Your cloud usage continues to grow, and the workloads you are migrating are increasingly mission critical. Your cloud governance must match this new reality. For this reason, along with new and developing industry regulations, growing sovereignty requirements, and a steady stream of breaches and vulnerabilities, companies are revisiting their governance programs or standing up the ones that their long-running cloud programs never had.
The motivation for cloud governance is obvious. Implementation is much more difficult. Part of the issue: there are many paths to cloud governance. Some cover only cost, basic access security, and DevOps. Other paths tie in broader operations, data management, change management, and collaboration. Even the cloud providers themselves differ vastly in scope when it comes to governance framework recommendations. As with any enterprise process, it is important to start with the definition. Since starting this coverage, I’ve reviewed over 100 governance strategies from enterprises across the globe. Across these companies, definitions vary widely. Since it is one of the top topics of 2024, I’ve spent the beginning of this year revamping our own cloud governance coverage, starting with the definition.
Forrester defines cloud governance as:
A set of rules, policies, and processes (implementation, enablement, and maintenance) that guides an organization’s cloud operations without breaching the parameters of risk tolerance or compliance obligations.
We developed research that manifested in three reports: Build Your Cloud Governance Framework, Assess Your Cloud Governance Maturity, and one written with my colleague Andras Cser, The Forrester Guide To Cloud Governance. In this work, the scope of cloud governance is:
Security. A security baseline, security toolchain options, a data classification schema, risk assessment and planning, security policies and triggers.
Cost. Maximize the value of cloud investments, forecast cloud spend, leverage automation for billing, report on cost and cost reduction, enforce cost policies.
Identity baseline. Identity authentication protocol, user/role-based permissions, designation of access groups, collaboration restrictions, identity program audits, log activity audits.
Resource configuration. Sync with the corporate CMDB, reusable templates and blueprints, creation and maintenance of landing zones.
Automated DevOps governance. Automated workflows (deployment and updates to infrastructure, configs, libraries, secrets, keys, and certificates), CI/CD pipelines, enforcement of governance for build, test, release, and deployment.
No matter your approach, a few truths remain:
Cost and security appear in almost every definition.
Guardrails are the goal, and they must walk the delicate balancing act between minimally inhibiting productivity and standardizing governance principles across functions; leaders in the DevOps world call this wide boulevards and high curbs.
The tired adage about alignment and executive support is still true and absolutely crucial.
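As an added illustration of what "wide boulevards and high curbs" looks like once the scope items above (security baseline, cost policy, identity baseline, CMDB sync) are enforced in a CI/CD pipeline, the following policy-as-code check is example code written for this page, not a Forrester artifact or any vendor's tool. It evaluates a constructed landing-zone template (plain dictionaries standing in for a generic IaC format) against a handful of hypothetical guardrails: rule names, tag keys, the approved-region list, and the split between "block" findings that fail the stage and "warn" findings that only report are all assumptions chosen for the example.

```python
"""Policy-as-code guardrails over a landing-zone template (added example).

Assumptions (not from the original post): resources are plain dicts resembling
a generic IaC template; rule names, tag keys, approved regions and the
block/warn severity split are hypothetical choices made for this illustration.
"""
from dataclasses import dataclass

REQUIRED_COST_TAGS = {"cost-center", "owner", "environment"}   # cost governance
APPROVED_REGIONS = {"eu-west-1", "eu-central-1"}              # sovereignty


@dataclass(frozen=True)
class Finding:
    resource: str
    rule: str
    severity: str   # "block" fails the pipeline stage, "warn" only reports
    detail: str


def check_cost_tags(res):
    """Cost: every resource must carry the tags used for chargeback."""
    missing = REQUIRED_COST_TAGS - set(res.get("tags", {}))
    if missing:
        return Finding(res["name"], "cost.required-tags", "block",
                       f"missing tags {sorted(missing)}")
    return None


def check_public_exposure(res):
    """Security baseline: storage must never be reachable publicly."""
    if res.get("type") == "storage" and res.get("public_access", False):
        return Finding(res["name"], "security.no-public-storage", "block",
                       "public_access is enabled")
    return None


def check_region(res):
    """Sovereignty: resources may only land in approved regions."""
    if res.get("region") not in APPROVED_REGIONS:
        return Finding(res["name"], "resource.approved-region", "block",
                       f"region {res.get('region')!r} is not approved")
    return None


def check_identity_wildcards(res):
    """Identity baseline: no wildcard actions or resources in role policies."""
    if res.get("type") == "role":
        for stmt in res.get("policy", []):
            if stmt.get("action") == "*" or stmt.get("resource") == "*":
                return Finding(res["name"], "identity.no-wildcard", "block",
                               f"wildcard in statement {stmt}")
    return None


def check_cmdb_link(res):
    """Resource configuration: a missing CMDB record is a warning, not a block
    (wide boulevard: teams can ship, but the gap is surfaced for follow-up)."""
    if not res.get("cmdb_id"):
        return Finding(res["name"], "resource.cmdb-sync", "warn",
                       "no cmdb_id recorded")
    return None


RULES = [check_cost_tags, check_public_exposure, check_region,
         check_identity_wildcards, check_cmdb_link]


def evaluate(template):
    """Run every rule over every resource and collect the findings."""
    return [f for res in template for rule in RULES if (f := rule(res))]


def pipeline_decision(findings):
    """High curbs: any blocking finding fails the stage; warnings pass."""
    return "fail" if any(f.severity == "block" for f in findings) else "pass"


# Constructed sample template; these are not real resources or accounts.
FULL_TAGS = {"cost-center": "4711", "owner": "team-a", "environment": "prod"}
SAMPLE_TEMPLATE = [
    {"name": "app-bucket", "type": "storage", "region": "eu-west-1",
     "public_access": True, "tags": FULL_TAGS, "cmdb_id": "CI-0001"},
    {"name": "ci-role", "type": "role", "region": "eu-west-1", "tags": FULL_TAGS,
     "cmdb_id": "CI-0002",
     "policy": [{"action": "*", "resource": "storage/app-bucket"}]},
    {"name": "etl-job", "type": "compute", "region": "us-east-1",
     "tags": {"owner": "team-b"}},
]

if __name__ == "__main__":
    findings = evaluate(SAMPLE_TEMPLATE)
    for f in findings:
        print(f"[{f.severity}] {f.resource}: {f.rule} ({f.detail})")
    print("pipeline stage:", pipeline_decision(findings))
```

The point of the severity split is the balancing act the post describes: a public bucket or a wildcard role is a curb you hit hard, while a missing CMDB link is reported without stopping the team, and adding or relaxing a rule is a one-function change reviewed like any other code.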
If you have questions or want direction on how to set up or upgrade your cloud governance program, set up an inquiry or guidance session with me.