What is Cloud Governance?
Cloud governance is a framework that’s focused on ensuring cloud deployments are operating securely and properly. Cloud governance is composed of the policies, procedures, and tools employed to achieve these objectives. For enterprises running business-critical services in the cloud, governance must be comprehensive, supporting effective security, continued compliance, cost efficiency, and optimized operations. In addition, it is vital that governance capabilities span not just a single implementation or even all deployments within a single cloud provider, but all cloud deployments across all providers—ensuring they are all operating optimally and securely.
The Perils of Ineffective Cloud Governance
Without effective cloud governance, enterprises can be exposed to a range of penalties:
- Security risk. Much has been written about the security risks of moving to the cloud, and for good reason. Compared to traditional on-premises environments, securing data and services in the cloud represents a very different paradigm, and many organizations struggle in navigating this transition. In fact, through 2025, Gartner analysts estimate that 99% of cloud security failures will be the customer’s fault—not the cloud provider’s. Further, in the same report, analysts estimate that 90% of the organizations that fail to control public cloud use will inappropriately share sensitive data. (Source: Gartner, “Is the Cloud Secure?” Kasey Panetta, October 10, 2019)
- Non-compliance penalties. For modern enterprises, compliance represents an increasingly vital imperative. Particularly any time personally identifiable information is stored in a cloud environment, organizations need to ensure compliance with a range of increasingly stringent privacy and security mandates, and failure to comply is an ever more costly proposition. On average, non-compliant organizations incur penalties in excess of $14M a year, and costs can run as high as $40M. (Source: Ponemon Institute LLC, sponsored by Globalscape, “The True Cost of Compliance with Data Protection Regulations,” December 2017)
- Wasted money. While the cloud offers a range of benefits compared to legacy, on-premises infrastructure, without proper governance, cloud costs can quickly spiral out of control. In fact, Gartner analysts report that in the next few years, 60% of organizations will encounter cost overruns in public clouds. (Source: Gartner, “6 Ways Cloud Migration Costs Go Off the Rails,” Meghan Rimol, July 7, 2021) Opportunities to optimize cost efficiency are plentiful. For example, simply by scheduling development instances to run during business hours rather than 24 hours a day, teams can reduce the cost of those instances by 70%. (Source: Gartner, “How to Manage and Optimize Costs of Public Cloud IaaS and PaaS,” March 23, 2020, Analyst(s): Marco Meinardi, Traverse Clayton, ID: G00465208) However, it takes effective and efficient governance to institute these controls.
- Poor performance. Within cloud environments, teams can leverage a broad assortment of agile, dynamic technologies. While these modern environments present a range of opportunities for developers, they also pose a number of challenges for operations teams. In containerized, dynamic, and highly automated cloud environments, resources and workloads are in virtually constant motion. With all this change, it can be difficult for operations teams to track performance and spot potential or actual performance issues—before it’s too late.
Dimensions of Cloud Governance
To be effective, teams need to establish governance that spans these areas:
- Security. Cyber attacks are a constant threat, and criminals’ tactics continue to evolve. Teams need to ensure strong controls are in place and kept current to meet these evolving threats.
- Compliance. Compliance mandates are changing constantly. So too are cloud implementations. Teams need to be able to gain the visibility and control required to ensure compliance with standards and mandates like the NIST Cybersecurity Framework (CSF), the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and the CIS Benchmarks.
- Cost. Without effective governance, costs for cloud services can quickly spiral out of control. Teams need to be able to continuously verify that provisioned resources are actually being used and, where idle or excess resources are identified, ensure they are deprovisioned promptly.
- Operations. Within cloud environments, it is vital that end-users always receive responsive, reliable service. Teams need to be able to institute the redundancy and adaptability required to ensure that optimized service levels are delivered at all times.
Challenges in Establishing Effective Cloud Governance
Cloud services present a fundamentally different paradigm for governance. In years past, IT operations could establish central governance controls that could be applied across an organization’s computing estate. For the most part, on-premises environments were relatively static and homogenous, which meant it was far simpler to establish and enforce uniform policies.
Within cloud environments, however, all that changes. As cloud providers continue to innovate and expand service offerings at an increasingly rapid rate, development and operations teams are presented with a wide range of tools, configuration options, platforms, and technologies. While this proliferation of options offers unprecedented flexibility, it also ushers in unprecedented complexity. Without effective, nimble cloud governance capabilities, this complexity can be difficult to manage, leaving the business exposed to the potential for security breaches, budget overruns, compliance penalties, poor service levels, and catastrophic outages.
Mitigating the risks outlined above poses a number of challenges for many teams. For example, when surveyed about managing multi-cloud environments, “maintaining security, policy, and compliance” was by far the top-rated challenge, one that respondents found the most “challenging, frustrating, or difficult.” (Source: ZDNet, “Cloud computing in the real world: The challenges and opportunities of multicloud,” Charles McLellan, April 29, 2021) Consequently, in many organizations, teams are forced to choose between mitigating risk or promoting developer productivity—because they lack the ability to meet both of these objectives.
“Software developers are like kids in a candy store when it comes to selecting and configuring all of the public cloud services they want to use for creating their applications,” said Torsten Volk, Managing Research Director, EMA. “This makes governance hard and the number one challenge that delays cloud adoption and deployment.”
Key Implementation Requirements
To establish pragmatic, sustainable governance in dynamic, complex, multi-cloud environments, teams need to leverage platforms that offer the following characteristics:
- Complete capabilities. Platforms must deliver the controls needed to address the four dimensions of cloud governance outlined above: security, compliance, cost, and operations.
- Simple policy creation. Teams must be able to create policies in a fast, efficient way. Even non-technical users should be able to employ simple, declarative languages for defining policies.
- Cloud-native approach. Any cloud governance platform should be cloud native—offering capabilities that are fully aligned with the technologies, architectures, and approaches employed in modern public cloud environments.
- Efficient, CI/CD-aligned deployment. It is vital that cloud governance implementations are closely aligned with the agile, fast deployment characteristics embodied in cloud environments. For example, teams should be able to use Git to deploy policies as part of their existing continuous integration/continuous delivery (CI/CD) pipelines.
- Real-time enforcement. To ensure continuous optimization, teams need more than governance reporting. If governance issues or even potential issues arise, teams should be able to establish capabilities for real-time response. This must include not only the delivery of real-time notifications but the ability to remediate potential issues automatically.
The Emergence of Cloud Governance as Code
Given the requirements and imperatives outlined above, many operations leaders are shifting to a new paradigm: cloud governance as code. In this approach, governance policies are written as declarative, version-controlled code, evaluated automatically against the cloud estate, and enforced through the same CI/CD workflows developers already use, which keeps the developer experience largely frictionless. Through cloud governance as code, teams can apply policies in an agile, flexible, and efficient manner. With these capabilities, cloud and security engineering teams can realize the following advantages:
- Strengthen security. With governance as code capabilities, security teams can more effectively and flexibly establish strong security policies, more consistently enforce those policies, and respond rapidly if those policies are in danger of being breached. In this way, teams can more effectively safeguard against the constant threat of cyber attacks.
- Address ever-changing compliance requirements. With these capabilities, teams can establish persistent compliance with evolving requirements and mandates, including General Data Protection Regulation (GDPR), NIST CSF, PCI DSS, HIPAA, and more.
- Reduce operational overhead and developer friction. Through governance as code approaches, teams can establish governance within the framework of agile CI/CD workflows, so controls can be implemented while minimizing administrative effort and development hurdles.
- Control costs. With governance as code, teams can automatically identify, right-size, and de-provision unnecessary resources. As a result, in spite of the proliferation of cloud instances and the enormous number of permutations of technologies and tools that can be employed, teams can nevertheless ensure constant adherence to best practices for resource allocation and utilization.
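To make the "governance as code" model concrete, the following is an added example (not code from the original page, and not any vendor's policy language): a small, self-contained Python evaluator that runs a set of declarative policies, one per governance dimension (security, compliance, cost, operations), over a constructed cloud inventory. The inventory, the policy format, the business-hours window (08:00-17:59 UTC, Monday to Friday) and the remediation actions are all assumptions for illustration. The point it shows beyond the text: policies are data checked into version control, evaluated on a fresh copy of the inventory, and wired to a CI gate that fails the pipeline on security findings while merely reporting the rest, so the same run can either notify or remediate.

```python
"""Minimal governance-as-code evaluator (illustrative, constructed data)."""
import copy
from datetime import datetime, timezone

# Constructed sample inventory; ids and tags are made up for this example.
INVENTORY = [
    {"id": "i-dev-1", "type": "instance", "tags": {"env": "dev", "owner": "alice"},
     "state": "running"},
    {"id": "i-prod-1", "type": "instance", "tags": {"env": "prod", "owner": "ops"},
     "state": "running"},
    {"id": "bucket-logs", "type": "bucket", "tags": {"env": "prod"},
     "public": True, "encrypted": False},
    {"id": "bucket-app", "type": "bucket", "tags": {"env": "prod", "owner": "bob"},
     "public": False, "encrypted": True},
    {"id": "i-untagged", "type": "instance", "tags": {}, "state": "running"},
]

# Declarative policies (assumed format): every filter must match for the
# action to apply. "tag.<name>" reads a tag, "missing_tags" checks absence,
# "off_hours" is evaluated against the clock passed to evaluate().
POLICIES = [
    {"name": "public-bucket", "dimension": "security", "resource": "bucket",
     "filters": {"public": True}, "action": "make_private"},
    {"name": "unencrypted-bucket", "dimension": "compliance", "resource": "bucket",
     "filters": {"encrypted": False}, "action": "notify"},
    {"name": "dev-off-hours", "dimension": "cost", "resource": "instance",
     "filters": {"tag.env": "dev", "state": "running", "off_hours": True},
     "action": "stop"},
    {"name": "missing-owner-tag", "dimension": "operations", "resource": "*",
     "filters": {"missing_tags": ["owner"]}, "action": "notify"},
]

BUSINESS_HOURS = range(8, 18)  # assumed: 08:00-17:59 UTC, Monday-Friday
SATURDAY_NIGHT = datetime(2024, 6, 1, 3, tzinfo=timezone.utc)   # off hours
MONDAY_MORNING = datetime(2024, 6, 3, 10, tzinfo=timezone.utc)  # business hours


def is_off_hours(now):
    return now.weekday() >= 5 or now.hour not in BUSINESS_HOURS


def matches(resource, policy, now):
    """True when the resource type and every filter in the policy match."""
    if policy["resource"] not in ("*", resource["type"]):
        return False
    for key, want in policy["filters"].items():
        if key == "missing_tags":
            if all(tag in resource["tags"] for tag in want):
                return False
            continue
        if key == "off_hours":
            got = is_off_hours(now)
        elif key.startswith("tag."):
            got = resource["tags"].get(key[4:])
        else:
            got = resource.get(key)
        if got != want:
            return False
    return True


def remediate(resource, action):
    """Apply an action to the in-memory resource (a real tool would call the
    provider API here); "notify" deliberately changes nothing."""
    if action == "make_private":
        resource["public"] = False
    elif action == "stop":
        resource["state"] = "stopped"


def evaluate(inventory, policies, now, enforce=False):
    """Return one finding per (policy, matching resource); with enforce=True
    also apply the policy's action to the matched resource."""
    findings = []
    for pol in policies:
        for res in inventory:
            if matches(res, pol, now):
                findings.append({"policy": pol["name"], "dimension": pol["dimension"],
                                 "resource": res["id"], "action": pol["action"]})
                if enforce:
                    remediate(res, pol["action"])
    return findings


def gate(findings, blocking=("security",)):
    """CI gate: pass only if no finding falls in a blocking dimension."""
    return not any(f["dimension"] in blocking for f in findings)


def run(now, enforce=False):
    """Evaluate a fresh copy of INVENTORY; with enforce=True remediate and then
    re-evaluate so the caller sees what remains after automatic fixes."""
    inv = copy.deepcopy(INVENTORY)
    first = evaluate(inv, POLICIES, now, enforce)
    remaining = evaluate(inv, POLICIES, now) if enforce else first
    return first, remaining


if __name__ == "__main__":
    first, remaining = run(SATURDAY_NIGHT, enforce=True)
    for f in first:
        print(f"{f['dimension']:<11} {f['policy']:<20} {f['resource']:<12} -> {f['action']}")
    print("gate before enforcement:", gate(first), "| after:", gate(remaining))
```

In a pipeline, `run(now)` is the pull-request check (report only, block on security) and `run(now, enforce=True)` is the scheduled enforcement job; because policies are plain data, adding a rule is a reviewed commit rather than a console change, and the dry-run output is what a reviewer sees before the rule ever touches a live account.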