At a high level, the goal of governance is to ensure that we are doing the right things in the right way. The questions we are trying to answer are the following:
- Are we doing the right thing?
- Are we doing it in the right way?
- How can we understand it?
Cloud computing governance is a comprehensive view of IT governance focused on responsibility, on defining the right decisions, and on balancing benefit/value, risk and resources inside a Cloud ecosystem. Governance helps us ensure that every Cloud-related expense is aligned with business objectives; it promotes data integrity, fosters technology innovation and mitigates the risk of data loss or non-compliance.
We can say that Cloud governance is an extension of IT governance: something to integrate into the governance that already exists inside the organization, not a replacement for it.
We need to distinguish between governance and management, because the two are sometimes confused. Governance defines the strategic direction and establishes an enabling system inside the organization. Management uses that enabling system to put the strategic direction set by governance into practice.
Every governance effort starts from principles, and cloud governance also needs adequate principles to be defined. A good starting point is the ISO/IEC 38500 standard (Information technology — Governance of IT for the organization), which sets out six principles:
- Responsibility: responsibility for the use of IT systems should be clearly assigned to individuals or groups;
- Strategy: the organization's business strategy, at a high level, should consider and define the IT direction, providing the basis for correctly aligning activities with the organization's needs;
- Acquisition: decisions to invest in and acquire IT assets should be taken for valid reasons and against clear success factors. These factors should cover not only the ongoing business but also future changes and challenges;
- Performance: IT service demand and capacity, both for day-to-day operation and for new system development, should be balanced to ensure a good level of performance;
- Conformance: all internal or external policies and practices relating to the use of IT must be formally identified, defined, clearly communicated, implemented and enforced;
- Human behaviour: the people involved in IT processes, policies, practices and decisions must always be respected.
Nowadays there are many IT governance frameworks, among which the most important are:
- TOGAF 9.1: an Open Group standard. The framework provides governance guidelines for enterprise architecture;
- COBIT 5: a framework for IT governance;
- ITIL v3: it defines guidelines for the governance of service management. It is very important for cloud computing governance;
- The Open Group SOA Governance Framework: it provides governance guidelines for service-oriented architecture.
Cloud computing governance is intended as a subset of IT governance and Enterprise Architecture governance, containing all the unique features that are essential to governing the Cloud.
The principles drive the design of Cloud governance and define its behaviour. They give a common thread and theme to every Cloud-related decision, providing a compass to the accountable people at all levels of the organization. As we have seen, the ISO 38500 standard, Corporate Governance of Information Technology, defines six fundamental principles: responsibility, strategy, acquisition, performance, conformance and human behaviour. These principles are internationally recognized best practices and should form the basis on which each company compiles its own specific cloud governance principles. The criteria for building efficient principles can differ from one organization to another, because organizations can be very different, but there are principles that every organization using Cloud services should strongly keep in mind:
- compliance with policies and standards;
- business goals must guide the Cloud strategy;
- contracts between the participating entities of the Cloud ecosystem;
- adoption of well-defined change management processes;
- application of monitoring processes to achieve continuous improvement.
Cloud standards should be open, consistent and complementary to the main industry standards, and adopted by the big companies. The Cloud ecosystem has a broad range of services, partners and suppliers; https://landscape.cncf.io gives an idea of how vast that range is. Compliance with standards and policies ensures a consistent, integrated and complete approach across the ecosystem for preventing, mitigating and dealing with the specific risks of cloud solutions (including security, business continuity, etc.). Using open standards gives a great benefit in terms of interoperability, often a fundamental need in a Cloud environment. It also avoids lock-in to a single provider, leaving the freedom to migrate to or combine different providers.
The Cloud strategy should be integrated with the organization's overall IT strategy. The Cloud enables a broad range of features that let a company grow in an agile, flexible and cheap way. Thus, both business and IT objectives should drive the cloud transformation and be part of one global strategy.
A clear set of policies and agreements that define the interactions between stakeholders is essential to guarantee a healthy coexistence in the Cloud ecosystem.
The cloud ecosystem includes both external and internal stakeholders of the organization. Contracts provide clarity on responsibility and authority among stakeholders, so it is essential to have a working agreement among them. The service level agreement (SLA) is fundamental for efficient use of the Cloud, especially where the financial or other impact is high, and for this reason it should be formally declared.
Change should be practised and applied consistently, in a standardized way, across all components of the company's cloud ecosystem.
A Cloud ecosystem is composed of a vast network of interconnected components, in which a single change to one of them can have an impact on all systems. This type of ecosystem needs a coherent operating model to adapt to different perspectives. The lack of a well-defined change management process can compromise the end-to-end interoperability of the cloud ecosystem, because of interruptions caused by unwanted changes.
The cloud governance process must monitor events and key factors in order to achieve continuous improvement. Companies are always changing because of market demand and the evolution of company targets; therefore the Cloud computing process will always need continuous change to stay aligned with them.
Principles are fundamental for all kinds of governance, not only for the Cloud. Principles can differ from company to company, and that is fine, but having no principles at all is not.
- ISO/IEC 17788:2014, Information Technology – Cloud Computing – Overview and Vocabulary (www.iso.org/iso/catalogue_detail?csnumber=605455)
- ISO/IEC 17789:2014, Information Technology – Cloud Computing – Reference Architecture (www.iso.org/iso/catalogue_detail?csnumber=60545)
- National Institute of Standards and Technology, Special Publication 500-291
- The Open Group (http://www.opengroup.org)
- Fulton, Lita. Cloud Governance and Management Made Simple: Practical Step-by-Step Guide for Small and Mid-Sized Organizations