In a recent survey, cloud governance was ranked as the second most pressing cloud challenge by 84 percent of enterprises and 73 percent of small and midsized businesses. But what exactly is cloud governance, and why does it matter so much to organizations of all sizes?
The Difference Between Managing and Governing
There are many different examples I could use to illustrate the difference between managing and governing, but the human resources function is one to which most people can easily relate.
Every organization, except perhaps for the very smallest, has a department in charge of human resources. Despite the name, HR doesn’t manage the company staff. In fact, most people rarely talk to an HR professional unless there’s a problem such as employment-related paperwork that needs to be completed.
Behind the scenes, however, HR sets up the structure within which managers across the company manage their direct reports. These guidelines include compliance regulations such as OSHA and the EEOC’s anti-discrimination policies as well as best practices developed within the organization. Our No Jerks Allowed philosophy is a good example of the latter, as are the well-defined employee-review processes established by many organizations.
As one anonymous HR professional once put it, “HR’s primary function is to protect the company from its employees; not the other way around.” When everyone understands the rules and follows them consistently, risks are minimized. HR is in charge of governance; those who execute these rules are responsible for the day-to-day management of the organization.
Now apply this same thinking to the cloud, an important asset, but one that can easily expose your organization to just as many risks as your employees can. Cloud governance establishes rules that minimize the organization’s risks in the cloud.
Among other things, these rules might include:
- Compliance with industry regulations such as HIPAA, PCI, or GDPR
- Best practices for resource utilization, e.g., spinning down underutilized resources at night or on weekends to reduce costs
- Role and responsibility definitions
- Disaster recovery policies, such as which workloads will be backed up and how often, and which workloads need more sophisticated replication and rollover processes
- Alert escalation procedures
- Network policy enforcement
As IT environments get more complex and security and compliance requirements become more stringent, this list grows longer and longer. The key takeaway, however, is that cloud governance isn’t responsible for executing these rules but for setting up a structure that mitigates the risks.
When you look at the roles in IT, responsibilities for cloud governance and management often merge. For example, an IT manager may be tasked with setting up the policies that govern the decisions they make regarding resource utilization as well as carrying out those decisions.
Nevertheless, the distinction between governance and management is key. Purposefully setting governance policies helps an organization think through how best to protect itself while achieving its goals. This structure can also help IT managers make wiser decisions when the heat is on. (As it almost always is in IT!)