Getronics - Governance and the Cloud


Published on

Governance and the Cloud

After a few years of hype, Cloud is now becoming part of the mainstream enterprise IT landscape. As with any technology or technology model, uptake demands compliance mechanisms. If you rely on something, you must have the rules and metrics required to set the standards of performance, usage and return.

In this white paper, Getronics examines cloud governance, with particular focus on how cloud-specific governance becomes an integral element of overall IT and business governance models.

Published in: Business, Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Getronics - Governance and the Cloud

  2. 2. INTRODUCTIONAFTER A FEW OF YEARS OF HYPE, CLOUD IS NOW BECOMING PART OF THE MAINSTREAMENTERPRISE IT LANDSCAPE. AS WITH ANY TECHNOLOGY OR TECHNOLOGY MODEL,UPTAKE DEMANDS COMPLIANCE MECHANISMS. IF YOU RELY ON SOMETHING, YOU MUSTHAVE THE RULES AND METRICS REQUIRED TO SET THE STANDARDS OF PERFORMANCE,USAGE AND RETURN.In this white paper, Getronics examines cloud governance, withparticular focus on how cloud-specific governance becomes anintegral element of overall IT and business governance models.For many, the barrier to cloud-adoption has been largely abouttrust. Different organizations will always need to decide whichIT delivery models are most suited to their own circumstances.Hopefully, Getronics’ analysis of cloud governance will at least,help to bring clarity to this essential aspect of cloud decision-making.WHO IS THIS PAPER FOR?Getronics hopes that this paper will be useful to IT managers,and especially to those with a professional interest in govern-ance. The paper is not overly technical, and also covers topicswhich members of Legal and Procurement teams in particularmay find interesting.On a more general level, we highlight the importance of beingable to measure the effectiveness of cloud delivery in terms ofoperational and business value, and in that respect, there maybe members of operations and business development who willalso find interest here.Getronics has a number of governance specialists who arespecifically focused on the impact of cloud, and if you areinterested in discussing any of the ideas raised in this paper,do feel free to contact us directly via Maurice Remmé or look at – DEFINITION AND STRATEGYWe will start with a formal definition. Getronics finds theNational Institute of Standards and Technology (NIST I) defini-tion serves well: “Cloud computing is a model for enablingubiquitous, convenient, on-demand network access to a sharedpool of configurable computing resources (e.g., networks,servers, storage, applications, and services) that can be rapidlyprovisioned and released with minimal management effort orservice provider interaction.”
  3. 3. BROAD ON-DEMAND RAPID ELASTICITY MEASURED SERVICE NETWORK ACCESS SELF-SERVICE ESSENTIAL CHARACTERISTICS RECOURCE POOLING SOFTWARE AS A PLATFORM AS A INFRASTRUCTURE AS A SERVICE SERVICE (SaaS) SERVICE (PaaS) SERVICE (IaaS) MODELS DEPLOYMENT PUBLIC PRIVATE HYBRID COMMUNITY MODELSFigure 1 Visual model of NIST working definition of cloud computingFor a non-IT audience, we can make this a bit less formal: The need to balance promise and control is complicated by the“By using applications and resources that are delivered over the fact that the cloud, for the first time, puts the service consumerinternet, cloud computing gives enterprises and individuals in the driving seat. When a business user can buy access to aaccess to resources as required - paying for use not ownership.” cloud-based service “on expenses”, the landscape of control changes. For this reason, the IT governance model mustOver the last twelve months, Getronics has seen cloud rise to respect this new agility without abandoning traditionalthe top of the agenda in discussions with clients, and with this, management responsibility.a desire to develop more formal and more structured cloudstrategies and governance frameworks. To resolve this dilemma, organizations first need to understand what they expect from cloud, and must then follow throughWe have also seen that for many, cloud computing presents a with strategy, policy and design architecture. The approach todilemma: IT decision-makers need to balance the promised cloud must be in tune with the organization’s business strategy,benefits on the one hand, with the need for control on the and this demands that cloud governance is fully and clearlyother: integrated with their overall IT governance structure.• Promise - zero CapEx, scalability, agility and the chance to respond rapidly to changing behavior• Control - enterprise-wide governance, compliance, cost- effectiveness, co-existence with existing IT infrastructure and service level control.
  4. 4. GOVERNANCE –TERMS OF REFERENCETHE CHARTERED INSTITUTE OF MANAGEMENT ACCOUNTANTS EMPHASIZES THAT THERE ARETWO DIMENSIONS OF ENTERPRISE GOVERNANCE - CONFORMANCE AND PERFORMANCE -AND THAT THESE TWO DIMENSIONS NEED TO BE IN BALANCE. ENTERPRISE GOVERNANCE BUSINESS CORPORATE GOVERNANCE GOVERNANCE I.E. CONFORMANCE I.E. PERFORMANCE ACCOUNTABILITY VALUE CREATION ASSURANCE RESOURCES UTILISATIONFigure 2 The Enterprise Governance Framework - CIMAII• Conformance covers issues such as governance structures As IT and business strategies become increasingly enmeshed, and the assignment of accountability. It focuses on so IT governance increases in importance - and as cloud conformity and control, on legal adherence and liability. becomes increasingly mainstream, so its own governance• Performance covers strategy definition and value creation. framework comes to have a direct impact on both IT and Also known as business governance, this activity must business performance. deliver the evidence a board of directors needs to set strategy, and to define both the levels of acceptable risk and the key performance drivers.AND IT GOVERNANCE?As a subset of enterprise governance, IT governance mirrorsexactly these dimensions of conformance and performance.In this respect, there are two reasons why IT governance matters:• It ensures that IT resources and practices are managed responsibly• It ensures that IT resources and practices are fit-for-purpose, and aligned with the overall business needs of the organiza- tion they serve
  5. 5. The IT Governance Institute identifies five domainsIII whichmust be covered if IT is to support business goals and delivershareholder value, and each one of these applies to bothtraditional and cloud-based approaches. Some are primarilystrategic, some operational, and some both: Domain Focus Strategic (S) Operational (O) 1 Strategic alignment Focus on aligning IT and business strategies - S collaborative solutions feature prominently. 2 Value delivery Focus on the cost of IT and on measuring its business S value. 3 Risk Focus on safeguarding IT assets, disaster recovery S/O Management and continuity. 4 Resource Management Focus on knowledge and IT infrastructure. Spans O acquisition, development and management of IT resources (including cloud services) from the pers- pective of people, process, and technology. 5 Performance Management Focus on tracking project delivery, execution and O monitoring of the IT services that support the business.Figure 3 shows how in a traditional IT governance model, thesefive domains relate to each other in the overall objective ofcontributing to the enterprise goal of shareholder value. SHAREHOLDER ENTERPRISE GOALS VALUE STRATEGY VALUE STRATEGIC ALIGNMENT DELIVERY RISK MANAGEMENT OPERATIONAL PERFORMANCE RESOURCE MANAGEMENT MANAGEMENTFigure 3 IT Governance model
  6. 6. For Getronics, these five domains remain the foundation of ITgovernance. The emergence of cloud does, however, change theorientation of the model. This change is shown in Figure 4, inwhich performance, resource and risk management all take ona new tactical importance. SHAREHOLDER ENTERPRISE GOALS VALUE STRATEGY VALUE STRATEGIC ALIGNMENT DELIVERY RISK MANAGEMENT TACTICAL PERFORMANCE RESOURCE MANAGEMENT MANAGEMENT PUBLIC CLOUD OPERATIONAL PERFORMANCE RESOURCE MANAGEMENT MANAGEMENT PRIVATE CLOUDFigure 4 IT Governace influenced by public cloudThe hierarchical governance flow remains unchanged, as it With an IT governance model influenced by cloud, the controlcascades from enterprise to corporate and then to IT. As cloud model becomes particularly important. Getronics sees threebecomes an integral component of the governance framework, flavors of control model:it blurs the separation between pure IT and business opera- • Centralizedtions. This is thanks, in part, to the fact that cloud models can • Decentralizedto a large extent be driven by business service delivery rather • Hybrid.than by the ownership of IT assets. The choice of model will be made according to the best organizational fit, and will be influenced by culture, market and maturity. The key variations in these control models are shown in the following table: Model Local Authority Define Policies & Rules Monitoring & Reviewing Centralized Low Council Council Hybrid Mid Combined Combined Decentralized High Organizational Unit/Location Organizational Unit/LocationTable 1 Governance models
  7. 7. CLOUD AND IT GOVERNANCE:TOGETHER OR APART?Getronics believes strongly that although the cloud is maturing,effective cloud governance will only be achieved if it is treatedas an integral element of IT governance. In that position, likethe overall IT governance structure, it will have a particularlyclose relationship with Security Governance. The overallgovernance framework is shown in Figure 5, below. BUSINESS GOVERNANCE ENTERPRISE SECURITY GOVERNANCE IT GOVERNANCE CLOUD GOVERNANCE GOVERNANCE CORPORATE GOVERNANCEFigure 5 Governance frameworkThis integration will require a new governance council to be The regulatory and statutory requirements affecting cloudestablished within the control model. It will need to reflect the strategy will need particular attention. Depending on sectorcloud strategy of the individual organization, and will need to and on geography, for example, the law regarding the physicalmirror cloud usage according to infrastructure, platform and location of storage and service provision will dictate the cloudapplications. options.Sitting within IT governance, the cloud governance council will Risk management and continuity will also be affected.need to set and define: How, for example, will your governance framework prepare for• Cloud service policies and processes contingency and continuity in scenarios in which a provider of• Quality of Service standards and SLA levels with regard to: cloud-services ceases to trade, or is acquired by a third party? - Infrastructure - Platform - Applications• Cloud security with regard to: - Confidentiality, integrity, and availability - Identity and access management
  8. 8. All cloud governance also needs to be able to operate in “runtime”. Because cloud delivery is, by definition, on-demand, theassociated governance model must be able to accommodateinstant changes in usage volumes or in switches of deliveryrouting, storage or processing. CLOUD COMPUTING STRATEGIC VALUE RISK RESOURCE PERFORMANCE DOMAINS FOR IT ALIGNMENT DELIVERY MANAGEMENT MANAGEMENT MANAGEMENT GOVERNANCEFigure 6 Cloud Domains for IT GovernanceSTRATEGIC ALIGNMENTJust as IT governance must be tuned to enterprise strategy, soit is for cloud governance. Cloud vision and strategy can only bemeaningful if choices are made according to strategic enterpriserequirement.The strategic alignment domain is the foundation for every-thing else, and it needs to be right. It will evolve, as the clouditself evolves. Most importantly the governance council willneed to check the model continually against the wider IT andcorporate governance framework: changes there will meanchanges here.Managing Architecture and FunctionalityThe reference cloud architecture must be aligned with thebusiness, and must respect industry, regulatory and companystandards. It must place even more emphasis on businessobjectives than traditional non-cloud architectures. It mustalso take into full account all aspects of integration andinteroperability with existing IT usage.Security, availability and contingency are high on the agenda,and must take into full consideration the impact of a change inservice provider. Cloud governance will also require new skills,and the model must consider roles and responsibilities,particularly relating to provisioning, security, and operations.Sourcing needs particular attention. As cloud-based servicescan be purchased without the need for specialist IT knowledge,relationships between business purchasers and IT functionsneed special consideration.Cloud-based services can be highly-configured according todifferent professional and functional need. Strategic alignmentmust take this into account, making it possible for the enter-prise to build a clear picture of requirement, and to trackchanges in need and use. How this is done will depend on theculture of individual organizations: some will be proscriptive,others will not.
  9. 9. VALUE DELIVERY As a result, cloud governance models must be able to assessValue delivery must define, implement and manage the risk from this entirely new perspective.processes which underpin cloud strategy. It must translatecloud strategy into a program of tactical and operational action. RESOURCE MANAGEMENTThis will include the processes for service acquisition, integra-tion, and provisioning and will embrace the management of Cloud Sourcinglegal, technical and organizational risk. Directory services, Sourcing models can differ greatly with cloud: public, privatealong with identity management and usage metrics are also and hybrid cloud approaches need us to think differently aboutcritical: because cloud is based on consumption – it is essen- governance.tial that you can monitor and measure what is being consumed,in what quantity and by whom. With regard to sourcing, cloud governance must consider vendor continuity, quality-of-service, business reporting andThis domain is closely linked to the performance domain – compliance, cost modeling and more is through effective monitoring that the priorities for changebecome evident. Cloud cuts across such a broad spectrum of activities which previously sat within the IT governance framework. Because of this, it is necessary to develop new rules and new metrics builtRISK MANAGEMENT around service provision and validation.Just as with IT governance, risk management in cloudgovernance must fulfill three functions: The promise of a shift from CapEx to OpEx is held up as a major• Assessing risk incentive to shift to cloud. This does, however, raise questions• Mitigating risk, and around sourcing governance. Where models are “pay-per-use”,• Measuring the success of that assessment and mitigation it becomes difficult to undertake cost and quality comparisons either between cloud-based and traditional models, or indeedThis is not a static scenario. Risk shifts continually, and the between different cloud governance model must be able to track these shifts. Cloud sourcing governance, also needs to take into account,Even though much of the terminology of cloud is new, the the ease with which cloud services can be purchased directly ontechnology is rooted in well-established virtualization prac- departmental budgets, or even on individual expense accounts.tices. What is new, are the service delivery and commercializa-tion models, and as with any untested area, these require Application portfolio planning & lifecycleparticular attention with relation to risk. Even when cloud becomes fully established, most enterprises will continue to rely on a combination of traditional and cloud-Thomas J. Betcher establishes a clear analysis of risk and based in Cloud Computing: Key IT-Related Risks and MitigationStrategies for Consideration by IT Security Practitioners: Here again, comparison becomes a challenge. Rather than focusing on the cost of managing the application portfolio,• Policy and Organizational risks: Lock-in, loss of governance, cloud sourcing governance focuses more on consumption and compliance challenges, loss of business reputation, cloud fitness-for-purpose: the actual cost of management becomes service termination or failure. indivisible from the cost of consumption.• Technical Risks: Availability of service, resource exhaustion, intercepting data in transit, data transfer bottlenecks, New applications and new functions, however, must be sourced distributed denial of service. as required, and the cloud governance sourcing model must• Legal Risk: Subpoena and e-discovery, changes of jurisdic- make it possible to analyze requests in terms of current usage, tion, data privacy, licensing. and to safely allocate development, testing and distribution in a way that can be subsequently re-charged according to usage.One particularly important observation in the Betcher reportrelates to risk and frequency. Many traditional IT governance Reporting transparency and business analysis are two particu-models are designed around IT life-cycles of around three larly interesting aspects of cloud sourcing governance.years. Within these cycles, IT audit leaves a detailed trail of Because both access to applications and usage visibility becomeversion and upgrade information. instant across the enterprise, it becomes far easier both to promote common usage, and to amortize development andWith the cloud, this changes. Not only does the cycle shrink management costs.massively (change can now be measured in hours and weeksrather than in years), but the actual versioning of the technologybehind the service can remain completely hidden from theconsumer.
  10. 10. People and skills to the tactical layer of the governance framework, at leastThe skills profile of an enterprise is central to IT governance – when shared and public cloud services are is not just the technology which must be fit for purpose, butthe professional capabilities of the people who manage it. These KPIs and thresholds should be defined to reflect busi- ness rather than technology performance, and for this reason,Cloud has a high impact here. Over the last five years, Getronics this domain is especially closely tied to strategy alignment.has moved rapidly from being a traditional IT service provider tobecoming a services aggregator, and the emergence of cloud Good reporting is the foundation of both effective performancehas had a major influence in this shift. Getronics has witnessed management and substantiated improvement first hand a reduction in demand for hardware and product- Two things happen in parallel here, as monitoring performancespecific skills along with a corresponding increase in the becomes twinned with monitoring conformance. This can beimportance of skills in managing a partner eco-system. seen clearly, for example, when analyzing usage in the light ofThis skill shift must also be considered in the context of data protection regulation.governance models for sourcing. The cloud control framework is closely related to corporate or IT control frameworks such as CobiT, and is used both to definePERFORMANCE MANAGEMENT and measure conformance. Getronics uses the cloud controlThis domain sets the KPIs and thresholds for the usage and matrix from The Cloud Security AllianceIV as a foundation for itsprovision of cloud services. As indicated previously, Getronics cloud control framework. The Cloud Control Matrix is part of thesees resource and performance management moving upward CSA GRC Stack. Control Area Control Control Specification Cloud Service Delivery Scope Applicability ID Model Capability SaaS PaaS IaaS Service Customer Provider Information IS 32 Policies and procedures shall be established Security and measures implemented to strictly limit Portable/ access to sensitive data from portable and Mobile mobile devices, such as laptops, cell phones, X X X X X Devices and personal digital assistants (PDAs), which are generally higher-risk than non portable devices (e.g. desktop computers at the organization’s facilities). Information IS 33 User access to program source code shall be Security restricted to authorize personnel. – Source X X X X Code Access Restriction Information IS 34 The use of utility programs that might be Security capable of overriding system and application – Utility controls shall be restricted. X X X X X Programs Access Legal – LG 01 Requirements for confidentially or non Non Disclo- disclosure agreements reflecting the organiza- X X X X X sure Agree- tion’s needs for the protection of data shall be ments identified and reviewed at planned intervals. Legal – LG 02 Agreements with third parties accessing, Third Party processing, communicating or managing the Agreements organization’s information assets, or adding products or services to information assets shall cover all relevant security requirements. X X X X Agreements provisions shall include security (e.g. encryption, access controls, and leakage prevention) and integrity controls for data exchanged to prevent improper disclosure alteration or destruction.Figure 7 Illustrative extract of the CSA Cloud Control Matrix
  11. 11. IT GOVERNANCE COUNCILBefore considering ensuing actions for cloud governance, we the existing charter, and to ask how the new cloud mandate iswill take a moment to consider a possible organizational going to be represented within it.structure. As mentioned previously, Getronics firmly believesthat an effective cloud governance model must be fully Clarity and focus are the watchwords, and hopefully you willintegrated with IT governance, and will, as a result, be organ- find the five domains outlined in this paper a useful guide inized in an IT governance council. considering the precise focus and pointer to the required roles and responsibilities.The council for cloud governance will, as a result, be embeddedwithin the IT governance council, and will share the same The figure below, shows the structure of Getronics’ own ITobligations in terms of alignment with corporate and enterprise governance council, indicating how cloud has been embeddedgovernance and, in particular, with security governance. within it. Note how the Cloud Innovation Council is formally integrated in the IT Governance Council, and in turn, is posi-The council’s charter becomes its most fundamental tool. If you tioned to draw on business and technology expertise fromare establishing a cloud council within your existing IT govern- across the organization. The Portfolio Board are particularlyance council, it will be important to take a thorough review of influential. SENIOR EXECUTIVE(S) FINANCE INTERNAL AUDIT DEPARTMENT DEPARTMENT IT GOVERNANCE COUNCIL • CISO, CIO, CCO PORTFOLIO BOARD OF • BUSINESS EXECUTIVES BOARD DIRECTORS • PROCESS MANAGERS • IT & OPERATIONS • CLOUD INNOVATION COUNCIL LEGAL EXTERNAL DEPARTMENT PARTIES BUSINESS IT DEPARTMENT OPERATIONS EXECUTIVE(S) EXECUTIVES EXECUTIVES MANAGERS, MANAGERS, MANAGERS, TEAM LEADERS TEAM LEADERS TEAM LEADERSFigure 8 IT Governance Council
  12. 12. RECOMMENDATIONSGetronics has already adopted cloud-based delivery for a large REFERENCESproportion of its own infrastructure, platform and services. I NIST, National Institute of Standards and Technology SpecialWe have invested significantly in the development and imple- Publication 800-145 (Draft) 7 pages (January. 2011),mentation of our cloud governance model as a result. SP-800-145_cloud-definition.pdfWe see traditional and cloud-based services running concur- II The CIMA Strategic Scorecard, March 2005.rently in most enterprises for many years to come, and do not the corporate responsibility of addressing cloud /tech_dispap_CIMA_strategic_scorecard_0305.pdfgovernance as both a strategic and operational priority. III Board Briefing On IT Governance 2nd edition, 2003 , IT Governance Institute,Early excursions into cloud for many organizations were not formal – that’s normal. There is a risk, however, Documents/BoardBriefing/26904_Board_Briefing_final.pdfof allowing informal interest to gather momentum without IV Cloud Security Alliance,control, and it is important to build monitoring into the loop. always, the longer you leave it, the tougher it gets. ABOUT THE AUTHORGetronics recommends its clients to formally task its own IT Maurice Remmé is responsible for Getronics Data Center andgovernance professionals with the assessment of cloud and Cloud initiatives worldwide and has a primary focus on vision,governance. It recommends that this is done as an integral strategy and portfolio development. Maurice has over 10 yearselement of overall IT governance, and that it is done while of experience in the ICT industry and at this moment is activelyembracing both security and enterprise strategy. involved in the development and implementation of Getronics’ Services Aggregator strategy.If you would like to discuss any of these ideas or objectives withour own cloud compliance specialists, please do contact us.
  13. 13.