Moving off-premises and into the cloud can give organizations the agility to scale and respond to business needs. But without a comprehensive cloud governance plan in place, security needs can go unmet.
An effective cloud governance plan aligns with the organization's operating model, brings together cloud governance stakeholders from across the organization and will only be as good as the quality of the policies it constructs, according to David Wright, research director at Gartner, speaking at the Gartner IT Infrastructure, Operations & Cloud Strategies Conference Wednesday.
"A good cloud governance plan would be a process that gives you the overall cloud environmental hygiene that you need but that doesn't inhibit the speed and agility that your users require," Wright said.
According to Wright, a cloud governance plan will look different depending on which cloud model an organization deploys:
An integrated model, which aims for centralized cloud access.
An allied model, which provides a cloud to each business unit that uses it.
A holding model, which forms a conglomerate where multiple different business units unite under a single structure with independent cloud strategies.
All three models, however, rely on diverse stakeholders to strike the agility-security balance. "Think about building a governance team that spans all of the different interested parties within that set of organizations," Wright said.
Wright recommends using a model that defines who is responsible, accountable, consulted and informed — the RACI model — to assign duties within the cloud governance strategy.
Distinguishing between guidelines and guardrails will serve as the building blocks of effective cloud governance. Guidelines are recommended best practices that may not be mandatory to follow, while guardrails are restrictions that should not be circumvented, according to Wright.
"Whether it's a guideline or a guardrail, it needs to be actionable," Wright said. "It's not a goal. A policy is a rule that relates to activity. It's not an objective to be attained. So don't forget to distinguish between strategies and governance policies."
Guidelines and guardrails that are tied to stakeholder needs help those stakeholders understand what can happen if the directions are not followed.
Build with a foundation of security basics
Understanding and building out security policies acts as the foundation of cloud governance.
Organizations can start by implementing the underlying security policies necessary for good access control, according to Wright.
"You're going to marry your organization's identity and access management systems to the role-based access control mechanisms particular to each cloud environment that you're in," Wright said.
The security process will look different depending on which cloud provider a company uses, but the principle is the same: security first, and the rest can follow. Define cloud-use policies by deciding who should be able to access what, and pair them with financial controls such as spending ceilings that cap cloud usage, according to Wright.
Understanding which controls an organization wants in place will help guide security decision-making. Wright recommends striking a balance between in-house governance management and using third-party tools.
"Once you've got a handle on the basics here, you're going to want to figure out how to develop general organizational support for what you're doing," Wright said. Organizational support starts with building a strong cloud governance team from stakeholders across the organization.
With stakeholders at the ready, the cloud leadership team can then establish formal business unit relationships throughout the organization, provide technical assistance to cloud users, uncover gaps in policy, vet user control change requests and more as a part of a holistic cloud governance standard.
"As you build out a governance plan, your end goal is to make it invisible," Wright said. "You want the governance to be a byproduct of the natural operating processes that your business has in the public cloud. You don't want it to stand in front of or in the way of good process, you want it to become a part of that process."