DEV Community: sintetico82

Cloud Governance Management System

sintetico82 — Mon, 10 Jan 2022 11:40:36 +0000

In this article, we will try to build a Cloud Governance Management System (CGMS), which is an integrated system consistent with Cloud services and allow to reach Cloud objectives. The main CGMS’s components are:

Principles;
Reference models, policies, processes, procedures and tools;
Organizational structure, roles and responsibilities;
Monitoring and Key Performance Indicators (KPI).

We already discussed principles principles, so let see more details about reference models, policies and processes.

Reference models, policies, processes, procedures and tools

Governance and management are activities based on processes. For creating a reference model we need to identify which are processes for the company that will use both for cloud governance than management.

For each Cloud principle, it is defined a relative governance’s process. The process and his name should represent what is needed to realize the principle. In this way, a map that identifies the IT processes to follow is constructed, based on cloud governance principles. Of course, principles and processes can be already present in the company, and nowadays there are many well-established standards like COBIT 5 and ISO/IEC 38500. While the IS/IEC 38500 standard only defines IT governance principles, the COBIT 5 framework also defines activities and processes.

So, we can use as a basis the COBIT 5 framework for processes. It subdivides the processes into two areas, governance and management. The two areas in total have 5 domains and 37 processes:

Governance of Enterprise IT
- Evaluate, Direct and Monitor (EDM) - 5 processes.
Management of Enterprise IT
- Align, Plan and Organise (APO) - 13 processes;
- Build, Acquire and Implement (BAI) - 10 processes;
- Deliver, Service and Support (DSS) - 6 processes;
- Monitor, Evaluate and Assess (MEA) - 3 processes.

If we consider the EDM area, we can make a link with Cloud services principles and the activities inside the EDM area. We define ti activities in Evaluate, Direct and Monitor area, associate processes to principles, and activity to processes.

for exemple:

Tools are extremely helpful for standardizing policies, processes and procedures. Using the right tools, the company can ensure the right execution of the processes. Of course, some tools can be “nice to have”, but other tools are mandatory for an effective CGMS. So, very important tools are a ticketing system to track and manage service requests and incidents, CMS to store documented processes and procedures, and collaboration tools to coordinate schedules and other shared information with Cloud service providers (CSPs) and stakeholders.

In this example model principles is the main container, governance direct with plans and policies the management, evaluate their proposals and monitoring management performance and conformance fo continual improvement.

Data, architecture and structure are a set of principles to support the privacy, confidentiality, availability, integrity and security of data on public and private clouds. Compliance and Risk Management are controls to manage, minimize and transfer risks.

Management contains management and operations activity, for example:

Cloud service provider management
- Change management
- Cloud vendor management
- Monitoring and measurement
- Service level management
- Real-time alerting
Operations
- Service management integration
- Availability management
- Capacity management and scalability
- Business continuity and disaster recovery
- Operations management
Finance management
- Consumption model
- Total cost ownership model
- Benefits realization
- Adoption costs
Security
- Identity and access management
- Data protection
- Security operations
- Platform security

Tools support all areas (the icons are only an example of software tools to use, but of course, every company chooses their tools, both digital or physical like an old fashion paper).

Conclusion

Cloud Governance Management System can be hard to create and maintain, also the amount of plans, policies, controls, people to govern and manage everything highly depends on the company nature and its principles and goals.

References

Fulton, Lita. Cloud Governance and Management Made Simple: Practical Step-by-Step Guide for Small and Mid-Sized Organizations

Align Cloud services with business goals

sintetico82 — Fri, 12 Nov 2021 14:29:08 +0000

You know what are the impacts of Cloud adoption on your governance and you start with building your Cloud principles, what next?

An important phase at this point it’s the alignment of company business goals with Cloud services. If the Cloud objectives are not aligned with real company needs, Cloud service adoption can be a step backwards in terms of cost and efficiency rather than a qualitative advantage. Let better distingue the difference between goals and objectives.

Goals are general guidelines that explain what you want to archives in your company. They are usually long-term and express global visions such as “give to the customers a better experience”, “security-first”, “reducing the time to market”, and others;
Objectives define strategies or implementation steps to attain the identified goals. Objectives are specific, measurable, and have a completion date. So, from previous goals examples, we can have these objectives such as “design a new user interface”, “define security policies and controls”.

So, as we have seen, Cloud services objectives are specific and measurable and they must be followed to reach the strategic objectives of the company business. Cloud’s objectives are generally a subset of IT objectives.

Align Cloud services with goals and objectives, and use or adapt them to respond to factors of strategy change, to respond to stakeholders, operational changes.

Factors influencing strategy changes can be internal or external to the business organization. Some can be customer inputs, new technologies, new laws, or internal factors from teams new skills or dissatisfaction. Are we going in a good direction? should we change something?

For example, the company doesn’t want to invest in IT CapEx, it’s not their core business to manage a CED infrastructure, so factors of change can be the need for cost reduction and the availability of newly available technology. So, a simplified example of the alignment can be the following:

Goals
- Take advantage of new technology for cost reduction and management of CED infrastructure.
Strategies
- Migrate all services to a Public Cloud computing environment for taking advantage of the pay for use model.
Strategic objectives
- Organize the migration in two phases. The first objective is to migrate 30% of business services to the public Cloud in the first semester of this year;
- In the second phase, migrate the remaining services by the end of the year.
Operational objectives
- Configure the public cloud infrastructure by February;
- Prepare applications X, Y, Z for migration;
- Execute migration of X, Y, Z applications;
- and more.

What about factors of operational changes? These kinds of factors are generally connected to operational problems, events or anticipated risks. For example, customer users can encounter poor application performance, a security violation like a data breach or a simple down of servers, these are considerating factors of operational change.

We can create a list of problems and risks known to the IT department and for these problems and risks define objectives for resolution and mitigation that satisfy the factors of changes. Of course, not all factors of change can be related to Cloud. Some examples can be the following:

A factor of operational change: the business core application has a performance degrade during office time.

Objectives:
- Change the application architecture for adopting a horizontal scaling model;
- Use CDN for static resources;
- Switch some synchronous operations to asynchronous.

Conclusion

Do not just start some virtual machine or fancy services on the Cloud. It’s ok for the experimentation period, but running business core services without a strategy, in the long run, can hurt in terms of cost and efficiency.

Identify organization goals and strategic objectives, and align Cloud services to them. Technologies must serve the company business and not vice versa.

References

Fulton, Lita. Cloud Governance and Management Made Simple: Practical Step-by-Step Guide for Small and Mid-Sized Organizations

Introduction to Cloud Computing governance

sintetico82 — Sun, 24 Oct 2021 10:00:00 +0000

Every day, more and more new organizations decide to adopt the Cloud Computing paradigm. The adoption of this paradigm imposes some changes in company organizations, introducing new challenges and opportunities.

In this article, I would like to discuss the Cloud computing definition, opportunities and impacts on IT governance. After, we will follow a path that conducts us to build a Cloud computing governance, putting in evidence the principal aspects to consider during the adoption of the Cloud computing paradigm.

Cloud computing

Cloud computing, or Cloud, it’s a paradigm of on-demand services from a provider to a client through the internet web.

This model allows to drastically simplify the management of the IT systems, transforming the physical infrastructure to virtual services available on needed consume.

Today, we can identify these typologies of cloud computing:

Public cloud : claimed and managed by specialized organizations in the cloud. They supply through the internet computing resources. Microsoft Azure, Amazon AWS, Google Cloud Platform, are examples of public cloud;
Private cloud : a private cloud is referring to resources of cloud computing only from one company or association. A private cloud can be site in the company Data Center;
Hybrid cloud : these types o cloud, unify public and private cloud. They allow moving data and workloads from the private and public cloud.

The opportunities of Cloud computing

Cloud computing offers various advantages:

Cost calibration : using service models like IaaS, PaaS and SaaS, the companies can adjust their cost on the resources used (pay for use). Furthermore, you can reduce the compressive cost connected to the physical Data Center location on-premises (rent, power, physical security and others);
Security : the main public Cloud provider offers a very high level of security for their system. They continuous make security updates on their platform (if you use the PaaS or SaaS model), guarantee the physical security of their Data Center, advance technologies for data protection, and usually, are compliant with the most important security standards;
Flexibility : it’s one of the most strong features of the Cloud. The cloud allows you to scale up your resource theoretically infinitely when the resources demand are growing;
Reliability and availability : the cloud enables the possibility to make services with a high level of reliability and business continuity;
Innovation : it makes easy access to modern and innovative technologies to use within your services.

Features of cloud service

To better understand what are the impacts on IT governance, we need to identify which are the features of Cloud computing services. The National Institute of Standards and Technology (NIST) define six different features:

On-demand self-service : a user of services can, independently, carry out the procurement of resources of cloud computing, like example storage space and server time, as needed automatically without requiring human interaction with the service provider;
Broad network access : capabilities are available over the internet, with standard API and with a different client (es smartphone, laptops, etc.);
Resource pooling : services and resources available on the provider, are organized in a multi-tenant model for serving different users, using both virtual than physical resources dynamically allocated to meet the needs of applications. The allocated resources are independent of physical location and users doesn’t have direct control over them but they can specify on a high level the geographical location;
Rapid elasticity : the resources can be elastic provisioned, often also automatically, to ensure high scalability both outward and inward. From the users perspective, the resources look infinite, and it is given to them the opportunity to buy at any time;
Measured service : a Cloud system, automatic monitoring and optimizing resources to use based on the type of service (es. Storage, compute, network bandwidth). Used resources can be monitored, controlled and connected ensuring transparency between users and providers.

Impact on the IT governance

Now that we know the features of cloud computing, what is the impact on IT governance? These features introduce some consideration about traditional service administration and management on-premises.

On-demand self-service

The organization can accelerate the application deployment process.
The easy access to the demand for new resources involves more control over cost budget, management and tracking of their use.
The hardware lifecycle it demanded to the cloud service provider.

Broad network access

Authentication and authorization impact.
IAM management and integration with organization authorization.
Communication between the cloud service provider and IT member of the organization.
Operational Level Agreements (OLAs)

Resource pooling

Security.
Legal aspect to be compliant with local law.

Rapid elasticity

With the easy and virtual infinity possibility of resource demand, great attention is putting on cost budget.

Measured service

Service Level Agreements (SLAs)
Management billing of the consumed services.

Moreover, the level of the impact depends also on the Cloud model that is adopted like Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS).

Conclusion

As we have seen, the introduction of cloud computing into the organization has an impact on roles, responsibilities, processes and measures. Without appropriate governance that provides guidelines for risks mitigation, delivering efficient services, the organizations can be in trouble and fail to achieve cost-saving and a good service offering level. The Cloud governance should operate and be integrated with the actual organization IT governance, extending this one with its characteristics.

Now that we know what are the impacts on IT governance, we can try to understand how to build a Cloud computing governance. We will see how in the next articles.

References

ISO/IEC 17788:2014: Information Technology – Cloud Computing – Overview and Vocabulary; (www.iso.org/iso/catalogue_detail?csnumber=605455)
ISO/IEC 17789:2014: Information Technology – Cloud Computing – Reference Architecture; (www.iso.org/iso/catalogue_detail?csnumber=60545)
National Institute of Standards and Technology (Special Publication 500‐291)

Principles of Cloud Computing governance

sintetico82 — Fri, 22 Oct 2021 22:00:00 +0000

From a high level, the governance goal is to ensure that we are doing the right things in the right way. The questions we are trying to ask are the following:

Are we doing the right thing?
Are we doing it in the right way?
How we can understand it?

Cloud computing governance it’s a comprehensive view of IT governance focused on responsibility, the definitions of the right decision and the balance between benefit/value. Risk and resources inside a Cloud ecosystem. The governance helps us to ensure that every expense relative to the Cloud are aligned with business objectives, it promotes data integrity, foster technology innovation and mitigate the risk of data loss or not compliance.

We can say that Cloud governance it’s an extension of IT governance, something we need to integrate into the existing one inside the organization and not replace.

We need to distingue between governance and management because sometimes we can confuse them. Governance defines the strategic direction and establishes an enabling system inside the organization. Management, use the governance enabling system to put in place the strategic direction of the governance.

Principles of IT governance, the bases for the Cloud governance

Every governance starts from principles. Also for cloud governance is necessary to define adequate principles. One good start point is from the ISO/IEC standard 38500 (Information technology — Governance of IT for the organization); it shows six principles:

Responsibility: the responsibility of the use of the IT system, should be assigned clearly to individuals o groups;
Strategy: the organization business strategy, from a high level, should consider and define the IT direction, given the base for a correct alignment of activities with the organization need;
Acquisition: the decisions to invest and get IT assets should be taken considering valid reasons and success factors. These factors are not only for managing the ongoing business but they should consider future changes and challenges;
Performance: the IT service demand and capacity both for day by day operation than for new system development should be balanced for ensuring a good level of performance;
Conformance: all the policies and practices, internal or external, relative to the IT use must be formally identified, defined, clearly communicated, implemented and enforced;
Human behaviour: people inside the process, IT policies, practices and decisions, must be always respected.

Nowadays, there are many IT governance frameworks, among which the most important are:

TOGAF 9.1: it’s an Open Group standard. The framework provides guidelines of governance for enterprise architecture;
COBIT 5: it’s a framework for IT governance;
ITIL v3: it defines guidelines for governance of services management. It’s very important for cloud computing governance;
The Open Group SOA Governance Framework: it provides guidelines of governance for service-oriented architecture.

Cloud computing governance is intended as a subset of IT governance and Enterprise Architecture governance. It contains all the unique features that are essential for Cloud governance.

Principles of cloud governance

The principles drive the design of the Cloud governance and define the behaviour. The principles, give a thread and a common theme for the decision relative to Cloud, providing a compass to the accountable people of all levels of the organization. Standard ISO 38500 Corporate Governance of Information Technology, as we have seen, defines six fundamental principles: responsibility, strategy, acquisition, performance, conformance, human behaviour. These principles are the best practices internationally recognized and they should be the constituent basis during the compilation of specific cloud governance principles for each company. Criteria for building efficient principles can be different for each organization because each organization can be very different, but there are principles that every organization that use Cloud services should strongly keep in mind: compliance with policies and standard, business goals must guide the Cloud strategy, contracts between the participating entities of the Cloud ecosystem, adopt well-defined change management processes, application of monitoring processes to achieve continuous improvement.

Compliance with policies and standard

Cloud standards should be open, consistent and complementary to the main sector standard and adopted from the big company. The Cloud ecosystem has a broad range of services partners and suppliers. If you look at https://landscape.cncf.io you can have an idea of the vast range. The compliance to standards and policies ensure a consistent approach, integrated and complete in the ecosystem for preventing, mitigate and dealing with a specific risk of cloud solutions (including security, business continuity, etc…). Using open standard give a great benefit in term of interoperability, often a fundamental need in a Cloud environment. This also allows to don’t lock with one single provider but they give the freedom to migrate or combine different providers.

Business goals must guide the Cloud strategy

Cloud strategy should be integrated with organization and global IT strategy. Cloud enable a broad range of features to grow a company in an agile, flexible and cheap way. Thus, both business and IT objectives should drive the cloud transformation and be part of one global strategy.

Contracts between the participating entities of the Cloud ecosystem

A clear ruleset of policies and agreements that define the interaction between the stakeholders is essential for guaranteeing a healthy coexistence in the Cloud ecosystem.

The cloud ecosystem includes both external that internal stakeholders of the organization. Contracts provide clarity, responsibility, authority among stakeholders. So, it’s essential to have a work agreement among them. Fundamental is the service level agreement (SLA) for efficient use of the Cloud, especially for the high financial or another kind of impact and for this reason, should be formally declared.

Adopt well-defined change management processes

Change should be practised and applied consistently and standardized on all components of the company’s cloud ecosystem.

A Cloud ecosystem is composed of a vast component‘s network interconnected in which a single change to one of them can have an impact on all systems. This type of ecosystem needs a coherent operation model to better adapt to a different perspective. The lack of a well-defined change management process can compromise the end-to-end interoperability of the cloud ecosystem because of interruption derivated from unwanted change.

Application of monitoring processes to achieve continuous improvement

The cloud governance process must monitor events and key factors that can be determined by continuous improvement. Companies are always changing because of the market demand and by the evolution of company targets. Therefore, the Cloud computing process will always need continuous change for aligning to them.

Conclusion

Principles are fundamentals for all kinds of governance, not only for the Cloud. Principles can be different from company to company, and it’s fine, but the lack of any principles it’s not.

References

ISO/IEC 17788:2014: Information Technology – Cloud Computing – Overview and Vocabulary; (www.iso.org/iso/catalogue_detail?csnumber=605455)
ISO/IEC 17789:2014: Information Technology – Cloud Computing – Reference Architecture; (www.iso.org/iso/catalogue_detail?csnumber=60545)
National Institute of Standards and Technology (Special Publication 500‐291)
The Open Group (http://www.opengroup.org)
Fulton, Lita. Cloud Governance and Management Made Simple: Practical Step-by-Step Guide for Small and Mid-Sized Organizations