Building Cloud Governance From the Basics

Hafiz Sheikh Adnan Ahmed
Author: Hafiz Sheikh Adnan Ahmed, CGEIT, CDPSE, CISO
Date Published: 1 February 2021

Cloud computing and cloud services have become a reality, and they are here to stay. Organizations of all sizes are adopting cloud computing and cloud services. According to Cisco, cloud data centers will process 94% of workloads in 2021. But how many of these organizations have actually defined and developed a cloud governance model and framework?

Enterprises often embark on cloud initiatives without being properly prepared for the complexities they will encounter. The success rate of cloud projects is significantly impacted if governance processes do not directly address cloud characteristics.

Cloud computing governance is a method of information and technology (I&T) governance focused on accountability, defining decision rights and balancing benefit, risk and resources in an environment that embraces cloud computing. This form of governance creates business-driven policies and principles that establish the appropriate degree of investments and control around the life cycle process for cloud computing services. When practicing cloud computing governance, it is critical to manage risk, adapt effectively, ensure continuity and communicate objectives.

Enterprises must develop a clear governance strategy and management plan to obtain the most benefit from their cloud initiatives. These plans should determine the direction and objectives of cloud computing and exploit the opportunity to fully align I&T with the goals of the enterprise and add value to the organization.

Enterprises should begin by establishing cloud computing governance principles. The Open Group has defined 5 cloud computing governance principles that must be adopted and applied across the cloud life cycle:

  1. Compliance with policies and standards—Cloud standards should be open, consistent with and complementary to standards prevalent in the industry and adopted by the enterprise.
  2. Business objectives must drive cloud strategy—Enterprise cloud strategy should be an integral part of the overall business and IT strategy driven by both the “business of the business” and the “business of IT” objectives for the enterprise.
  3. Collaborative contracts between citizens of the cloud ecosystem—A clear set of rules and agreements that define the interaction between stakeholders is essential for enabling their healthy coexistence within the cloud ecosystem.
  4. Adherence to change management processes—Change should be exercised and enforced in a consistent and standardized manner across all constituents in the enterprise’s cloud ecosystem.
  5. Enforcement of vitality processes to achieve continuous improvement—Cloud computing governance processes must dynamically monitor events that trigger continuous improvements.

Once these principles are defined and developed, a cloud computing governance framework must be established. This framework must be a subset of overall business governance which includes I&T and enterprise architecture (EA) governance, and it must contain unique characteristics of all types of governance that are essential to cloud computing governance.

The following 7 steps can be taken to establish a cloud computing governance framework and apply cloud computing governance:

  1. Identify and understand business objectives, determine high-level strategy and identify growth opportunities to realize how cloud technologies can help accelerate the growth.
  2. Develop an enterprise cloud computing strategy, including establishing key performance indicators (KPIs) to realize business goals. Involve stakeholders to ensure that the cloud computing strategy is fully aligned with organizational strategy and objectives.
  3. Review and map the cloud computing life cycle to existing enterprise processes and identify gaps that must be closed to meet the new cloud computing governance requirements.
  4. Prepare the necessary resources for the adoption of cloud computing. Align people, processes and technology, rationalize the current digital state, and address any skills gaps that would deter the use of new technologies.
  5. Ensure appropriate compliance review checkpoints are in place with the associated governing bodies.
  6. Refine existing governance bodies or define new governance bodies to carry out governance processes.
  7. Evolve governance processes along with business outcomes and metrics.

Once the framework is established, the next step is to develop a comprehensive cloud governance model based on the following aspects:

  • Processes—Outline the processes to introduce cloud computing within the organization. All traditional governance frameworks (e.g., IT Infrastructure Library [ITIL] v.4, COBIT® 2019, European Network and Information Security Agency [ENISA], Service Oriented Architecture [SOA]) and International Organization for Standardization (ISO) standards must be referenced to define, document and align with the cloud computing requirements.
  • Organizational structures—Specific roles and responsibilities must be assigned, and specific forums and committees must be formed to discuss cloud initiatives, issues, risk and business benefits.
  • Service life cycle management (SLM)—Create services using the cloud platform and resources. Testing cloud service and establishing criteria to follow when creating a service on top of the cloud should be completed at this point.
  • Service-level agreement (SLA) management—Measure the quality of services and metrics to evaluate and monitor the performance of services. Monitoring and ensuring that SLAs can be met is essential for cloud governance, especially for public cloud.

Why Is Cloud Governance So Important?
Cloud environments can be unruly and unpredictable without effective cloud governance. It is, therefore, very important to have strong cloud governance and management controls in place that are fully aligned with organizational goals and objectives, supportive at all levels of the cloud journey and in sync with the enterprise’s existing frameworks, methodologies and ISO standards.

Hafiz Sheikh Adnan Ahmed, CGEIT, COBIT 5 Assessor, CDPSE, GDPR-CDPO, ISO 20000 LA/LI, ISO 22301 LA/LI, ISO 27001 LA/LI, is a governance, risk and compliance (GRC), information security and IT strategy professional with more than 15 years of industry experience. He serves as a board member of the ISACA® United Arab Emirates (UAE) Chapter, IAPP KnowledgeNet Chapter Chair, and volunteers at the global level of ISACA as a Topic Leader for the Engage online communities. He is also a member of the ISACA IT Advisory Group, the Chapter Compliance Task Force, CGEIT Certification Working Group, an ISACA® Journal article reviewer, and a SheLeadsTech Ambassador. He is a Professional Evaluation and Certification Board (PECB) Certified Trainer and an ISACA-APMG Accredited Trainer. He can be reached via email at adnan.gcu@gmail.com and LinkedIn.