Governance and the Cloud
After a few years of hype, Cloud is now becoming part of the mainstream enterprise IT landscape. As with any technology or technology model, uptake demands compliance mechanisms. If you rely on something, you must have the rules and metrics required to set the standards of performance, usage and return.
In this white paper, Getronics examines cloud governance, with particular focus on how cloud-specific governance becomes an integral element of overall IT and business governance models.
INTRODUCTION
For many, the barrier to cloud adoption has been largely about trust. Different organizations will always need to decide which IT delivery models are most suited to their own circumstances. Hopefully, Getronics’ analysis of cloud governance will at least help to bring clarity to this essential aspect of cloud decision-making.
WHO IS THIS PAPER FOR?
Getronics hopes that this paper will be useful to IT managers, and especially to those with a professional interest in governance. The paper is not overly technical, and also covers topics which members of Legal and Procurement teams in particular may find interesting.
On a more general level, we highlight the importance of being able to measure the effectiveness of cloud delivery in terms of operational and business value, and in that respect, there may be members of operations and business development who will also find interest here.
Getronics has a number of governance specialists who are specifically focused on the impact of cloud, and if you are interested in discussing any of the ideas raised in this paper, do feel free to contact us directly via Maurice Remmé at maurice.remme@getronics.com or look at www.getronics.com.
CLOUD – DEFINITION AND STRATEGY
We will start with a formal definition. Getronics finds the National Institute of Standards and Technology (NIST) definition [I] serves well: “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
Figure 1 Visual model of NIST working definition of cloud computing (essential characteristics: broad network access, rapid elasticity, measured service, on-demand self-service, resource pooling; service models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS); deployment models: public, private, hybrid, community)
For a non-IT audience, we can make this a bit less formal: “By using applications and resources that are delivered over the internet, cloud computing gives enterprises and individuals access to resources as required - paying for use not ownership.”
Over the last twelve months, Getronics has seen cloud rise to the top of the agenda in discussions with clients, and with this, a desire to develop more formal and more structured cloud strategies and governance frameworks.
We have also seen that for many, cloud computing presents a dilemma: IT decision-makers need to balance the promised benefits on the one hand, with the need for control on the other:
• Promise - zero CapEx, scalability, agility and the chance to respond rapidly to changing behavior
• Control - enterprise-wide governance, compliance, cost-effectiveness, co-existence with existing IT infrastructure and service level control.
The need to balance promise and control is complicated by the fact that the cloud, for the first time, puts the service consumer in the driving seat. When a business user can buy access to a cloud-based service “on expenses”, the landscape of control changes. For this reason, the IT governance model must respect this new agility without abandoning traditional management responsibility.
To resolve this dilemma, organizations first need to understand what they expect from cloud, and must then follow through with strategy, policy and design architecture. The approach to cloud must be in tune with the organization’s business strategy, and this demands that cloud governance is fully and clearly integrated with their overall IT governance structure.
GOVERNANCE – TERMS OF REFERENCE
THE CHARTERED INSTITUTE OF MANAGEMENT ACCOUNTANTS EMPHASIZES THAT THERE ARE
TWO DIMENSIONS OF ENTERPRISE GOVERNANCE - CONFORMANCE AND PERFORMANCE -
AND THAT THESE TWO DIMENSIONS NEED TO BE IN BALANCE.
Figure 2 The Enterprise Governance Framework - CIMA [II] (enterprise governance comprises corporate governance, i.e. conformance: accountability and assurance; and business governance, i.e. performance: value creation and resource utilisation)
• Conformance covers issues such as governance structures and the assignment of accountability. It focuses on conformity and control, on legal adherence and liability.
• Performance covers strategy definition and value creation. Also known as business governance, this activity must deliver the evidence a board of directors needs to set strategy, and to define both the levels of acceptable risk and the key performance drivers.
As IT and business strategies become increasingly enmeshed, so IT governance increases in importance - and as cloud becomes increasingly mainstream, so its own governance framework comes to have a direct impact on both IT and business performance.
AND IT GOVERNANCE?
As a subset of enterprise governance, IT governance mirrors
exactly these dimensions of conformance and performance.
In this respect, there are two reasons why IT governance matters:
• It ensures that IT resources and practices are managed responsibly
• It ensures that IT resources and practices are fit-for-purpose, and aligned with the overall business needs of the organization they serve
The IT Governance Institute identifies five domains [III] which must be covered if IT is to support business goals and deliver shareholder value, and each one of these applies to both traditional and cloud-based approaches. Some are primarily strategic, some operational, and some both:
Domain | Focus | Strategic (S) / Operational (O)
1 Strategic alignment | Focus on aligning IT and business strategies - collaborative solutions feature prominently. | S
2 Value delivery | Focus on the cost of IT and on measuring its business value. | S
3 Risk management | Focus on safeguarding IT assets, disaster recovery and continuity. | S/O
4 Resource management | Focus on knowledge and IT infrastructure. Spans acquisition, development and management of IT resources (including cloud services) from the perspective of people, process, and technology. | O
5 Performance management | Focus on tracking project delivery, execution and monitoring of the IT services that support the business. | O
Figure 3 shows how in a traditional IT governance model, these
five domains relate to each other in the overall objective of
contributing to the enterprise goal of shareholder value.
Figure 3 IT Governance model (enterprise goal: shareholder value; strategy level: strategic alignment, value delivery, risk management; operational level: performance management, resource management)
For Getronics, these five domains remain the foundation of IT
governance. The emergence of cloud does, however, change the
orientation of the model. This change is shown in Figure 4, in
which performance, resource and risk management all take on
a new tactical importance.
Figure 4 IT Governance influenced by public cloud (as Figure 3, with performance management and resource management appearing at a tactical level for public cloud and at the operational level for private cloud)
The hierarchical governance flow remains unchanged, as it cascades from enterprise to corporate and then to IT. As cloud becomes an integral component of the governance framework, it blurs the separation between pure IT and business operations. This is thanks, in part, to the fact that cloud models can to a large extent be driven by business service delivery rather than by the ownership of IT assets.
With an IT governance model influenced by cloud, the control model becomes particularly important. Getronics sees three flavors of control model:
• Centralized
• Decentralized
• Hybrid.
The choice of model will be made according to the best organizational fit, and will be influenced by culture, market and maturity. The key variations in these control models are shown in the following table:
Model | Local Authority | Define Policies & Rules | Monitoring & Reviewing
Centralized | Low | Council | Council
Hybrid | Mid | Combined | Combined
Decentralized | High | Organizational Unit/Location | Organizational Unit/Location
Table 1 Governance models
CLOUD AND IT GOVERNANCE: TOGETHER OR APART?
Getronics believes strongly that although the cloud is maturing,
effective cloud governance will only be achieved if it is treated
as an integral element of IT governance. In that position, like
the overall IT governance structure, it will have a particularly
close relationship with Security Governance. The overall
governance framework is shown in Figure 5, below.
Figure 5 Governance framework (enterprise governance comprising business governance and corporate governance; beneath them, security governance, IT governance and cloud governance side by side)
This integration will require a new governance council to be established within the control model. It will need to reflect the cloud strategy of the individual organization, and will need to mirror cloud usage according to infrastructure, platform and applications.
Sitting within IT governance, the cloud governance council will need to set and define:
• Cloud service policies and processes
• Quality of Service standards and SLA levels with regard to:
- Infrastructure
- Platform
- Applications
• Cloud security with regard to:
- Confidentiality, integrity, and availability
- Identity and access management
The regulatory and statutory requirements affecting cloud strategy will need particular attention. Depending on sector and on geography, for example, the law regarding the physical location of storage and service provision will dictate the cloud options.
Risk management and continuity will also be affected. How, for example, will your governance framework prepare for contingency and continuity in scenarios in which a provider of cloud services ceases to trade, or is acquired by a third party?
All cloud governance also needs to be able to operate in “run time”. Because cloud delivery is, by definition, on-demand, the associated governance model must be able to accommodate instant changes in usage volumes or in switches of delivery routing, storage or processing.
Figure 6 Cloud Domains for IT Governance (cloud computing domains for IT governance: strategic alignment, value delivery, risk management, resource management, performance management)
STRATEGIC ALIGNMENT
Just as IT governance must be tuned to enterprise strategy, so
it is for cloud governance. Cloud vision and strategy can only be
meaningful if choices are made according to strategic enterprise
requirement.
The strategic alignment domain is the foundation for everything else, and it needs to be right. It will evolve, as the cloud itself evolves. Most importantly the governance council will need to check the model continually against the wider IT and corporate governance framework: changes there will mean changes here.
Managing Architecture and Functionality
The reference cloud architecture must be aligned with the
business, and must respect industry, regulatory and company
standards. It must place even more emphasis on business
objectives than traditional non-cloud architectures. It must
also take into full account all aspects of integration and
interoperability with existing IT usage.
Security, availability and contingency are high on the agenda,
and must take into full consideration the impact of a change in
service provider. Cloud governance will also require new skills,
and the model must consider roles and responsibilities,
particularly relating to provisioning, security, and operations.
Sourcing needs particular attention. As cloud-based services
can be purchased without the need for specialist IT knowledge,
relationships between business purchasers and IT functions
need special consideration.
Cloud-based services can be highly configured according to different professional and functional need. Strategic alignment must take this into account, making it possible for the enterprise to build a clear picture of requirement, and to track changes in need and use. How this is done will depend on the culture of individual organizations: some will be proscriptive, others will not.
VALUE DELIVERY
Value delivery must define, implement and manage the processes which underpin cloud strategy. It must translate cloud strategy into a program of tactical and operational action.
This will include the processes for service acquisition, integration, and provisioning and will embrace the management of legal, technical and organizational risk. Directory services, along with identity management and usage metrics, are also critical: because cloud is based on consumption, it is essential that you can monitor and measure what is being consumed, in what quantity and by whom.
This domain is closely linked to the performance domain – it is through effective monitoring that the priorities for change become evident.
RISK MANAGEMENT
Just as with IT governance, risk management in cloud governance must fulfill three functions:
• Assessing risk
• Mitigating risk, and
• Measuring the success of that assessment and mitigation
This is not a static scenario. Risk shifts continually, and the cloud governance model must be able to track these shifts.
Even though much of the terminology of cloud is new, the technology is rooted in well-established virtualization practices. What is new are the service delivery and commercialization models, and as with any untested area, these require particular attention with relation to risk.
Thomas J. Betcher establishes a clear analysis of risk and cloud in Cloud Computing: Key IT-Related Risks and Mitigation Strategies for Consideration by IT Security Practitioners:
• Policy and Organizational risks: Lock-in, loss of governance, compliance challenges, loss of business reputation, cloud service termination or failure.
• Technical Risks: Availability of service, resource exhaustion, intercepting data in transit, data transfer bottlenecks, distributed denial of service.
• Legal Risk: Subpoena and e-discovery, changes of jurisdiction, data privacy, licensing.
One particularly important observation in the Betcher report relates to risk and frequency. Many traditional IT governance models are designed around IT life-cycles of around three years. Within these cycles, IT audit leaves a detailed trail of version and upgrade information.
With the cloud, this changes. Not only does the cycle shrink massively (change can now be measured in hours and weeks rather than in years), but the actual versioning of the technology behind the service can remain completely hidden from the consumer. As a result, cloud governance models must be able to assess risk from this entirely new perspective.
RESOURCE MANAGEMENT
Cloud Sourcing
Sourcing models can differ greatly with cloud: public, private and hybrid cloud approaches need us to think differently about governance.
With regard to sourcing, cloud governance must consider vendor continuity, quality-of-service, business reporting and compliance, cost modeling and more besides.
Cloud cuts across a broad spectrum of activities which previously sat within the IT governance framework. Because of this, it is necessary to develop new rules and new metrics built around service provision and validation.
The promise of a shift from CapEx to OpEx is held up as a major incentive to shift to cloud. This does, however, raise questions around sourcing governance. Where models are “pay-per-use”, it becomes difficult to undertake cost and quality comparisons either between cloud-based and traditional models, or indeed between different cloud models.
Cloud sourcing governance also needs to take into account the ease with which cloud services can be purchased directly on departmental budgets, or even on individual expense accounts.
Application portfolio planning & lifecycle
Even when cloud becomes fully established, most enterprises will continue to rely on a combination of traditional and cloud-based applications.
Here again, comparison becomes a challenge. Rather than focusing on the cost of managing the application portfolio, cloud sourcing governance focuses more on consumption and fitness-for-purpose: the actual cost of management becomes indivisible from the cost of consumption.
New applications and new functions, however, must be sourced as required, and the cloud governance sourcing model must make it possible to analyze requests in terms of current usage, and to safely allocate development, testing and distribution in a way that can be subsequently re-charged according to usage.
Reporting transparency and business analysis are two particularly interesting aspects of cloud sourcing governance. Because both access to applications and usage visibility become instant across the enterprise, it becomes far easier both to promote common usage, and to amortize development and management costs.
People and skills
The skills profile of an enterprise is central to IT governance – it is not just the technology which must be fit for purpose, but the professional capabilities of the people who manage it.
Cloud has a high impact here. Over the last five years, Getronics has moved rapidly from being a traditional IT service provider to becoming a services aggregator, and the emergence of cloud has had a major influence in this shift. Getronics has witnessed at first hand a reduction in demand for hardware and product-specific skills along with a corresponding increase in the importance of skills in managing a partner eco-system. This skill shift must also be considered in the context of governance models for sourcing.
PERFORMANCE MANAGEMENT
This domain sets the KPIs and thresholds for the usage and provision of cloud services. As indicated previously, Getronics sees resource and performance management moving upward to the tactical layer of the governance framework, at least when shared and public cloud services are consumed.
These KPIs and thresholds should be defined to reflect business rather than technology performance, and for this reason, this domain is especially closely tied to strategy alignment.
Good reporting is the foundation of both effective performance management and substantiated improvement initiatives. Two things happen in parallel here, as monitoring performance becomes twinned with monitoring conformance. This can be seen clearly, for example, when analyzing usage in the light of data protection regulation.
The cloud control framework is closely related to corporate or IT control frameworks such as CobiT, and is used both to define and measure conformance. Getronics uses the cloud control matrix from The Cloud Security Alliance [IV] as a foundation for its cloud control framework. The Cloud Control Matrix is part of the CSA GRC Stack.
Control Area | Control ID | Control Specification | Applicability (X marks in the extract's column order: SaaS, PaaS, IaaS; Service Provider, Customer)
Information Security – Portable/Mobile Devices | IS 32 | Policies and procedures shall be established and measures implemented to strictly limit access to sensitive data from portable and mobile devices, such as laptops, cell phones, and personal digital assistants (PDAs), which are generally higher-risk than non-portable devices (e.g. desktop computers at the organization’s facilities). | X X X X X
Information Security – Source Code Access Restriction | IS 33 | User access to program source code shall be restricted to authorized personnel. | X X X X
Information Security – Utility Programs Access | IS 34 | The use of utility programs that might be capable of overriding system and application controls shall be restricted. | X X X X X
Legal – Non-Disclosure Agreements | LG 01 | Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of data shall be identified and reviewed at planned intervals. | X X X X X
Legal – Third Party Agreements | LG 02 | Agreements with third parties accessing, processing, communicating or managing the organization’s information assets, or adding products or services to information assets shall cover all relevant security requirements. Agreement provisions shall include security (e.g. encryption, access controls, and leakage prevention) and integrity controls for data exchanged to prevent improper disclosure, alteration or destruction. | X X X X
Figure 7 Illustrative extract of the CSA Cloud Control Matrix
IT GOVERNANCE COUNCIL
Before considering ensuing actions for cloud governance, we will take a moment to consider a possible organizational structure. As mentioned previously, Getronics firmly believes that an effective cloud governance model must be fully integrated with IT governance, and will, as a result, be organized in an IT governance council.
The council for cloud governance will, as a result, be embedded within the IT governance council, and will share the same obligations in terms of alignment with corporate and enterprise governance and, in particular, with security governance.
The council’s charter becomes its most fundamental tool. If you are establishing a cloud council within your existing IT governance council, it will be important to take a thorough review of the existing charter, and to ask how the new cloud mandate is going to be represented within it.
Clarity and focus are the watchwords, and hopefully you will find the five domains outlined in this paper a useful guide in considering the precise focus and pointer to the required roles and responsibilities.
The figure below shows the structure of Getronics’ own IT governance council, indicating how cloud has been embedded within it. Note how the Cloud Innovation Council is formally integrated in the IT Governance Council, and in turn, is positioned to draw on business and technology expertise from across the organization. The Portfolio Board are particularly influential.
Figure 8 IT Governance Council (senior executive(s) and board of directors at the top; the IT Governance Council, made up of the CISO, CIO and CCO, business executives, process managers, IT & operations, and the Cloud Innovation Council, linked to the Portfolio Board, the finance, internal audit and legal departments, and external parties; beneath it, business, IT department and operations executives, managers and team leaders)
RECOMMENDATIONS
Getronics has already adopted cloud-based delivery for a large proportion of its own infrastructure, platform and services. We have invested significantly in the development and implementation of our cloud governance model as a result.
We see traditional and cloud-based services running concurrently in most enterprises for many years to come, and do not underestimate the corporate responsibility of addressing cloud governance as both a strategic and operational priority.
Early excursions into cloud for many organizations were not particularly formal – that’s normal. There is a risk, however, of allowing informal interest to gather momentum without control, and it is important to build monitoring into the loop. As always, the longer you leave it, the tougher it gets.
Getronics recommends its clients to formally task its own IT governance professionals with the assessment of cloud and governance. It recommends that this is done as an integral element of overall IT governance, and that it is done while embracing both security and enterprise strategy.
If you would like to discuss any of these ideas or objectives with our own cloud compliance specialists, please do contact us.
REFERENCES
[I] NIST, National Institute of Standards and Technology Special Publication 800-145 (Draft), 7 pages (January 2011), http://csrc.nist.gov/publications/drafts/800-145/Draft-SP-800-145_cloud-definition.pdf
[II] The CIMA Strategic Scorecard, March 2005, http://www.cimaglobal.com/Documents/ImportedDocuments/tech_dispap_CIMA_strategic_scorecard_0305.pdf
[III] Board Briefing On IT Governance, 2nd edition, 2003, IT Governance Institute, http://www.isaca.org/Knowledge-Center/Research/Documents/BoardBriefing/26904_Board_Briefing_final.pdf
[IV] Cloud Security Alliance, http://www.cloudsecurityalliance.org/cm.html
ABOUT THE AUTHOR
Maurice Remmé is responsible for Getronics Data Center and Cloud initiatives worldwide and has a primary focus on vision, strategy and portfolio development. Maurice has over 10 years of experience in the ICT industry and at this moment is actively involved in the development and implementation of Getronics’ Services Aggregator strategy.
maurice.remme@getronics.com