Progress gets made when everyone pulls in the same direction. That’s the purpose of governance — first of corporate governance and then IT governance, of which cloud governance is a component. Governance establishes the decision-making framework and the processes that direct investment decisions and value creation in an organization.
Imagine what would happen without cloud governance. Workers could purchase their own cloud services over the Internet unchecked. Departments would use any Software as a Service (SaaS) they thought they needed, regardless of compliance or interoperability concerns. Access controls and auditability of accounts would be haphazard at best.
Wait. That’s pretty much what is happening.
With more workloads going into the cloud and early steps being taken toward hybrid cloud strategies, cloud governance is becoming a larger issue. Enterprises have complex many-to-many relationships between their workloads, user groups, deployment environments, security zones, departmental usage policies, industry regulations, geographic restrictions, etc.
Cloud governance is essential to maintaining security and control over all that, while also driving effective strategic, business-driven and financial value from cloud service investments.
As IT and business management are all too aware, immediate and serious consequences arise when data is exposed, services crash, regulations are violated, backup plans are overlooked or IT policies are not consistently enforced. The challenge becomes how to create and enforce policies and governance in an automated way, while not making them so inflexible that the productivity and creativity of end users are sapped.
How might policy-driven governance for cloud computing be applied? Of course, it’s not cookie-cutter; each organization will have a governance framework and policies unique to its own situation and goals. By way of example, however, a financial institution or bank using a cloud provider for back-office operations will require that monetary transactions, transaction reconciliation reports, and reports on portfolio holdings and other areas reported to regulators are dependably processed by the cloud provider. In healthcare, governance will specifically include HIPAA compliance and the ability to secure and protect patient information. Other instances may demand having secure communications with trusted suppliers, or knowing that intellectual property or proprietary product designs are safe and secure.
Implementing comprehensive governance and policies internally is difficult enough. Finding cloud service providers (CSPs) prepared to embrace and deliver on governance requirements of concerned customers is a more difficult challenge.
We’ve often said that not all CSPs are created equal. CSPs choose what type of provider they wish to be, including whether or not governance requirements of customers will be an important aspect of their services portfolio. They may choose to be casual about availability, hiding behind the presumption by customers that downtime is a fact of life. They may decide that the cost and effort of multi-tier security, regulatory compliance and independent auditing are not burdens they wish to bear in their high-volume, low-cost business model. Their disaster recovery services, if any, will not satisfy RTO/RPO measures needed to protect and recover personally identifiable information in accordance with industry or government mandates.
At Peak 10, we believe that IT governance is about creating value for stakeholders based on the direction given by those who govern … what is to be achieved by leveraging IT resources. IT management (supply-side governance) is about the “how” of planning, organizing, directing and controlling the use of IT resources. The type of CSP we choose to be is one committed to having the means by which we, as a CSP and a business and technology partner, can deliver the essential services and capabilities needed.
With the emergence of hybrid cloud frameworks – provisioning and managing varied and multiple cloud instances as a single cloud entity – IT and cloud governance must have reign over the strategy and processes used in the creation of this complex, multi-faceted, many-types “one cloud.” Dynamically adjusting to the optimum set of cloud services at any given point in time is the direction IT and cloud computing are moving. It’s critical that it’s all pulling in the same direction.
Parts 2 and 3 of In Pursuit of “One Cloud” will explore “cloud sprawl” and “cloud consolidation.”