The term cloud computing governance relates to the rules under which businesses operate in the cloud and how they’re enforced. The rules should be aligned with the business’s objectives of operating in the cloud, encourage innovation, and mitigate the risks of data loss and regulatory non-compliance.
When a business operates an on-premises IT infrastructure, the “rules of operation” relating to cost, performance, and security are straightforward and easy to enforce. The costs of the infrastructure are mostly capital expenses. The software and applications running in the infrastructure are usually approved and governed by a centralized IT department; and firewalls protect the business’s data.
When a business operates in the cloud, the “rules of operation” may be the same, but they’re much more difficult to enforce. Due to the self-provisioning nature of the cloud, costs are now fluid operating expenses, software and apps can be downloaded with the click of a mouse, and there are no firewalls to protect the business’s data from theft or unauthorized disclosure.
Being unable to enforce the rules of operation creates risks. Costs can spiral out of control, line-of-business “Shadow IT” environments develop independently of the centralized IT department, and there are no controls over where data is or how it’s protected - not only placing the business at risk of data loss, but also at risk of non-compliance with industry privacy and security standards.
The Objectives of Cloud Computing Governance
The likelihood is that, due to the different operating structure, a different set of rules will be required to govern how the business operates in the cloud. These rules should take into account the business’s goals, the needs of each department, and the best practices for data security. Taking into account the needs of each department is important in order to encourage innovation and prevent further Shadow IT environments developing out of sight - and out of control - of the centralized IT department.
The rules should cover the what, when, and how of operating in the cloud - for example, what cloud services can be used, when users should download other software and apps (usually involving an approval process), and how data must be protected. Everybody needs to understand why these cloud computing governance rules are in place so the business avoids overspends, eliminates uncontrolled Shadow IT and mitigates the risk of data loss and regulatory non-compliance.
The Importance of Enforcing Cloud Computing Governance Rules
It’s important that cloud computing governance rules are enforced - and seen to be enforced. It’s not necessarily the case users will deliberately breach the rules; it’s more likely that lapses in concentration or forgetfulness will result in human errors. Whereas in an on-premises IT environment, human errors can be limited in their impact, in the cloud the consequences can be substantial.
Seeing that you’re enforcing cloud computing governance rules will often have the effect of reducing human errors. Often, when mistakes have been identified and demonstrated to the offender, the offender takes more care in the future. However, because of the potentially substantial consequences of mistakes in the cloud, you’ll still need to have mechanisms in place to actively enforce the rules.
How to Best Enforce Cloud Computing Governance Rules
There are two main ways to enforce cloud computing governance rules - manually and automatically. The manual option involves constantly monitoring the cloud environment looking for breaches of the rules or events that could lead to a breach of the rules. Automatic cloud computing governance enforcement involves comparatively minimal effort once you have an understanding of automation.
Automation in terms of enforcing cloud computing governance rules means using a software solution to monitor the cloud environment on your behalf that alerts you to potential breaches. The benefits of automation are that the solution monitors the cloud environment around the clock and can be configured to take specific actions (rather than alerting you) in the event of a critical breach.
Examples of Automated Governance at Work
In most use cases, automated governance solutions are configured to send email notifications in the event of (for example) a potential budget overspend, an opportunity to take advantage of a committed use discount, or when performance metrics indicate an asset requires right-sizing. However, automated governance solutions such as CloudHealth can also be configured to take specific actions. For example:
- If a VM is assigned a non-U.S. region, exceeds the permitted maximum capacity, or is launched outside normal working hours, CloudHealth can automatically terminate the asset.
- If CloudHealth identifies an unencrypted storage volume tagged PII, or a publicly accessible storage volume, the solution can encrypt the volume and restrict access.
- If a user account is identified with multi-factor authentication disabled or with root account API access, CloudHealth can revoke access to the account.
- Similarly, CloudHealth can revoke access to accounts that launch assets out of the normal range, out of normal working hours, or that are logged into from an unrecognized IP address.
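As an added illustration of the kind of rule evaluation such a solution performs (this is not CloudHealth’s code), the following Python applies the rules in the list above to a constructed inventory and reports each violation with the remediation action the rule prescribes; the allowed regions, capacity limit, working hours and known IP addresses are assumed values, since the article gives none.

```python
# Assumed policy parameters; the page names the rules but not these values.
ALLOWED_REGIONS = {"us-east-1", "us-west-2"}
MAX_VCPUS = 16
WORK_HOURS = range(8, 18)  # launches allowed 08:00-17:59 local time
KNOWN_IPS = {"203.0.113.10"}  # documentation-range address, constructed

# Each rule: (resource kind, rule name, predicate over one record, action).
RULES = [
    ("vm", "non-us-region", lambda r: r["region"] not in ALLOWED_REGIONS, "terminate"),
    ("vm", "exceeds-capacity", lambda r: r["vcpus"] > MAX_VCPUS, "terminate"),
    ("vm", "launched-out-of-hours", lambda r: r["launch_hour"] not in WORK_HOURS, "terminate"),
    ("volume", "pii-unencrypted", lambda r: "PII" in r["tags"] and not r["encrypted"], "encrypt"),
    ("volume", "publicly-accessible", lambda r: r["public"], "restrict-access"),
    ("user", "mfa-disabled", lambda r: not r["mfa_enabled"], "revoke-access"),
    ("user", "root-api-access", lambda r: r["root_api_keys"] > 0, "revoke-access"),
    ("user", "unrecognized-login-ip", lambda r: r["last_login_ip"] not in KNOWN_IPS, "revoke-access"),
]

def evaluate(inventory):
    """Return (resource id, rule name, action) for every rule a record violates."""
    findings = []
    for kind, name, predicate, action in RULES:
        for record in inventory.get(kind, []):
            if predicate(record):
                findings.append((record["id"], name, action))
    return findings

def actions_for(inventory, resource_id):
    """Distinct remediation actions for one resource; several rules may share one action."""
    return {action for rid, _, action in evaluate(inventory) if rid == resource_id}

# Constructed sample inventory (not real account data).
SAMPLE_INVENTORY = {
    "vm": [
        {"id": "i-0001", "region": "us-east-1", "vcpus": 4, "launch_hour": 10},
        {"id": "i-0002", "region": "eu-west-1", "vcpus": 32, "launch_hour": 23},
    ],
    "volume": [
        {"id": "vol-01", "encrypted": False, "public": False, "tags": {"PII"}},
        {"id": "vol-02", "encrypted": True, "public": True, "tags": set()},
    ],
    "user": [
        {"id": "alice", "mfa_enabled": True, "root_api_keys": 0, "last_login_ip": "203.0.113.10"},
        {"id": "root", "mfa_enabled": False, "root_api_keys": 1, "last_login_ip": "198.51.100.7"},
    ],
}

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_INVENTORY):
        print(finding)
```

A real deployment would feed `evaluate` from the provider’s inventory API and route the findings to notification or remediation, with the automatic actions reserved for the rules the business classes as critical.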
Find Out More about Enforcing Cloud Computing Governance with Automation
If you’d like to know more about enforcing cloud computing governance with automation, feel free to get in touch. Our team of cloud experts will be happy to answer your questions and will invite you to take advantage of a demonstration tailored to your requirements. You’ll also be offered a free trial of CloudHealth which not only gives you the opportunity to enforce cloud computing governance with automation, but also to experience CloudHealth’s other capabilities.