Part 1: An unimplemented Cloud Governance Model is a SCAM!

Why Do You Need a Cloud Governance Model?

A cloud governance model ensures that security, continuity, costs, and their optimization are considered in the development and operation of systems. It helps guide and sometimes even enforce all stakeholders utilizing the organization’s cloud platform, such as various application vendors and development partners, to act appropriately. A clear example of the need for governance is the numerous incidents where data has leaked from a customer-managed environment.

For instance, a financial services company had an open AWS S3 bucket, containing a freely accessible 425GB database

The most recent governance failure to hit the headlines occurred just a short while ago when a former Cisco employee was able to take down the WebEx platform five months after their employment ended.

This raises the question: could it really be that a company the size of Cisco had no defined approach to cloud governance and no clear standards for cloud security? I find it hard to believe that somewhere in their offices, there isn’t an expensive stack of papers titled “Cisco Cloud Governance.”

The purpose of a cloud governance model is to build a technical implementation of the defined standards within the target cloud. However, this technical implementation often gets postponed indefinitely or is slowly cobbled together because "these things will probably get clarified as we go."

Over the years, in various cloud compliance workshops, it has become abundantly clear how complex this issue is and how unfortunately “out of touch” the internal IT or other leadership of companies can be when it comes to understanding what cloud governance means and requires. At best, 15 people from different departments of the organization gather in a meeting room, and no one really knows why they’re there. These meetings are held 4-7 times, and the consultant’s role often turns into a monologue for glazed eyes, with a few occasionally interested participants chiming in with comments. Definitions may remain incomplete or merely examples, only to be left on paper. It’s also worth noting that service providers haven’t always been clear on how to handle this.

This leads to the misconception that the job is done because the issues are documented, and there’s a collective sigh of relief. Unfortunately, this document alone guarantees nothing.

I’ve tried to think of reasons for this disconnect. One reason could be that the cloud governance model was developed with a consulting firm that only focuses on defining things without considering how the definitions should be technically implemented. On the other hand, the Cloud Advisor teams at service providers might be too detached from reality, having lost the connection to technical implementation long ago.

The definition work is also a significant effort, and the cost is such that technical implementation hasn’t been planned for. I’ve also noticed that often skilled and experienced cloud consultants aren’t interested in building the foundation of the cloud; their passions lie in the innovative solutions built on top of it. If the definitions are not taken to the level required for technical implementation, it’s challenging for a cloud consultant to translate abstract requirements into the correct configuration and create the technical implementation of the cloud governance model, known as the Landing Zone. For this reason, the implementation becomes more complex, takes longer, and costs more. In situations where systems have been developed in the cloud for a long time without a governance model, taking control of the situation and addressing gaps and shortcomings later can be extremely challenging.

In the next part, I’ll explain how we believe these challenges should be approached.

The original text was written in 1.10.2020, this is the updated version.