
How to design and implement a cloud governance framework

An organization that wants to control its cloud environment should look closely at how well it adheres to these four key pillars of cloud governance.

Cloud computing enables faster, more agile responses to changing business demands than previous ways of delivering IT services. Along with its numerous benefits, cloud also introduces a significant risk: loss of control. This can lead to cost overruns, inefficient use of cloud resources, security breaches, data leaks and failure to meet compliance obligations.

Fortunately, we already know how to mitigate that risk with good cloud computing governance practices. A cloud governance framework is not a new set of concepts or practices, but simply the application of those practices to our cloud operations.

To institute proper controls and optimize the use of cloud services, consider these four pillars of a cloud governance framework as essential:

  • financial management
  • operations management
  • security and compliance management
  • data management

1. Financial management

An unwelcome rite of passage has emerged in enterprise IT: surviving the first explosively high cloud computing bill. Cloud service providers and advocates rightly argue that it makes more financial sense to use cloud services than to pay for and manage your own infrastructure. That checks out, but only if you effectively control your cloud costs. This requires three management structures: policies, budgets and reporting.

Financial management policies provide a framework for making business decisions about cloud resources. For example, one organization might opt to use managed services as much as possible to reduce the cost of operational overhead. Another business could choose to define a checklist of cost management steps to follow before it deploys a new service to a public cloud.

Budgets are well understood, but it can be difficult to estimate costs -- especially when cloud providers do not provide detailed information about charges in an easily accessible way. For example, to find the total cost to store backup snapshots, a business might need to search across regions, accounts and cloud services to collect all instances of those backups. Develop a plan for how you'll gather the information you need to create and track budgets. Most cloud vendors provide cost reporting tools. If those do not meet your needs, look to third-party services to fill that gap.

In addition to reporting for budget purposes, include policies around cost alerts. When your cloud environment has exceeded 50% of its budget 25% of the way through a given month, for example, an alert gives you time to adjust.
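The pacing check described above, written out as an added example that is not code from the original article. It aggregates constructed daily cost records across accounts and services, compares month-to-date spend with each account's budget at the current point in the month, and raises an alert when spend is running ahead of budget. It goes slightly beyond the single 50%-at-25% rule by expressing checkpoints as data, so later checkpoints can be added; the 30-day month, the budgets, the extra checkpoints and the cost records are all constructed sample values.

```python
"""Cloud budget pacing check: flags accounts whose month-to-date spend is
running ahead of budget.

Added example, not code from the original article. The 30-day month, the
account budgets, the alert checkpoints beyond the article's 50%-at-25% rule
and the daily cost records are all constructed sample values.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CostRecord:
    account: str
    service: str
    day: int          # day of month, 1-based
    cost_usd: float


# Constructed sample: daily charges gathered across accounts and services for
# days 1-8 of the month, the way a cost report would be assembled.
SAMPLE_RECORDS = (
    [CostRecord("prod", "compute", d, 1500.0) for d in range(1, 9)]
    + [CostRecord("prod", "storage", d, 200.0) for d in range(1, 9)]
    + [CostRecord("dev", "compute", d, 300.0) for d in range(1, 9)]
    + [CostRecord("analytics", "warehouse", d, 1000.0) for d in range(1, 9)]
    + [CostRecord("sandbox", "compute", 3, 50.0)]   # no budget defined for this account
)

# Constructed monthly budgets in USD per account.
SAMPLE_BUDGETS = {"prod": 40000.0, "dev": 12000.0, "analytics": 12000.0}

# Pacing checkpoints as (elapsed_fraction, spend_fraction): once elapsed_fraction
# of the month has passed, spending more than spend_fraction of the budget fires
# an alert. The first rule is the article's example; the rest are constructed.
DEFAULT_RULES = ((0.25, 0.50), (0.50, 0.75), (0.75, 0.95))


def spend_by_account(records):
    """Sum cost records into a {account: month-to-date spend} map."""
    totals = defaultdict(float)
    for r in records:
        totals[r.account] += r.cost_usd
    return dict(totals)


def pacing_alerts(records, budgets, day_of_month, days_in_month=30, rules=DEFAULT_RULES):
    """Return {account: (spent, projected_month_end, fraction_of_budget)} for
    every budgeted account that breaches a checkpoint already reached.

    projected_month_end is a straight-line estimate: spend to date divided by
    the fraction of the month elapsed.
    """
    elapsed = day_of_month / days_in_month
    alerts = {}
    for account, spent in spend_by_account(records).items():
        budget = budgets.get(account)
        if budget is None:
            continue  # reported separately by unbudgeted_accounts()
        fraction = spent / budget
        if any(elapsed >= e and fraction > s for e, s in rules):
            alerts[account] = (round(spent, 2), round(spent / elapsed, 2), round(fraction, 3))
    return alerts


def unbudgeted_accounts(records, budgets):
    """Accounts that incur spend without a budget: a governance gap to report."""
    return sorted(a for a in spend_by_account(records) if a not in budgets)


if __name__ == "__main__":
    print("alerts on day 8:", pacing_alerts(SAMPLE_RECORDS, SAMPLE_BUDGETS, 8))
    print("unbudgeted:", unbudgeted_accounts(SAMPLE_RECORDS, SAMPLE_BUDGETS))
```

On day 8 of the sample month, the analytics account has spent two thirds of its budget with only a quarter of the month gone and is flagged with a projected month-end spend of 30,000; the sandbox account is surfaced separately because it has charges but no budget, which is exactly the kind of unmanaged resource the reporting plan should catch.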

2. Operations management

The focus of operations management is to control how cloud resources deliver services. A lot is involved in this, including how to:

  • define processes for creating new services, which includes setting service-level agreements (SLAs) and allocating resources;
  • deploy application code to various environments, particularly production environments; and
  • monitor the state of services to ensure SLAs are met.

Say a developer or product manager asks, "How can we deliver this new application to our customers?" The answer should be found in a well-defined operations policy. This includes how to coordinate with the operations team; how to specify identity and access management requirements; how to estimate compute, storage and network requirements; and how to meet monitoring and logging requirements.

A clear, well-defined operations management practice is one of the best ways to prevent shadow IT operations from creeping into your cloud environment. Good cost monitoring and performance monitoring can also help identify cloud resources that are not being formally managed.

3. Security and compliance management

Cloud governance includes the same security topics you would find in any enterprise security effort: risk assessment, identity and access management, data encryption and key management, application security, contingency planning, as well as other areas. From a governance perspective, the objectives of information security practices are shaped by a combination of business objectives and regulations.

The first step to formulate your information security practices is to identify key business drivers, which often require tradeoffs between business expediency and security risks, and the government and industry security regulations that apply to your business.

A governance model should build on existing governance policies and frameworks, including cybersecurity, privacy and risk management. See, for example, the National Institute of Standards and Technology cybersecurity resources for details. Also, take advantage of the specialized security services from whichever of the big public cloud providers you work with to mitigate the risk of data leaks, denial-of-service attacks and other common threats.

4. Data management

As the ability to collect, store and analyze data expands, so does the difficulty in effectively managing that data. Your governance strategy and practices should include clear guidance for how to manage the full lifecycle of data in your organization.

Begin with a data-classification scheme. Not all data is equally valuable or needs comparable levels of security. Sensitive and confidential data warrant more security controls than public information. The best practice for data in the cloud is to encrypt all data in transit and at rest -- consider this your default behavior. Other controls, such as who you allow to access or update particular data types, will vary according to the data classification and functional requirements around how the data is used.

Governance policies should help data owners, product managers and application developers understand how to protect data based on its classification. This includes guidance on how to manage the lifecycle of data, including how long to store data and when to move data from high-performance, high-cost storage systems to lower-cost archival systems. Manual data lifecycle management does not scale well, and it is prone to errors. Take advantage of cloud providers' data management tools to automatically migrate data to different storage systems or delete data that is no longer useful.
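The two preceding paragraphs, classification-driven controls and automated lifecycle handling, combined into one added example that is not code from the original article. The classification tiers, the controls required per tier, the retention periods and the sample inventory are all constructed; the point is that once classification is recorded as data, both the required protections (encryption in transit and at rest as the default for every tier) and the keep/archive/delete decision for every object follow mechanically from it rather than from manual review.

```python
"""Classification-driven data controls and lifecycle decisions.

Added example, not code from the original article. The classification tiers,
the controls required per tier, the retention periods and the sample objects
are all constructed placeholders.
"""
from dataclasses import dataclass, field

# Controls required per tier. Encryption in transit and at rest is the default
# for every tier; access controls tighten as sensitivity rises (constructed).
REQUIRED_CONTROLS = {
    "public": {"encrypt_in_transit", "encrypt_at_rest"},
    "internal": {"encrypt_in_transit", "encrypt_at_rest", "authenticated_access"},
    "confidential": {"encrypt_in_transit", "encrypt_at_rest", "authenticated_access",
                     "role_restricted"},
    "restricted": {"encrypt_in_transit", "encrypt_at_rest", "authenticated_access",
                   "role_restricted", "customer_managed_key", "access_logging"},
}

# Lifecycle per tier as (archive_after_days, delete_after_days); None = never.
# Figures are constructed placeholders, not regulatory retention periods.
LIFECYCLE = {
    "public": (30, None),
    "internal": (90, 365),
    "confidential": (180, 730),
    "restricted": (365, 2555),
}


@dataclass
class DataObject:
    name: str
    classification: str
    age_days: int
    storage: str                      # "hot" (high-performance) or "archive"
    controls: set = field(default_factory=set)


def missing_controls(obj):
    """Controls the classification requires that the object does not have."""
    return sorted(REQUIRED_CONTROLS[obj.classification] - obj.controls)


def lifecycle_action(obj):
    """Decide 'delete', 'archive' or 'keep' from the tier's rules and the object's age."""
    archive_after, delete_after = LIFECYCLE[obj.classification]
    if delete_after is not None and obj.age_days >= delete_after:
        return "delete"
    if obj.age_days >= archive_after and obj.storage == "hot":
        return "archive"
    return "keep"


def evaluate(objects):
    """Return {name: {"action": ..., "missing": [...]}}. Objects whose
    classification is not in the scheme get action 'unclassified', since no
    control or retention decision can be made for them."""
    findings = {}
    for obj in objects:
        if obj.classification not in REQUIRED_CONTROLS:
            findings[obj.name] = {"action": "unclassified", "missing": []}
            continue
        findings[obj.name] = {"action": lifecycle_action(obj),
                              "missing": missing_controls(obj)}
    return findings


ENCRYPTED = {"encrypt_in_transit", "encrypt_at_rest"}

# Constructed sample inventory.
SAMPLE_OBJECTS = [
    DataObject("marketing-site-assets", "public", 10, "hot", set(ENCRYPTED)),
    DataObject("hr-records-2019", "restricted", 400, "hot",
               ENCRYPTED | {"authenticated_access", "role_restricted"}),
    DataObject("build-logs", "internal", 400, "archive",
               ENCRYPTED | {"authenticated_access"}),
    DataObject("analytics-export", "confidential", 200, "archive",
               ENCRYPTED | {"authenticated_access", "role_restricted"}),
    DataObject("mystery-dump", "unknown", 5, "hot", set()),
]


if __name__ == "__main__":
    for name, finding in evaluate(SAMPLE_OBJECTS).items():
        print(f"{name}: {finding['action']}, missing controls: {finding['missing']}")
```

Running it over the sample inventory reports the restricted HR records as due for archival and short of two required controls, the year-old internal build logs as due for deletion, and the unclassified dump as something no policy can act on until an owner classifies it. The same evaluation output is what you would feed to a provider's lifecycle tooling rather than acting on it by hand.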

The importance of the cloud governance framework

A cloud management strategy must account for these four key pillars of cloud governance, but they are not independent, isolated objectives. Data management and security are tightly coupled. Operations management and cost controls also overlap and influence each other. Operations management also helps shape the implementation of data lifecycle management policies.

These four elements influence and, in some cases, constrain each other. Developers and product managers may want to employ a specialized data loss protection service to enhance security, but the cost of the service at scale may be prohibitive. This is just one example of how the four pillars of a cloud governance framework can help maintain control and set boundaries across competing interests in an organization.
