Jazoon'12 Enterprise-wide Cloud Governance


When considering the adoption of cloud computing services, a business case cannot be complete without a discussion of governance. In particular, it is important to understand that an ad-hoc, non-deliberately defined governance approach is likely to have negative consequences. Even where there are no obvious missteps, project-level actions and decisions that are clearly sensible in isolation can interfere with organization-wide strategic goals when taken in aggregate. Additionally, there may be non-obvious pitfalls: the temptation of immediate implementation after a credit card payment can lead to risks out of proportion to the cost savings achieved by a specific department or team. However, although risk management is vital, it is only one of many aspects of governance that should be considered.

Since the general meaning of "governance" simply refers to "the system used for exercising authority", it has come to represent different ideas to different people. Too often, end users see it in a negative light ("governance means rules that make it hard for me to do my job"), and legal departments see it as "rules that we need to prevent exposure to attack". We propose that, where possible, it is best to approach governance as "processes that encourage desirable behavior by making common things easy but hard things possible".

Finally, it is important to realize that, whichever meaning is used, there is no universal "correct" form of governance. Different forms of governance are effective in different situations, for achieving different outcomes, or even for achieving the same outcome in different ways.


    1. Enterprise-wide Cloud Governance Considerations
       Ronnie Brunner and Jason Brazile, Netcetera
       S06.5
    2. Most Employees in Your Company Likely…
       > Have used a personal Google/Yahoo account for work
       > Have installed a personal app on their company desktop/laptop
       > Have shared work files using Dropbox/Pastebin/…
       > Have used Skype for work
       > Have created an Internet user account for company use
       > Have been convinced of a product by reading a technical or business "success story"
       > Bought project / work related things online with a credit card
       > Think it is possible to save money by using "The Cloud"
       > Aren't 100% confident they know their firm's current strategic goals, at least with respect to cloud services
       These can be good. These can be not so good. What decides this?
    3. Goals of This Talk
       > Convince that governance should be more about encouraging than punishment
       > The important role of a firm's strategic goals and structural organization
       > There's no universal "X is always good" or "Y is always bad"
       > Governance happens – at least chaotically if not deliberately
       Employees tend to do the right thing if it is easy, logical, and they know what it is
    4. What is Governance? Is it Something…
       > …that gets in your way when you need something?
       > …that is called for after trouble has been discovered/publicized?
       > …you've once been rewarded for secretly bypassing?
       > …that efficiently keeps common workflows running smoothly?
       > …that enables the firm to realize its business goals?
       > …that you've gladly helped to update/improve recently?
       It can be any combination of these things
    5. Suggested Definition of Governance
       Governance is: The system used for exercising authority
       It happens anyway – whether deliberately defined or not
       Governance goal: Encouraging Desirable Behavior
       Source: Peter D. Weill, Jeanne W. Ross: "IT Governance: How Top Performers Manage IT Decision Rights for Superior Results", Harvard Business Press, 1 June 2004
    6. Why Cloud Instead of "Just" IT Governance?
       Cloud-first (U.S. govt.) end 2010:
       > All CIO's had to define ≥ 3 projects
       > By Q4 2011, 1 must be deployed
       > By June 2012, all 3 must be
       "Beginning in FY 2013, we expect cloud migrations to save agencies about $100 million a year, a[nd] that is for email alone." – Steven VanRoekel, Federal CIO, 2012-06-07
       But first of all…
    7. Cloud Computing
       "Cloud Computing supports those who wish to 'try first, justify second'" – James Staten, Forrester, 2009
       Cloud Computing is:
       > On-demand
       > Self-service
       > Pay-as-you-go
       (Diagram: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS); Cross platform solutions; Cloud Enablers)
    8. Traditional Risk Management View of Governance
       Risk | Examples | Result
       ---- | -------- | ------
       Re-invention of wheel | Portal proliferation; user account mess | Poor services, inefficiency
       Individual "contracts" via credit card | Critical service is down because key person's individual credit card expires | Service failure, data mess (where's what?)
       Single actor can choose wrong direction quickly | Introduction of a proprietary SaaS solution that (only) provides a quick fix | Unmanaged service portfolio, not reaching strategic goals
       Costs can't be tracked well | Monthly bills unpredictable due to irregular demand; lots of hard-to-track small transactions with many providers | Financial exposure and uncertainty
       Costs slowly increase | Nobody cleans up hard disks or gets rid of unused virtual machines | More expensive over time, unclear what's still needed
       Data gets leaked | Data protection violation, leak of industry partner's (or member state's) secrets | Financial liability, loss of trust
       Data loss | NASA's moon landing tapes, hacker data vandalism, provider default | Image/brand damage
    9. Traditional Governance Measures I
       Measures (per provider):
       • User manages permissions to a fine grained level
       • Platform allows delegated authentication – what is authenticating users?
       • Organization controls where users can log in from
       • Multiple methods for download/backup via API
       • Manage individual S3 and EC2 account rights
       • Get users to send checksums for ensuring data integrity
       • Firewalls must be configured securely
       • New segregation of duties issues between management of cloud resources and management of instances
       • Encrypted file systems
       • Local backup of critical data and EBS/AMI backup to S3
       • EBS snapshots which can be moved across zones
       • Versioning
       Source: Tim Weir, "Cloud computing: The Role of Internal Audit", Ernst and Young, Oct 2009
    10. Traditional Governance Measures II
        Measures (per provider):
        • Ensure own compliance and privacy policies
        • Links to internal authentication system
        • Data backups
        • Replication to internal systems
        • Distributed authentication, provisioning/de-provisioning
        • Administrative control panel rights
        • Restrict documents/file sharing to just your domain
        • Backup your own data
        Source: Tim Weir, "Cloud computing: The Role of Internal Audit", Ernst and Young, Oct 2009
    11. Proposal For Approaching Cloud Governance
        The Big Picture
        > Which decisions have to be made and who should best decide them
        Communication
        > All (management) knows the principles – everybody can trace measures back to corporate strategy
        Corporate Strategy
        > Governance must be tightly linked with corporate strategy
        Desirable Behavior
        > And when possible, prefer to encourage desirable behavior rather than punish undesirable behavior
    12. Big Picture – What & Who (Weill/Ross)
        The Basics:
        > What decisions to make?
        > Who should make them?
        Who (decides):
        > "Monarchy" (CEO, CFO)
        > "IT Monarchy" ("IT guys")
        > "Feudal" (BU as individuals)
        > "Federal" (BUs as a group)
        > "IT Duopoly" (IT + …)
        > "Anarchy" (each individual)
        What (Decisions):
        > Principles (Op model, desirable behaviors)
        > Architecture (What data/processes are standard?)
        > Infrastructure (What must be in-house?)
        > Business App needs (Identification, assessment, ownership)
        > Investment/Prioritization (What's ASAP? BU vs Org)
        Source: Peter D. Weill, Jeanne W. Ross: IT Governance, Harvard Business School Press, 2004
    13. Big Picture – How (Observed results) (Ross/Weill)
        Comparing IT Governance Arrangements of Organizations (each cell: Input % / Decision %)
        Arrangement | IT Principles | IT Architecture | IT Infrastructure | Business App Needs | IT Investment
        ----------- | ------------- | --------------- | ----------------- | ------------------ | -------------
        Business Monarchy | 0 / 27 | 0 / 6 | 0 / 7 | 1 / 12 | 1 / 30
        IT Monarchy | 1 / 18 | 20 / 73 | 10 / 59 | 0 / 8 | 0 / 9
        Feudal | 0 / 3 | 0 / 0 | 1 / 2 | 1 / 18 | 0 / 3
        Federal | 83 / 14 | 46 / 4 | 59 / 6 | 81 / 30 | 93 / 27
        Duopoly | 15 / 36 | 34 / 15 | 30 / 23 | 17 / 27 | 6 / 30
        Anarchy | 0 / 0 | 0 / 1 | 0 / 1 | 0 / 3 | 0 / 1
        No data / Don't know | 1 / 2 | 0 / 1 | 0 / 2 | 0 / 2 | 0 / 0
        Federal is the most common input arrangement for all enterprises. Each cell is the percentage of the 256 enterprises studied in 23 countries.
        Source: Peter D. Weill, Jeanne W. Ross: IT Governance, Harvard Business School Press, 2004
    14. Big Picture – How (Observed results) (Ross/Weill)
        How Top Financial Performers Govern (decision rights across IT Principles, IT Architecture, IT Infrastructure, Business App Needs, IT Investment)
        > Business Monarchy: Profit (all five decisions); Growth (two of the decisions)
        > IT Monarchy: Profit (one decision)
        > Feudal: Growth (one decision)
        > Federal: Profit (one decision)
        > Duopoly: ROA (all five decisions)
        > Anarchy: none
        Duopoly is the most common pattern for all firms.
        Profit, ROA, Growth = Firms with significantly higher or increasing average three-year industry-adjusted profits, ROA or growth
        Source: Peter D. Weill, Jeanne W. Ross: IT Governance, Harvard Business School Press, 2004
    15. From Objective to Desirable Behavior
        Objectives | Desirable Behavior | Potential Mechanism
        ---------- | ------------------ | -------------------
        Holistic view of business, incl. IT | Seamless management incorporating IT | Executive and senior management committee
        Identify strategic technologies and standards | Business-driven IT decision making | Architecture committee – enforcement
        Take process view using IT (and other assets) effectively | End-to-end process management | Process teams with IT membership
        Consider IT as another business investment | Prudent IT investing – different approaches for different investment types | Capital investment approval and budgets
        Specify and measure IT service | Professional supply and demand | Service Level Agreements
        Recoup IT costs from business | Responsible use of IT | Charge-back
        Measure IT investments and contribution to business value | Makes transparent goals, benefits and costs | Formal tracking of business value of IT, often using balanced scorecard
        Source: Effective but challenging governance mechanisms, MIT Sloan School CISR
    16. An Encouraging Rather Than Punitive Attitude
        Example adjustments:
        > "Can't go live w/o backup" → Provide access to easy-to-use backup services
        > "Don't sign-up for video chat XYZ" → Provide corporate accounts for a variety of easy-to-use collaboration tools
        > "Don't use AWS EC2" (e.g. regulatory compliance) → Offer properly located Eucalyptus-based alternative
    17. Additional Encouraging Examples (DR/BC)
        > Offer standard procedures for synchronizing data remotely. These procedures encrypt data using the strongest encryption possible
        > Offer virtual machine images with the same operating system, tools, core applications, and libraries as production systems
        > (Optionally) provide tools (not just procedures) to automate/configure the processes
        > Provide escrow for all key authentication data
        > Offer to test restoring infrastructure remotely based on current data
    18. Measures Must Be Traceable Back to Goals
        Example traceable goals:
        > Maximize profit
        > Maximize ROA
        > Maximize growth
        > Standardize capabilities
        > Focus on core competencies
        > …
        Communication tasks:
        > Trace back to goals
        > Publicize traceability
        > Publicize exception handling process
        > Publicize exceptions
        > Executive-driven
    19. Goal: Max. Profit → e.g. Consolidate, Cost-control
        > Centralized "dashboard"
        > Your 1st movers are actively sharing best practices experience
        > Know the "true cost" of internal IT
        > Governance measures known and respected by all
        Source: Jake Sorofman (rPath), "How to Achieve the Strategic Value of Cloud While Delivering Real ROI", 3 March 2009
        From Virtualization to "Hypercloud":
        > Dynamic sharing of app workload
        > Capacity arbitrage
        > Self-service application provisioning
    20. Goal: Standardize/Raise Capabilities → SaaS
        > Market leading browser-based offerings (work anywhere)
        > Higher "collaborativity" e.g. simultaneous editing
        > Lower mismatch w/partners, suppliers…
        > Supports more std business processes
        (Examples shown: Realtime Collaborative Office, Project Mgmt, CRM, Desktop Sharing)
    21. Goal: Maximize Growth → De-centralize
        > Empower business units to drive IT investment
        > Embed IT professionals in business units to focus on unit's needs
        > Sacrifice integration for functionality and speed
        > Less substantial enterprise-wide infrastructure
        (Diagram: Business Unit A, Business Unit B, Business Unit C, Business Unit D)
        Source: Peter D. Weill, Jeanne W. Ross: IT Governance, Harvard Business School Press, 2004
    22. Takeaways of This Talk
        Governance goals
        > Choosing the right governance structure mainly depends on the strategic goals
        > Encouraging desirable behavior is likely to be more successful than punishing
        > Make goals and measures transparent (and traceable) to support encouragement
        No universal "good/bad"
        > The same can be an excellent or very bad decision; it really depends on the strategic goals
        > To be able to decide in any specific case: Are standard processes traced to executive strategy and are exceptions covered by a known exception process?
    23. Contact
        Ronnie Brunner, ronnie.brunner@netcetera.com, +41-44-247 79 79
        Jason Brazile, jason.brazile@netcetera.com, +41-44-247 79 25
        Netcetera, Zypressenstrasse 71, CH-8040 Zürich, +41-44-247 70 70