a cloud governance policy almost always includes a specific way to access cloud services, usually a central login point. More sensitive data and specific applications may be limited only to relevant employees with the correct authorization and permissions level.
The complete cloud governance policy should be a road map for your cloud consumption. How do you plan a new deployment? Where do you gather proposals from service providers? Who evaluates them? How do you architect the cloud to integrate with other systems? What is the deployment process? How might you switch your applications from one provider to another? How might you move from a cloud back to on-premises infrastructure, if necessary?
This plan operates across four levels of cloud governance:
It must consider four operations categories at each of those levels:
Examine each of the levels of governance and how each operations category works within them. This is a great launch point for your cloud governance policy.
Without a strong policy guide, a lack of cloud governance can lead to security holes, cloud sprawl, integration problems or information silos, shadow IT, and redundant, expensive applications. If you lack a cloud governance document, now is the time to start crafting one.