Cloud Governance: Just one-third of IT teams are “very confident” in their company’s ability to operate public cloud environments effectively, according to Dimensional Research – State of Cloud Ops ’23. There are five foundational activities to establish effective, efficient, and scalable cloud governance: (i) define appropriate policies, (ii) define the cloud consumption model, (iii) define cloud service demarcation lines and RACIs, (iv) define controls, and (v) provide real-time visibility.
Define Cloud policies, standards, and associated objectives for (i) security, (ii) cost, and (iii) compliance.
The key purpose of policies and standards is to achieve a desired objective or mitigate a specific risk. Once the desired “outcome” is defined, establishing the method and frequency of measurement is key to achieving and sustaining continual compliance. As part of this process, it is essential to create alignment (agreement) across the organisation’s internal cloud “users” and “providers” regarding the service demarcation lines and the associated roles and responsibilities (RACI). One way to do this is by defining the “cloud consumption models”.
Cloud consumption models – Providing clarity on service demarcation lines.
Defining the internal cloud consumption model provides clarity on the service demarcation lines and associated RACIs. There are three macro cloud consumption models: (i) managed/centralised, (ii) cloud ops, and (iii) federated/decentralised.
(i) Managed/Centralised: All functions regarding the design, provision and operation of cloud are performed by a central cloud team, creating a clear service demarcation line. Users have little or no requirement for cloud skills, and no responsibility for the design, compliance and operation of the cloud environment. Their cloud requirements are submitted via a defined request process which is serviced by the central cloud team, which is responsible for the end-to-end service management lifecycle of internal customer cloud services.
(ii) Cloud Ops: This is a hybrid model where functions regarding the design, provision and operation of cloud are shared between the user and central cloud teams. As an example, the cloud user may be empowered to perform cloud provisioning and change, whilst operational functions such as back-up and security reside with the central cloud team.
(iii) Federated/Decentralised: All functions regarding the design, build and operation of cloud services are the responsibility of the user. The central team has three main responsibilities: (i) management of the shared cloud platform (landing zone); (ii) creation and management of a single-source-of-truth, real-time governance and compliance dashboard (trust/verify model) and reporting service that is offered to cloud users, platform teams, and relevant group IT functions; and (iii) defining and promoting cloud best practice (architectures, designs, patterns etc.), creating repeatable and scalable cloud services and products, and defining and co-ordinating organisation-specific cloud training and enablement programmes.
Define Service Boundaries and Demarcation Lines: Once the internal cloud consumption model(s) are defined, the cloud service demarcation lines can be established, which in turn clearly define the cloud RACI: a matrix that sets out who is Responsible, Accountable, Consulted, or Informed for completing tasks or deliverables associated with cloud usage.
A common issue we see is “cloud demarcation disputes”, resulting in delivery delays, increased risk, cost overruns, and in some cases cancellation of cloud initiatives altogether. This is predominantly seen in the “CloudOps” and “Federated” consumption models where there is ambiguity between central IT and application teams regarding “who is responsible for what”. The key to overcoming these challenges and succeeding with these models is to understand how work ‘flows’ across the service demarcation line, particularly in two respects.
Firstly, we should look to automate interactions across service boundaries as far as possible. When we use manual interactions, or tickets, as the means of crossing service boundaries, we introduce delay, uncertainty, and cost into the workflow. For example, we should be able to entirely automate the onboarding of a new developer into our organisation; having to raise individual tickets is a sign we need to automate the interactions with the central teams that manage identity.
Secondly, resources on one side of a service boundary should avoid performing work that should be performed on the other side. For example, a central platform engineering team should not perform project work for an individual business unit – this generally means they will stop building and maintaining their platform and start directly supporting project activity. The right course of action would be for the business to engage the additional resources they need from elsewhere.
Define controls: Once we understand the policies and service demarcation lines, organisations should look to design “build-time” and “run-time” controls that enforce, or alert on, policy adherence. It is key that we balance the user experience against the operational controls. We often see organisations optimising for one at the expense of the other: a strong focus on user freedom and experience results in downstream operational and compliance issues, while a strong focus on operational controls creates a poor user experience and low cloud adoption rates. Implementing effective cloud controls is imperative to governing cloud usage. One of the most effective approaches to deliver both upstream user experience and downstream operational excellence is the creation of repeatable cloud products and services that align with the needs of the user, are highly automated, are ready to use via a “self-service” model, and have the organisational standards (architecture, security etc.) and controls “baked in”.
Provide real-time visibility: The last step in the cloud governance model is visibility. Regardless of which cloud consumption model(s) are deployed, it is important that cloud users, cloud providers, and relevant group IT functions (e.g. security, risk, identity etc.) have a single source of truth that provides real-time insight into the status of cloud operational health, compliance, and adherence to policies and standards.
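Policy-as-code is one way to realise the build-time (enforce) and run-time (alert) controls from the “Define controls” step and to feed the single-source-of-truth view described here. The Python sketch below is an added example, not code from the original article: the policy identifiers, the approved-region list and the resource inventory are all constructed for illustration, and the security, cost and compliance objectives mirror the policy areas named at the top of the article.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional

ALLOWED_REGIONS = {"eu-west-1", "eu-central-1"}  # constructed organisational standard

# A policy ties an objective (security / cost / compliance) to a check that
# returns None when the resource complies, or a reason string when it does not.
@dataclass(frozen=True)
class Policy:
    id: str
    objective: str
    check: Callable[[dict], Optional[str]]

POLICIES = [  # constructed policy set; real standards come from the organisation
    Policy("SEC-001", "security", lambda r: None if r.get("encrypted") else "storage not encrypted"),
    Policy("SEC-002", "security", lambda r: "publicly readable" if r.get("public") else None),
    Policy("COST-001", "cost", lambda r: None if r.get("tags", {}).get("cost-centre") else "missing cost-centre tag"),
    Policy("COMP-001", "compliance", lambda r: None if r.get("region") in ALLOWED_REGIONS else "region not approved"),
]

def evaluate(resource: dict) -> list[tuple[str, str]]:
    """Return (policy id, reason) for every policy the resource violates."""
    return [(p.id, reason) for p in POLICIES if (reason := p.check(resource))]

def build_time_control(request: dict) -> tuple[bool, list[tuple[str, str]]]:
    """Enforce: a provisioning request that violates any policy is rejected up front."""
    findings = evaluate(request)
    return (not findings, findings)

def run_time_control(inventory: list[dict]) -> list[dict]:
    """Alert: scan deployed resources and emit one alert per violation (drift), with the owner for the RACI."""
    return [{"resource": r["name"], "owner": r["owner"], "policy": pid, "reason": why}
            for r in inventory for pid, why in evaluate(r)]

def compliance_summary(inventory: list[dict]) -> dict[str, float]:
    """Share of deployed resources that comply with each objective: the dashboard's single source of truth."""
    summary = {}
    for objective in sorted({p.objective for p in POLICIES}):
        ids = {p.id for p in POLICIES if p.objective == objective}
        ok = sum(1 for r in inventory if not ids & {pid for pid, _ in evaluate(r)})
        summary[objective] = round(ok / len(inventory), 2) if inventory else 1.0
    return summary

INVENTORY = [  # constructed sample inventory, not real resources
    {"name": "payroll-db", "owner": "hr-app", "encrypted": True, "public": False, "region": "eu-west-1", "tags": {"cost-centre": "HR-42"}},
    {"name": "marketing-assets", "owner": "mkt", "encrypted": True, "public": True, "region": "eu-west-1", "tags": {}},
    {"name": "sandbox-vm", "owner": "dev-team", "encrypted": False, "public": False, "region": "us-east-1", "tags": {"cost-centre": "RD-7"}},
]
```

The same `POLICIES` list drives both controls, so a request rejected at build time and a deployed resource flagged at run time are judged against one definition, and `compliance_summary` is what a governance dashboard would plot per objective.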