Gartner defines IT governance as the process that ensures the effective and efficient use of IT to achieve its goals.
IT Governance creates structure for aligning business strategy with IT strategy and provides ways to measure IT performance and the business benefits being delivered. A good IT governance model will establish clear and consistent direction with standards for people, process and technology to follow.
Cloud Computing introduces several fundamental changes, which require oversight to gain the business agility and reduced technology costs promised by this technology. These changes involve the following:
- Combatting Shadow IT – The business is going to use the cloud with or without IT’s help and guidance. IT must partner with the business to reduce the risks of data leakage, enforce data privacy and centralize the management of emerging technologies. The benefits of uncovering shadow IT are savings from combining contracts and creating Master Services Agreements, the assignment of risk scores to weed out the most threatening instances, and the prevention of data leakage.
- Cloud Services Robustness – Pay-as-you-go, on-demand services on average meet 80% of customer needs, but trade off the consistency and standards that come from in-house solutions built to specific requirements. Over time features do get added, usually as the biggest companies/payers request them. Even with these changes in services, governance-minded IT should optimize the cloud services it buys and only enter into agreements that closely align with business requirements and IT policies. Recently, some enterprise cloud service providers have started to offer a matrix of service-oriented solutions with low, medium and high levels of flexibility, reliability, availability and scalability.
- Shift from Service Operations to Vendor Management and Service Management – When working with vendors and service providers, a number of methods can be used both to protect your company and to provide transparency into your providers and soon-to-be business partners:
  - Non-disclosure agreement
  - Certifications and references
  - Independent auditor reports
- Shift from Operators and Engineers to Tacticians
  - In contrast to heritage environments, where operations staff are used to working day-to-day issues hands-on, tacticians working with the cloud work hands-off with cloud service providers, making short-term, action-oriented decisions as specific incidents arise.
  - The IT Governance challenge is managing operational issues when your organization is no longer the service provider.
- Development of Cloud Strategy
  - Shape of your Cloud – IaaS, PaaS, SaaS
  - The Business Case, including the impact, cost and risk of cloud options
  - Service Delivery Strategy
  - Laws and Regulations
  - Policy, Standards & Controls
  - Cloud Economics
- Development of a Cloud Governance Strategy
  - Policy-based automation
  - Self-service policy
  - Efficient, ethical handling of information (see Data Stewardship Article)
  - Ensuring regulatory compliance over a broader landscape (e.g. Sarbanes-Oxley). IT Governance provides the internal controls and processes to meet these regulations.
  - Cloud Architectures such as Multi-tenancy
  - The ability to determine the optimal mix of Cloud technologies: Public, Private, Hybrid
  - Strategy to Revert or Switch Providers
So why is governance increasingly important in the cloud?
- Missing the time to market / agility – Since you have less control over the development of the cloud provider’s capability/functionality, there may be long development lifecycles. The inability to adroitly roll out competitive functionality can quickly lead to lost customers and profits.
- Poor IT governance is one of the key causes of failure in big business transformation projects, according to Butler Group.
- Poor corporate culture can adversely affect the image and integrity of companies.
- Fundamentally, it is about corporate culture and the way a company conducts its business in an ethical, responsible way. – The Code of Conduct—Laying a Cornerstone for Effective Governance
- Lack of policy, leadership direction, process consistency and automation leads to complexity and can negate the benefits of being in the cloud to begin with. Setting enforceable policy and automation is critical to new-world IT Governance. Scalability and elasticity are needed to meet the demands of different workloads and balance costs.
- The demand for cloud computing is increasing, but business units are often frustrated with the slow response of IT, so they bypass IT and use cloud services in the wild, unsupported, which often results in sensitive data being put where it does not belong. A good IT Governance Strategy will get ahead of this trend by leading standards-based, policy-driven cloud services in a cost-effective manner.
The Ideal Cloud IT Governance Solution
Cloud adoption is inevitable and there is no perfect or one-size-fits-all cloud IT governance solution, but there are core elements that such solutions should have in common.
Cloud Governance should be an extension of your corporate technology architecture or technology lifecycle management process.
This extends the catalog of approved solutions and components in the corporate service catalog to include Cloud “as a Service” offerings such as IaaS, PaaS, SaaS. Critical components include:
- Cloud Security Architecture. Categorically start with Identity and Access Management, which is the most important cloud security measure. Ensure provisioning, de-provisioning (including retiring mobile authorization tokens), authentication, authorization and auditing are included. Data-level controls follow, including encryption at rest, in transit and in use. A strong Public Key Infrastructure (PKI) service, which manages key protection, expiration and provisioning, is a sign of a more mature security posture and governance over corporate data. Data Loss Prevention (DLP) is a must to keep confidential data secure.
- Cloud Data Governance. Start by knowing the value of data, where it should be, and what data it should be mixed with. (See Data Stewardship article)
- Cloud Discovery. Employ solutions (Centrify, CipherCloud, Skyhigh Networks, Netskope, Perspecsys) that discover shadow IT instances, categorize them and associate risks with cloud services, based on egress monitoring. This leads to analysis and creation of standards for cloud protections and governance over this process.
- Cloud Service Management. The use of ITIL-oriented asset management, provisioning and a Configuration Management Database (CMDB) helps provide the common language and continuous improvement to support proper cloud IT governance.
- Cloud Global Risk and Compliance (GRC) extensions. Lastly, threat and risk assessments are imperative to associating cloud use with its assets, and making informed decisions that align to business objectives.
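The egress-based discovery described in the Cloud Discovery item above, sketched as an added example (not code from the original article or from any of the products it names). The log format, the domains, the category map and the risk weights are all constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample egress proxy log: "timestamp user destination_host bytes_uploaded"
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice crm.sanctioned.example 12000
2024-05-01T09:02:10Z bob files.unvetted-share.example 52000000
2024-05-01T09:05:44Z carol files.unvetted-share.example 31000000
2024-05-01T09:07:03Z bob notes.unvetted-notes.example 4000
2024-05-01T09:09:27Z dave crm.sanctioned.example 8000
malformed line without enough fields
2024-05-01T09:11:55Z alice notes.unvetted-notes.example notanumber
"""
# Assumption: the approved service catalog is a set of sanctioned domains.
APPROVED = {"sanctioned.example"}
# Assumption: category lookup and per-category base risk are illustrative values.
CATEGORIES = {"unvetted-share.example": "file sharing", "unvetted-notes.example": "note taking"}
BASE_RISK = {"file sharing": 6, "note taking": 3, "uncategorized": 5}

def registered_domain(host):
    # Simplification: last two labels; real tooling should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def discover(log_text, approved=APPROVED):
    """Return unsanctioned cloud destinations, categorized and ranked by risk."""
    usage = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed records rather than guessing
        _, user, host, bytes_out = parts
        domain = registered_domain(host)
        if domain in approved:
            continue  # sanctioned service, already in the catalog
        usage[domain]["users"].add(user)
        usage[domain]["bytes_out"] += int(bytes_out)
    findings = []
    for domain, u in usage.items():
        category = CATEGORIES.get(domain, "uncategorized")
        score = BASE_RISK[category]
        score += 2 if u["bytes_out"] >= 10_000_000 else 0  # large upload volume
        score += 1 if len(u["users"]) >= 2 else 0          # adoption is spreading
        findings.append({"domain": domain, "category": category,
                         "users": sorted(u["users"]), "bytes_out": u["bytes_out"],
                         "risk": min(score, 10)})
    return sorted(findings, key=lambda f: f["risk"], reverse=True)

if __name__ == "__main__":
    for finding in discover(SAMPLE_LOG):
        print(finding)
```

The ranked findings are the input to the standards and governance step the item mentions: high-scoring services are candidates for blocking or for onboarding into the approved catalog.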
Read Related Blog Article: “Cloud Security: Data Stewardship Guidelines”
Source: Sky Chat IT Blog