The best practices for governance in the cloud for AWS and Azure apply to any business that uses any combination of cloud services from any combination of cloud service providers, whether the business operates in a single cloud, multicloud or hybrid cloud environment.
Before discussing best practices for governance in the cloud for AWS and Azure (or for any cloud service), let’s define cloud governance and discuss why it needs best practices. This is necessary because the terms “cloud governance” and “cloud management” are often used interchangeably, and what might be a best cloud governance practice may not necessarily be a best cloud management practice.
In Forrester’s “Adapt Your Governance Framework for the Cloud” report (paywall), governance is defined as “the ability to provide strategic direction, track performance, allocate resources, and make adjustments to ensure that organizational objectives are met without breaching the parameters of risk tolerance or compliance obligations”. This definition applies to the governance of a cloud-based IT infrastructure as much as to the governance of an on-premises IT infrastructure.
According to Forrester, cloud governance is creating the rules under which a business operates in the cloud, monitoring activity to ensure compliance with the rules and adjusting them as necessary to achieve the business’s cloud operation objectives.
The report also says that businesses migrating from an on-premises IT infrastructure to a cloud-based IT infrastructure must adapt existing governance policies to effectively manage cloud services without devaluing the benefits of the cloud. It notes that while it’s relatively straightforward for businesses operating a solely on-premises IT infrastructure to manually enforce governance policies, governance is much harder to enforce in a rapidly evolving, decentralized cloud environment.
Best practices for governance in the cloud are necessary precisely because governance is much harder to enforce in a rapidly evolving, decentralized cloud environment. When businesses operate a solely on-premises IT environment, there are limits to how far users can deviate from the “strategic direction”. In the self-provisioning environment of the cloud, these limits don’t exist. Therefore, effective governance is essential to ensure control is maintained over costs, performance, and security.
The objectives of best practices for governance in the cloud are to maximize visibility, maintain control, and ensure compliance. Consequently, best practices not only relate to optimizing costs and performance, but also to establishing safeguards for any cloud-related event that may impact operations, finances, and security.
Without cloud governance best practices that cover every aspect of a business’s cloud activities, there is a risk of a “Shadow IT” environment developing. There is no doubt Shadow IT can have its benefits, but the uncontrolled use of unapproved assets creates numerous weak spots, leads to inefficiencies (both financial and operational), and allows cybersecurity threats to go unidentified. In 2011, Gartner predicted 35% of IT spend would be managed outside the IT department due to Shadow IT.
What are the Best Practices for Governance in the Cloud?
The exact best practices for governance in the cloud vary according to each business’s specific objectives and the stage the business has reached in its cloud journey. Typically, the execution of best practices relies on being able to see what the business’s assets consist of, analyze performance against costs, and address risks. To achieve this, businesses should conduct an inventory of their on-premises and cloud-based IT resources.
Each resource needs to be tagged in order to allocate costs and identify trends. At this stage, it’s important to implement and enforce a global tagging policy, so costs and performance are accurately analyzed. To help with this process, we have written a companion blog, “8 Tag Categories You Must Include in Your Cloud Tagging Strategy”. We would add that it’s important for businesses using a multicloud strategy to make sure they are aware of each cloud provider’s tagging limitations.
Thereafter, with total visibility of the business’s resources, governance policies are easier to create. However, as Forrester points out, governance is much harder to enforce in the cloud. Therefore, in order to monitor cloud activity and enforce governance policies, many businesses are relying on cloud management platforms such as CloudHealth, which can automate the governance process and alert businesses to violations of governance policies.