Cloud Governance in 3 Simple Steps


The benefits of cloud computing (cost savings, flexibility, agility, and scalability) are compelling, but it also brings new risks. Flexibility and agility can quickly lead to Shadow IT, a term often used to describe systems and solutions built and used inside organizations without explicit organizational approval. The ability to spin resources up on the fly and scale quickly can easily cause your costs to spin out of control, and because the Cloud by its nature is similar to the wild wild west, you open yourself up to new security concerns.

Cloud computing isn’t “risky” any more than IT is risky. In fact, like all IT activities, cloud computing should be done in a way that both reduces risk and considers those engagements in the context of IT as a whole. The ultimate objective is to support the business in a way that balances costs with benefits.

So how do you keep control while still allowing your employees to take full advantage of what the cloud gives them? You do so by implementing a Cloud Governance model within your organization.

Like other forms of IT, Cloud Computing requires governance. In other words, cloud computing needs processes, policies, and procedures.

What is Cloud Governance?

Cloud governance consists of the leadership, organizational structures, and processes that safeguard information, reduce costs, and improve operational efficiencies.


Simply put, Cloud Governance, a part of your overall IT governance strategy, is a general term for applying specific controls or rules to the use of cloud computing.

Cloud governance forces you to always ask:

  • Are we doing the right things?
  • Are we doing them the right way?
  • How do we know?

Why is it important?

Cloud Governance is critically important because it ensures that enterprise expenditures related to the cloud are aligned with the business objectives, promotes data integrity across the enterprise, encourages innovation, and mitigates the risk of data loss or non-compliance with regulations.

When working with many organizations, I quickly discover that cloud is a new frontier for them, one that introduces many new issues they haven’t encountered using traditional IT principles. To solve this, I have created a simple 3 step process which I use to develop a cloud governance strategy.

3 Simple Steps to Cloud Governance


Step 1 – Define your controls

There are three areas of controls to consider: Financial, Operational, and Security.

A financial control may be a limit on the number of cloud instances a user may start up, an operational control may be how often a backup must occur, and a security control could be who may make changes to your cloud computing environment.

Many organizations mold their controls by following the requirements of the regulatory rules they must follow. HIPAA, FedRAMP, and others all introduce specific things you must follow and are a great place to start.

Developing a Cloud Computing Policy document in which you record these various controls is vital. Don’t fret: many cloud providers have documented example control statements that you can use to jump-start your policy document. When developing your controls, remember that a good rule of thumb is that you should develop controls that govern the use of cloud computing, not block it.

Another good rule of thumb is to build a governance board which regularly meets to define, modify, and publish your controls. This governance board should be made up of representatives from your IT management, business leadership, lines of business, IT security, and finance. Critical to the success of your cloud governance strategy is effective communication of what your board has decided to implement. A primary responsibility of the governance board is to do just that.

Step 2 – Implement your controls

When implementing your controls, there are three implementation types: those that detect an issue, those that prevent an issue, and those that correct an issue. You can implement your controls using many services available to you within your cloud computing provider such as AWS Config, Azure Security Center, or using a third-party tool such as Capital One’s Cloud Custodian tool.

Once you have implemented your controls, documentation and communication to teams about the implementation should be done as well. This ensures that there is no misunderstanding or miscommunication about why and how cloud resources are being governed.

Note: I will be publishing a blog post soon about how to implement controls using the Cloud Custodian tool. Be on the lookout for that!

Step 3 – Continuously audit your controls

Remember, you have developed your cloud governance model to ask three questions:

  • Are we doing the right things?
  • Are we doing them the right way?
  • How do we know?

To audit your controls, you must develop a process by which you either audit them manually or audit in real time. There are many third-party tools, such as Capital One’s Cloud Custodian, that can do this for you, or you can develop an internal audit methodology and solution.

By continuously auditing you ensure compliance with your documented controls, reduce risk, stop out-of-control spending, and keep defining and redefining policy that governs but doesn’t block the use of cloud computing.
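The three example controls from Step 1 (an instance cap per owner, a backup cadence, and an approved set of roles that may change the environment), the three implementation types from Step 2, and the audit loop from Step 3 can all be expressed as policy-as-code. The following is an added example written for this post, not code from the author or from any of the tools mentioned: it stands in for what a service such as AWS Config or Cloud Custodian would evaluate. The inventory, change-log records, instance ids and role names are constructed, and the clock is fixed so the run is reproducible offline.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Controls as data: one example control per area, as published by the governance board.
CONTROLS = {
    "financial.max_running_instances_per_owner": 3,
    "operational.max_backup_age_hours": 24,
    "security.roles_allowed_to_change": {"cloud-admin", "platform-sre"},
}

# Fixed clock so the example is reproducible offline (assumption, not a real timestamp).
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)


@dataclass
class Instance:
    id: str
    owner: str
    last_backup: Optional[datetime]
    state: str = "running"


def sample_inventory():
    """Constructed inventory; ids and owners are made up. List order is launch order."""
    return [
        Instance("i-0001", "alice", NOW - timedelta(hours=2)),
        Instance("i-0002", "alice", NOW - timedelta(hours=30)),  # backup overdue
        Instance("i-0003", "alice", None),                       # never backed up
        Instance("i-0004", "alice", NOW - timedelta(hours=1)),   # fourth instance: over the cap
        Instance("i-0005", "bob", NOW - timedelta(hours=5)),
    ]


def sample_change_log():
    """Constructed CloudTrail-style records of who changed what."""
    return [
        {"actor": "alice", "role": "developer", "action": "AuthorizeSecurityGroupIngress", "target": "sg-0a1"},
        {"actor": "carol", "role": "cloud-admin", "action": "AuthorizeSecurityGroupIngress", "target": "sg-0b2"},
    ]


def detect(inventory, change_log, controls=CONTROLS):
    """Detective control: evaluate every control and report (area, subject, message) without changing anything."""
    findings = []
    cap = controls["financial.max_running_instances_per_owner"]
    running = Counter(i.owner for i in inventory if i.state == "running")
    for owner, count in sorted(running.items()):
        if count > cap:
            findings.append(("financial", owner, f"{count} running instances, limit is {cap}"))
    max_age = timedelta(hours=controls["operational.max_backup_age_hours"])
    for inst in inventory:
        if inst.last_backup is None or NOW - inst.last_backup > max_age:
            findings.append(("operational", inst.id, "no backup within the required window"))
    for rec in change_log:
        if rec["role"] not in controls["security.roles_allowed_to_change"]:
            findings.append(("security", rec["actor"],
                             f"{rec['action']} on {rec['target']} by non-approved role {rec['role']}"))
    return findings


def prevent(request, inventory, controls=CONTROLS):
    """Preventive control: gate a request before the change happens. Returns (allowed, reason)."""
    if request["kind"] == "launch":
        cap = controls["financial.max_running_instances_per_owner"]
        running = sum(1 for i in inventory if i.owner == request["owner"] and i.state == "running")
        if running >= cap:
            return False, f"{request['owner']} already has {running} running instances (limit {cap})"
        return True, "launch allowed"
    if request["kind"] == "change":
        if request["role"] not in controls["security.roles_allowed_to_change"]:
            return False, f"role {request['role']} may not change the environment"
        return True, "change allowed"
    return False, f"unknown request kind {request['kind']}"


def correct(inventory, findings, controls=CONTROLS):
    """Corrective control: remediate what automation can do safely. Over-cap owners have their
    newest instances stopped; overdue instances get an on-demand backup (modelled by refreshing
    last_backup). Security findings are handed back for a human to investigate."""
    actions = []
    cap = controls["financial.max_running_instances_per_owner"]
    for area, subject, _ in findings:
        if area == "financial":
            owned = [i for i in inventory if i.owner == subject and i.state == "running"]
            for inst in owned[cap:]:
                inst.state = "stopped"
                actions.append(f"stopped {inst.id}")
        elif area == "operational":
            inst = next(i for i in inventory if i.id == subject)
            inst.last_backup = NOW
            actions.append(f"backed up {inst.id}")
    escalate = [f for f in findings if f[0] == "security"]
    return actions, escalate


def audit_cycle(inventory, change_log):
    """One continuous-audit pass: detect, correct, re-detect, and report what remains."""
    before = detect(inventory, change_log)
    actions, escalate = correct(inventory, before)
    after = detect(inventory, change_log)
    return {"findings_before": len(before), "actions": actions,
            "escalated": escalate, "findings_after": len(after)}


if __name__ == "__main__":
    inv, log = sample_inventory(), sample_change_log()
    print(prevent({"kind": "launch", "owner": "alice"}, inv))
    for key, value in audit_cycle(inv, log).items():
        print(key, value)
```

Running it shows the shape of the loop the post describes: the detective pass finds four issues (one financial, two operational, one security), the corrective pass closes the three it can act on, and the security finding is escalated rather than auto-remediated, which is the kind of decision the governance board should make explicit in the policy document. Scheduling the audit (hourly, or triggered by change events) is what turns this into the continuous audit of Step 3.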

Desired Outcomes of Cloud Governance

However you choose to implement Cloud Governance within your organization, it must include the following desired outcomes to fully realize its potential to protect your organization from the increased risks and challenges of moving to the cloud.

These desired outcomes of Cloud Governance include but are not limited to:

  • Strategic alignment of cloud security and cloud operations with business strategy to support organizational objectives.
  • Risk management by executing appropriate measures to manage and mitigate risks and reduce potential impacts on information resources to an acceptable level.
  • Resource management by utilizing information security knowledge and infrastructure efficiently and effectively.
  • Performance measurement by measuring, monitoring and reporting governance metrics to ensure that organizational objectives are achieved.
  • Value delivery by optimizing cloud investments in support of organizational objectives.

Btw, one of my favorite quotes about cloud governance and what your ultimate desired outcome should be is:

“Mature cloud architectures should be built and be dependent on policy-based automation and self-service to rapidly provision new services and ensure compliance with corporate standards and service-level agreements (SLAs).”

By following the 3 simple steps that I’ve outlined in this blog post, you too can quickly start to govern your cloud today.

If you have any questions please do not hesitate to reach out. Cloud Governance, policy development, and helping people design secure clouds is one of the simple joys in my life so I am happy to answer any questions or point you in the right direction.


Quote source: ‘Hybrid Cloud Strategies Create Management Challenges’ by Mary Johnston Turner, IDC #252655, December 2014.

