Cloud Computing Governance Framework – Introduction
Note: This Snapshot is intended to make public the direction and thinking about the path we are taking in the development of a framework for cloud computing governance. We invite your feedback and guidance. To provide feedback on this Snapshot, please send comments by email to email@example.com no later than December 31, 2017.
Enterprises adopting the cloud computing paradigm have to deal with opportunities and risks associated with transformative change in their operating models. A framework for effective governance is critical to ensure successful transformation and to gain better managerial control over continued operations.
Understanding key cloud computing challenges and considerations helps to explain the urgent need to apply governance during the transformation to the use of cloud computing.
The Cloud Computing Governance Framework provides a consistent set of guidelines as related to the cloud paradigm across all of the applicable business and IT areas in the extended enterprise.
This Snapshot documents a proposal for a standard Cloud Computing Governance Framework.
Today, cloud computing is driving change at several levels. At the most foundational level, cloud computing holds out the promise of more cost-effective provisioning of IT infrastructure. That is a generally expected characteristic of most, if not all, cloud computing solutions. Taking advantage of this aspect of cloud computing leads to technical, organizational, and procedural changes, and the need to be sure change leads to expected results and benefits.
In some cases, change is needed to steer an enterprise in a direction already chosen. In other cases, change is needed to choose a different direction. In either case, governance helps an enterprise make sure it is actually delivering on the intent.
As more sophisticated cloud services are envisioned and offered, additional stakeholders, expectations, and measures of success come into play. Flexibility, agility, and business competitiveness emerge as co-equal or even more compelling alongside IT economics as a rationale to adopt cloud computing. As change becomes evident more broadly across an enterprise, the range of potential risk and reward can also increase and, once again, we have the question about how to be sure change leads to expected results and benefits.
The rapid adoption of virtualization and cloud computing has altered standard IT development and operations across the data center and server landscape, and has challenged some of the non-functional requirements, such as security, compliance, metering, and the chargeback model, in a manner that is not keeping pace with the complexity.
The traditional non-cloud computing governance frameworks (e.g., ITIL® v3, COBIT® 5, the TOGAF® 9.1 standard, and the SOA Governance Framework) are general and do not provide governance around systems that support cloud characteristics (e.g., elasticity). They also do not sufficiently take into account the fact that, with cloud computing, the question of division of responsibilities between user and supplier of IT services becomes completely different and very important. Cloud makes it possible to be anywhere on the scale between WHAT and HOW regarding both functionality and infrastructure. An infrastructure may be defined by the user on the basis of a script, executed by the cloud service provider. Applications may be selected by the user or pre-provided by the cloud service provider. Various levels of control may be combined in one IT landscape. This type of variability is not sufficiently supported by current frameworks and languages. There are multiple governance frameworks in existence today that address overlapping domains, some of them more geared towards IT than others. This Snapshot recognizes their differences and importance, and is holistic and vendor-neutral.
The challenges triggered by the cloud computing paradigm include the following.
- Shift from CapEx to OpEx investment models
- Need for additional management controls to address anticipated changes in delivery model(s)
- New business and IT roles required to manage risk
- Transparent consumer-provider interactions
- Gaps in coverage of architectural and technology decisions
- Inadequate support for making decisions around multi-tenancy and resource virtualization
The Cloud Computing Governance Framework defines the overarching governance processes, structures, and guidelines across all the phases of cloud-based solutions from the perspectives of key stakeholders such as the consumer, provider, and developer.
Businesses often embark on cloud initiatives without being properly prepared for the complexity. The success rate of cloud projects is significantly impacted if governance processes do not directly address cloud characteristics. The Open Group Cloud Computing Governance Framework recognizes the shift to business-led IT strategies. It allows enterprises to maintain control over an increasingly complex and integrated cloud ecosystem of service providers and solutions across the extended enterprise.
This is a Snapshot, not an approved standard. Do not specify or claim conformance to it.
The following standards contain provisions which, through references in this Snapshot, constitute provisions of the Cloud Computing Governance Framework. At the time of publication, the editions indicated were valid. All standards are subject to revision, and parties to agreements based on this Snapshot are encouraged to investigate the possibility of applying the most recent editions of the standards listed below. Members of IEC and ISO maintain registers of currently valid International Standards.
- ISO/IEC 17788:2014: Information Technology – Cloud Computing – Overview and Vocabulary; refer to: www.iso.org/iso/catalogue_detail?csnumber=605455.
- ISO/IEC 17789:2014: Information Technology – Cloud Computing – Reference Architecture; refer to: www.iso.org/iso/catalogue_detail?csnumber=60545.
For the purposes of this Snapshot, the following terminology definitions apply:
| Term | Meaning |
|---|---|
| Can | Describes a possible feature or behavior available to the user or application. |
| May | Describes a feature or behavior that is optional. To avoid ambiguity, the opposite of “may” is expressed as “need not”, instead of “may not”. |
| Shall | Describes a feature or behavior that is a requirement. To avoid ambiguity, do not use “must” as an alternative to “shall”. |
| Shall not | Describes a feature or behavior that is an absolute prohibition. |
| Should | Describes a feature or behavior that is recommended but not required. |
| Will | Same meaning as “shall”; “shall” is the preferred term. |
No specific areas for change or development are identified at this time.