What is ‘Cloud Governance’? I hear about this concept all the time, but what does it truly mean? Forrester defines governance as “the ability to provide strategic direction, track performance, allocate resources, and make adjustments to ensure that organizational objectives are met, without breaching the parameters of risk tolerance or compliance obligations.” [1] Now let’s apply this concept to public cloud operations. Cloud Governance is the people, process, and technology associated with your cloud infrastructure, security, and operations. This should not be confused with cloud management, Forrester cautions. Governance involves a framework with a set of policies and standard practices. This could include policies for cost optimization, resiliency, security, or compliance.
[1] Source: Adapt Your Governance Framework For The Cloud, Forrester Research, Inc., November 14, 2017
Why is cloud governance so important?
In the public cloud, because decisions are made in a decentralized manner and at a rapid pace, a governance model or policy becomes critical for keeping the entire organization on track.
Forrester also points out that in the cloud era, the key metric becomes speed, making it more likely that best practices may be circumvented:
“As firms measure their product teams less on perfection and more on speed and time-to-market, this mentality is at odds with traditional compliance checks and security processes. Managers need a way to provide best practices and perform automated integrity checks without hindering the speed of product development.” [2]
The end result: without governance, you will quickly find your cloud environment spiraling out of control. Between the pace of change in environments, new services being adopted by engineering, and the rapid growth in many cloud environments, there is no way you and your team can keep up without a governance strategy.
Getting started with cloud governance
Now that you’ve decided you need a cloud governance strategy, how can you get started? Forrester recommends a federated approach to continuous improvement and management, with a centralized cloud advisory board. This cross-functional team can identify common practices and requirements and act as consultants to different groups. An operational extension of this team, the cloud management function, can help with standardizing practices, defining standards and best practices, and automating policy enforcement. In highly distributed and siloed organizations, it is especially helpful to assemble a community of practitioners who can exchange best practices. This may take the form of a wiki or a Slack channel, or the group may decide to meet in person.
Additionally, creating a Cloud Center of Excellence (CCoE) can accelerate your company’s path to strong cloud governance. A CCoE is a cross-functional working group that governs the usage of the cloud across an organization and drives best practices across functions. The CCoE spans three areas of excellence: cloud financial management, cloud operations, and cloud security compliance. By creating a CCoE, your company can bring visibility, optimization, governance and automation, and business integration to your cloud environment.
The final component required to turn a cloud governance dream into a reality is a management solution that can help with both monitoring and defining policies. This solution must be able to look at the cloud environment on both a granular (micro) and aggregate (macro) level, help identify trends, and break down cost, usage, performance, and security by the different teams that consume resources. Lastly, this solution must be able to set predefined policies and then monitor for when the infrastructure is in violation of a policy. For example, you might have a policy that snapshots should be deleted after 4 weeks, for both cost savings and compliance purposes. But without a centralized platform to continuously monitor snapshot age and then terminate the snapshots when they reach the limit, it’s nearly impossible to enforce. Forrester says:
“Manual policy checks will not scale and are prone to human error. Central management teams should provide tools to automate security checks, monitor usage, and automatically spot and flag improper usage.”
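The snapshot-age policy described above, written as an added policy-as-code check that is not part of the original post: it evaluates a constructed snapshot inventory against the 4-week limit, breaks violations down by consuming team, and reports in dry-run mode before anything is terminated (the record field names, the `retain` exemption tag and the `delete` callback are assumptions, not any vendor's API).

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample inventory, not real cloud data; field names are assumptions.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SNAPSHOTS = [
    {"id": "snap-0001", "team": "payments", "created": NOW - timedelta(days=40), "tags": {}},
    {"id": "snap-0002", "team": "payments", "created": NOW - timedelta(days=3), "tags": {}},
    {"id": "snap-0003", "team": "analytics", "created": NOW - timedelta(days=60),
     "tags": {"retain": "legal-hold"}},  # assumed exemption tag
    {"id": "snap-0004", "team": "analytics", "created": NOW - timedelta(days=29), "tags": {}},
]

MAX_AGE = timedelta(weeks=4)  # the page's "deleted after 4 weeks" policy


def evaluate(snapshots, now=NOW, max_age=MAX_AGE):
    """Return snapshots violating the age policy, oldest first (the micro view).
    A 'retain' tag (assumed convention) exempts a snapshot so a legal hold is never deleted."""
    violations = []
    for snap in snapshots:
        age = now - snap["created"]
        if age > max_age and "retain" not in snap["tags"]:
            violations.append({"id": snap["id"], "team": snap["team"], "age_days": age.days})
    return sorted(violations, key=lambda v: -v["age_days"])


def by_team(violations):
    """Macro view: number of violations per team that consumes resources."""
    return dict(Counter(v["team"] for v in violations))


def enforce(violations, delete, dry_run=True):
    """Terminate violating snapshots through the supplied delete callback.
    dry_run=True only reports, so the policy can be monitored before it is enforced."""
    actions = []
    for v in violations:
        actions.append(("would-delete" if dry_run else "deleted", v["id"]))
        if not dry_run:
            delete(v["id"])
    return actions


if __name__ == "__main__":
    found = evaluate(SNAPSHOTS)
    print(by_team(found))  # {'payments': 1, 'analytics': 1}
    for action in enforce(found, delete=lambda snap_id: None):
        print(*action)
```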