Governance is a coordinated effort that requires a cross-functional meeting of the minds.
By Douglas Toombs | January 15, 2025
Growing pains are inevitable — if you’re still viewing governance from a traditional IT perspective. The decentralized, self-service nature of cloud computing has taken the power of computing out of IT’s hands and distributed it to the business units (BUs). IT is now in a precarious position, balancing its responsibility to protect the organization from risk with ensuring that BUs can maintain their agility and freedom to innovate.
Gartner’s antidote is a five-step solution path for modern IT governance:
Form a governance team and document operating models.
Define principles and goals.
Implement programmatic controls (“guardrails”).
Develop cloud usage policies (guidelines).
Assess compliance, refine and optimize.
It’s difficult to predict every challenge an organization might encounter when trying to control cloud usage. Therefore, an ongoing cycle of audit and improvement is integral to a long-term cloud governance strategy.
BUs may be increasingly responsible for traditional IT decisions, but they don’t automatically become more aware of the need for risk mitigation. In most cases, they’re just looking to get the job done. With some guidance from IT, BUs are more likely to avoid inadvertently exposing the organization to cybersecurity threats. To head off potential problems, establish a governance team or cloud center of excellence that addresses the dynamics of cloud computing and a democratized IT structure. This team must be an ongoing, authoritative entity that reviews all principles, programmatic controls and policies on a regular basis.
Consider the organization’s operating model. Some organizations exist in a single market or industry, while others are multi-line-of-business holding companies operating across a wide array of geographic markets. Each model has differing needs, which bring unique complexities in terms of decision rights, authority/autonomy and corporate performance. A lack of clarity about the authority/autonomy granted at the corporate governance level makes establishing cloud governance more challenging.
Communication with BUs is critical to building a cloud governance strategy. Ensure that all those who assess, procure or operate cloud-based services agree to the organization’s operational principles and goals for using cloud technology; address all disagreements directly to prevent conflicts.
Operational principles should:
Be actionable. They must be specific enough so that BU stakeholders understand what types of procedural compliance are required.
Have clear implications. There must be clear, easily understood consequences to adhering (or not) to the governance goals.
Be relevant. All principles should be grounded in the specific contexts relevant to the enterprise (e.g., strategic goals, data protection, compliance and regulatory requirements).
Start by illustrating and defining the organization’s guardrails, which are deployed to prevent a bad outcome and communicate a risk boundary.
Programmatic controls (guardrails) enforce governance policies technically rather than relying on people to remember them. Preventative controls block a risky action at the source, before it takes effect, and are typically implemented natively in the cloud provider’s platform (for example, organization-level policies that deny an action outright). Retrospective controls are triggered when an inspection process discovers a noncompliant resource that must be remediated. They come into play when preventative controls are unavailable or unwieldy, with the caveat that the exposure exists from the moment the resource is created until the inspection runs.
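The two kinds of guardrail, shown side by side on one policy (a region restriction) as an added example that is not part of the original article. The preventative control is written in the shape of an AWS Service Control Policy, and the evaluator below is a simplified model of how a deny statement is matched, not the provider's real authorization engine (in particular, real evaluation also requires an explicit Allow elsewhere). The inventory records, resource IDs and region list are constructed sample data.

```python
"""Preventative vs. retrospective guardrails for one region-restriction policy.

Added example, not from the original article. REGION_GUARDRAIL_SCP follows the
shape of an AWS Service Control Policy; preventive_decision() is a simplified
model of deny-statement matching. INVENTORY is constructed sample data.
"""

ALLOWED_REGIONS = {"us-east-1", "eu-west-1"}  # assumption: the organization's approved regions

# Preventative control: an organization-level deny policy. The provider evaluates
# it before any principal's own permissions apply, so the action never happens.
REGION_GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyOutsideApprovedRegions",
            "Effect": "Deny",
            # Global services carry no region; exempt them so the deny does not
            # break identity and support operations.
            "NotAction": ["iam:*", "sts:*", "support:*"],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": sorted(ALLOWED_REGIONS)}
            },
        }
    ],
}


def preventive_decision(action: str, region: str, policy: dict = REGION_GUARDRAIL_SCP) -> str:
    """Return 'DENY' if any Deny statement in the policy matches the request, else 'ALLOW'.

    Simplified model: matches the service prefix against NotAction and the
    requested region against the StringNotEquals condition.
    """
    service = action.split(":", 1)[0]
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        exempt_services = {a.split(":", 1)[0] for a in stmt.get("NotAction", [])}
        if service in exempt_services:
            continue  # statement does not apply to this service
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        allowed = cond.get("aws:RequestedRegion", [])
        if allowed and region not in allowed:
            return "DENY"
    return "ALLOW"


# Constructed inventory: the kind of snapshot a configuration-inspection job
# produces after the fact. Field names are an assumption for this example.
INVENTORY = [
    {"id": "vol-01", "type": "ebs-volume", "region": "us-east-1", "encrypted": True},
    {"id": "vol-02", "type": "ebs-volume", "region": "ap-south-1", "encrypted": False},
    {"id": "bkt-logs", "type": "s3-bucket", "region": "eu-west-1", "public": False},
    {"id": "bkt-share", "type": "s3-bucket", "region": "us-east-1", "public": True},
]


def retrospective_scan(inventory: list) -> list:
    """Detective control: flag resources that already violate policy.

    Returns (resource_id, violation, remediation) tuples. Unlike the preventive
    control, every finding here represents exposure that existed from creation
    until this scan ran.
    """
    findings = []
    for r in inventory:
        if r["region"] not in ALLOWED_REGIONS:
            findings.append((r["id"], "outside approved regions", "migrate or delete"))
        if r.get("public"):
            findings.append((r["id"], "public access enabled", "apply block-public-access"))
        if r.get("encrypted") is False:
            findings.append((r["id"], "unencrypted at rest", "snapshot and re-create encrypted"))
    return findings


if __name__ == "__main__":
    print(preventive_decision("ec2:RunInstances", "ap-south-1"))  # blocked at the source
    print(preventive_decision("ec2:RunInstances", "us-east-1"))
    for finding in retrospective_scan(INVENTORY):
        print(finding)
```

The region check appears in both halves deliberately: the preventative version stops new resources from landing in an unapproved region, while the retrospective version is what catches resources created before the guardrail existed or through a path the guardrail did not cover.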
Cloud usage policies (guidelines) must have consequences if not followed. Document operational standards to communicate overall business risk and compliance requirements to BUs. An operational standards policy manual should include a number of key governance principles that all employees must keep in mind, including:
An organizational overview and responsible parties
A “do no harm” statement
A statement of data ownership
A transparency policy
A list of approved and disallowed suppliers
Financial account requirements and spending limits
Contractual considerations
External compliance requirements
Data protection standards
Policy exceptions, inspections and audits
A statement that nonenforcement is not “consent”
Capture all outputs from the process of governing external clouds and use them as a feedback mechanism to revisit, improve and adjust individual disciplines.
Audit shadow IT operations and monitor compliance. Shadow IT services undermine the principles, controls and policies established in the previous steps. Assess known shadow IT services, and consider using a cloud access security broker (CASB) solution, which typically discovers services in use from web-proxy and firewall logs and from provider APIs, to find the ones nobody has declared. IT should conduct such audits on an ongoing basis. Supplement automated discovery with manual audits wherever corporate governance principles apply but no tooling can observe compliance.
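A minimal version of the discovery a CASB performs, run over web-proxy logs, as an added example that is not part of the original article. The log lines are constructed, the one-record-per-line format (timestamp, user, destination host, bytes) is an assumption, and the approved, disallowed and known-SaaS lists are placeholders standing in for the organization's supplier list and a CASB's service catalogue.

```python
"""Spot unsanctioned cloud services in web-proxy logs.

Added example, not from the original article. PROXY_LOG is constructed sample
data in an assumed "timestamp user host bytes" format; the supplier lists are
placeholders for the organization's approved/disallowed suppliers.
"""
from collections import defaultdict

APPROVED = {"box.com", "salesforce.com", "microsoft.com"}       # assumption: sanctioned suppliers
DISALLOWED = {"pastebin.com"}                                    # assumption: explicitly banned
# Small stand-in for the service catalogue a CASB ships; classifies hosts that
# are neither approved nor banned but are recognisable cloud services.
KNOWN_SAAS = {"dropbox.com": "Dropbox", "notion.so": "Notion", "pastebin.com": "Pastebin"}

PROXY_LOG = """\
2025-01-14T09:01:22Z alice www.dropbox.com 5242880
2025-01-14T09:02:10Z bob box.com 20480
2025-01-14T09:05:40Z carol api.notion.so 8192
2025-01-14T09:06:01Z alice pastebin.com 4096
2025-01-14T09:07:15Z dave login.salesforce.com 1024
2025-01-14T09:09:33Z erin www.dropbox.com 10485760
"""


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels.

    Crude on purpose: production code should use the public suffix list so that
    hosts such as example.co.uk are not collapsed to co.uk.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(domain: str) -> str:
    """Order matters: a banned supplier must not be reported as merely 'shadow'."""
    if domain in DISALLOWED:
        return "disallowed"
    if domain in APPROVED:
        return "approved"
    if domain in KNOWN_SAAS:
        return "shadow"
    return "unknown"


def audit_proxy_log(log_text: str) -> dict:
    """Summarise every non-approved destination: who used it and how much data moved.

    Returns {domain: {"status": ..., "users": set, "bytes": int}}. Approved
    suppliers are dropped so the report only contains what needs a decision.
    """
    report = defaultdict(lambda: {"status": "", "users": set(), "bytes": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, user, host, nbytes = line.split()
        domain = registrable_domain(host)
        status = classify(domain)
        if status == "approved":
            continue
        entry = report[domain]
        entry["status"] = status
        entry["users"].add(user)
        entry["bytes"] += int(nbytes)
    return dict(report)


if __name__ == "__main__":
    for domain, entry in sorted(audit_proxy_log(PROXY_LOG).items()):
        users = ", ".join(sorted(entry["users"]))
        print(f"{domain:<14} {entry['status']:<10} users={users:<12} bytes={entry['bytes']}")
```

The byte totals are what turn a list of hostnames into a governance conversation: 15 MB uploaded to a file-sharing service by two users is a data-ownership question for the BU, while a single hit on a banned site is an enforcement question.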
Evaluate effectiveness and document improvements. Teams tasked with governance over external cloud services must have a process for identifying and addressing gaps when they arise. This may entail defining new principles, implementing new guardrails or modifying existing ones, and developing new guidelines.
IT governance (ITG) refers to the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals. IT demand governance (ITDG) is the process by which organizations ensure the effective evaluation, selection, prioritization and funding of competing IT investments; oversee their implementation; and extract (measurable) business benefits. ITDG is a business investment decision-making and oversight process, and a business management responsibility. IT supply-side governance (ITSG) is concerned with ensuring that the IT organization operates in an effective, efficient and compliant fashion, and it’s primarily a CIO responsibility.
Depending on whom an organization considers responsible, accountable, consulted or informed (RACI) regarding public cloud governance, the team may include some or all of the following roles: CEO/board of directors, CIO, cloud architect, chief information security officer, enterprise architecture representative, BU representative, and/or infrastructure and operations.