Tuesday, December 14, 2021

Cloud Governance best laid plans: Part 1

I have been working on cloud for 7 years now. I started with Oracle OCIC, then OCI, and now work with Azure, AWS and GCP. When in operations, the focus was: set it right, implement it well, check it before go-live, keep it running within RTO/RPO and maintain the SLA. But a few years ago the focus shifted to good implementation practices. Good cloud governance is not just about technical changes; it also involves changes to your corporate policies. Corporate policies are always tied directly to business-level risks. Only with good corporate policies can we think of healthy cloud governance.

Corporate policy work for the cloud falls into three sections:

1. Business risk

Risk drives policy, and it in turn shapes the monitoring and enforcement requirements. The risks a small company carries and those a Fortune 500 company carries may be quite different. Likewise, on-premises risks and cloud risks are very different. Scale of deployment, company size, customer base and so on change business risk from one organization to the next. Business risk can be handled MVP-style (minimum viable product), much like product development: start small and expand as the deployment grows, rather than holding out for 100% mapped governance policies. You can never afford to wait for complete, holistic governance; the earlier the better, even at small scale.

2. Policy and compliance

Converting risk decisions into policy statements, and then achieving compliance with them, is crucial. Review the existing policies around cloud and create or update them as needed. Most cloud providers now publish security policies for each of their products, but most of that material is only a baseline; tighten it according to your own corporate policies.

3. Processes

After defining policies, the next step is to define the processes that support those policies and ensure adherence to them. This may also include establishing a cloud governance team. Check regularly that policies and processes still map to each other, so they stay current and aligned with the business. Establishing these processes creates a large need for training, to keep employees informed. Define what path will be taken when there is a violation. Automating these processes is a great way to mitigate risk, because decisions are then taken on data rather than on assumptions.

I will discuss cloud governance further in the next post.
