Cloud computing governance and compliance is critically important for a key reason: cloud computing impacts so many aspects of our business and personal lives. As consumers, we think nothing of connecting to Dropbox or using an online graphics program. As business people, we use cloud computing applications like Salesforce for CRMs, MS Office 365 for productivity, and Box for file sharing.
So here is the $64,000 question: does your business know how to orchestrate multiple cloud computing services for cost, workflow, and compliance? Chances are it does not. Adopting a few cloud applications on a limited scale is one thing. But when companies decide to invest heavily in cloud computing, then IT and their counterparts in governance and risk management must adapt to a complex new reality. This reality is called cloud governance.
The simplest definition of cloud computing is delivering cloud-based services to end-users. Computing clouds may be private, public, or a hybrid combination of the two. The major cloud computing service models are Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). But whether your business uses public, private or hybrid cloud computing, proper governance is essential to harvesting maximum gain from the cloud and to monitoring an array of critical security issues.
Cloud computing offers big efficiency gains and cost advantages for customers, but introducing a cloud computing strategy isn’t a simple operation. This is where cloud governance comes in: the process of managing multiple cloud computing services for simplicity, integration, and cost control.
Cloud governance manages IT processes to receive maximum value from cloud computing investments. Although establishing cloud governance takes time and resources at the beginning, it should deliver significant cost savings with management processes and frameworks for cloud computing IT spend.
Cloud governance is a business-wide initiative because it involves compliance officers, risk managers, and senior executives as well as IT. However, cloud governance is closely related to IT, which is responsible for cloud computing.
Let’s look at the COBIT model, which publishes five essential process areas both business-wide and for specific stakeholders including IT. It lists IT’s five process areas as strategic alignment, delivering value, managing resources, managing risk, and measuring performance.
IT’s cloud computing responsibility also includes a simple governance question: Does it work? Each cloud computing application needs to meet SLAs around three primary technical domains: quality of service, application integration, and the biggest challenge of them all, security.
Cloud computing services operate from the providers’ remote data centers. This means that providers and businesses must maximize efficient throughput for performance and latency, and sign meaningful service level agreements (SLAs) around availability and durability.
Acceptable performance and low latency depend on efficient application code, sufficient bandwidth, geo-location, and fast server and storage throughput in the cloud and on-premise. Application availability and data durability are also major issues. Durability is not particularly difficult for cloud providers, who practice data redundancy across multiple devices and sites. (All three public clouds offer 11 nines or 0% data loss guarantees.) Availability is a different issue. Be sure to look at a cloud provider’s average application uptime, and understand how they remediate any service outages, particularly similar outages that have occurred more than once.
To explain application integration, let’s take an example where a software development company develops SaaS applications on Oracle Cloud PaaS. Their salespeople use Salesforce.com to track advertising campaigns and sales funnels. AWS Marketplace is a major product distributor, so many of their ordering links point there. Purchase information feeds into an on-premise Oracle Financials database.
The cloud and on-premise applications may or may not have internal integration points. (Oracle Cloud Adapter does in fact integrate Salesforce.) A cloud computing governance platform encourages IT to discover existing integration points, track integration dependencies, and optimize less than ideal integrations.
Corporate and cloud security are in the news: hacking and malware attempts are more common than ever, and can affect thousands of employees and millions of users with a single hack. A cloud provider’s data center is not magically immune to these types of attack. In fact, the cloud computing model has vulnerabilities of its own.
First, cloud providers aggregate much of their customers’ data into single files and store massive data sets in a single location. The cloud provider almost certainly builds in data redundancy against data loss, but a hacking attempt can expose huge volumes of data for download and sale. A single company can experience a disaster when a single malware penetration occurs on an employee workstation. Should the same malware penetrate a cloud data center, it could compromise multiple tenants’ data.
Companies must do careful due diligence on cloud provider security. Understand how they protect their data centers against physical disasters, energy loss, and both physical and digital intrusion. Encryption is a critical security measure; don’t leave key protection solely with the provider. Strongly consider using multi-factor authentication tools to protect against unauthorized user access. Also, ask how the cloud provider protects customer data against staff error or deliberate malfeasance.
Cloud governance has more to do with process management than legal and regulatory issues. However, cloud compliance is an extremely important challenge whenever you store regulated or sensitive data in the cloud. Ask your cloud provider how they comply with government and industry regulations, and look for certified data centers and expert provider InfoSec teams. Find out how your cloud provider supports cross-border investigations. Here are some questions to ask:
Most companies already have some cloud computing services, and adding more may not seem to be much of a challenge. But diving into cloud computing can have a big impact on your infrastructure, employees, and strategic goals. It’s simply good business to adopt cloud governance for integrating and optimizing cloud computing for your own business.