Governance of the Hybrid Cloud: Risks and Expectations
An effective hybrid cloud security strategy requires enforcement and accountability. This is where governance comes in. Basically, governance is about applying policies — the organizing principles and rules that determine how an organization should behave — to the way services are used. In the cloud world, governance helps to define how multiple organizations behave, because multiple parties across different companies will be part of the governance plan.
IT governance is really a combination of policy, process, and controls. The role of IT governance is to implement, maintain, and continuously improve these controls. IT governance does the following:
Ensures that IT assets (systems, processes, and so on) are implemented and used according to agreed-upon policies and procedures
Ensures that these assets are properly controlled and maintained
Ensures that these assets are providing value to the organization
IT governance, therefore, has to include the techniques and policies that measure and control how systems are managed. However, IT doesn’t stand alone in the governance process. In order for governance to be effective, it must be holistic. It’s as much about organizational issues and how people work together to achieve business goals as it is about technology.
A critical part of governance is establishing organizational relationships between business and IT, as well as defining how people will work together across organizational boundaries. So, the best kind of governance occurs when IT and the business are working together.
Implementing a governance strategy
How does governance typically work? IT governance usually involves establishing a board made up of business and IT representatives. The board creates rules and processes that the organization must follow to ensure that policies are being met.
These rules and processes might include the following:
Understanding business issues, such as regulatory requirements or funding
Establishing best practices and monitoring these processes
Assigning responsibility for things such as programming standards, proper design, review, certifications, and monitoring applications
When moving into a hybrid cloud environment, you want your governance board to deal with issues related to how your compute resources are handled on your premises, as well as with the issues that arise from working with your cloud provider. Cloud governance is a shared responsibility between the user of cloud services and the cloud provider. Understanding the boundaries of responsibility and defining an appropriate governance strategy within your organization require careful balance.
A successful governance strategy in a hybrid environment requires a negotiated agreement between you and your cloud provider(s). Generally, several goals are involved in cloud governance, including managing risk and monitoring performance.
Risks worth noting
Each industry has a set of governance principles based on its regulatory and competitive environment and its view of risk. Here is a list of risks to consider as you move into a hybrid model:
Audit and compliance risks: Data jurisdiction, data access control, and maintaining an audit trail
Security risks: Data integrity and data confidentiality and privacy
Other information risks: Protection of intellectual property
Performance and availability risks: The level of availability and performance your business requires to successfully operate — for example, alerts, notifications, and provider business continuity plans. In addition, does the provider have forensic information in case something does go wrong?
Interoperability risks: Associated with developing a service that might be composed of multiple services. Are you assured that the infrastructure will continue to support your service? What if one of the services you’re using changes? What policies are in place to ensure that you will be notified of a change?
Contract risks: Associated with not reading between the lines of your contract. For example, who owns your data in the cloud? If the service goes down, how will you be compensated? What happens if the provider goes out of business?
Billing risks: Ensuring that you’re billed correctly and only for the resources you consume
Measuring and monitoring performance
You can measure business performance by comparing production, sales, revenue, stock price, and customer satisfaction with your goals. You can measure IT performance by comparing server, application, and network uptime; service resolution time; budgets; and project completion dates with your goals. Businesses use all these measures to rate their performance compared with that of competitors and the expectations of customers, partners, and shareholders.
In cloud computing, you need to measure the effect of IT performance on the business, which by definition now includes the performance of the cloud provider.
Making governance work
Effective management of the cloud will be part people and processes and part technology. It’s really a three-part solution:
Your organization needs to set up a governance body to deal with cloud issues and to put processes in place to work with the business around enforcement. This board will have oversight responsibilities and will collaborate with the business (it should include business members). It can also develop best practices.
Your organization needs to have governance bodies in the cloud that deal with standardization of services and other shared infrastructure issues. You need some sort of interface to this group. How deeply you take part depends on how heavily your organization uses the cloud.
Your organization also needs to have technology in the mix that helps your organization automatically monitor what happens in the cloud.