Cloud Computing Governance Framework – Cloud Computing Challenges (Informative)


Cloud computing offers a different paradigm for the IT operations model as well as a business growth vehicle. It transforms the traditional IT roles and has emerged as an important solution, offering enterprises a potentially cost-effective model to meet their computing needs and accomplish business objectives. In a cloud environment, there is a principal-agent relationship: the cloud service consumer is the principal and the cloud service provider is the agent. When operational control is released from the principal and delegated to the agent (e.g., outsourced), a mechanism is required to minimize risks and costs. This shift of expectations and responsibilities presents a challenge that governance can help mitigate. The interests of a cloud service consumer and cloud service provider might initially differ, but they need to be harmonized around core objectives such as reducing cost, supporting multi-tenancy, and security, among many other factors.

As cloud service consumers continue their transitions to cloud computing, key challenges and considerations fall into the following broad categories, which become more prominent with cloud computing when compared to a non-cloud world.

Topology

Cloud computing has led to a shift from isolated dedicated IT scenarios to scenarios that involve far more collaboration and cooperation among an assembled set of components and services, potentially provided by multiple internal and external cloud service providers. That in turn has led to business and IT topologies that may be, and often are, distributed across multiple domains delineated by boundaries including architectural, design, geographical, cross-organizational, corporate, and governmental. As a result, governance aspects of a cloud topology are also more distributed.

This high degree of distribution requires a proactive approach to understand, delegate, and govern the associated authority, responsibility, and accountability. The degree of success with this distribution is directly related to the ability to establish what may be entirely new trusted relationships to support seamless coexistence, integration, and operation of cloud computing across these boundaries. These trusted relationships are essential to establish, maintain, and verify the underlying shared policies and standards required to support seamless operation of on-premise and off-premise enterprise and cloud technology and services.

In some scenarios a cloud service consumer or enterprise may not know the physical location of a server used to store and process its data and applications. Regardless of whether data is in flight or at rest, physical location and transit between locations could potentially have an impact on the ability to meet enterprise policies and requirements, which in turn could be influenced by other spheres of governance including governmental statutes and regulations. Since these policies and requirements could vary from location to location and are established and applied by multiple entities, a critical issue for data governance, and as a result also for cloud governance, is addressing the question of how to ensure at least a minimal but sufficient level of consistency across this dramatically expanding landscape.

In addition to the issues surrounding physical location, cloud scenarios that involve multi-tenancy also raise new data protection issues. Personally Identifiable Information (PII) typically requires imposing limitations on use and accessibility, based on policies, applicable regulations, and laws. Storing information securely and permitting access only by authorized users requires appropriate controls, which can be more challenging when data is stored within a cloud service provider’s infrastructure and not within the direct control of the data-owning organization.

In addition, cloud computing can accelerate the use of mobile/social solutions and big data, with an accompanying explosion in volume, velocity, variety, new data sources and ownership, and the need to ensure data veracity, further increasing the stakes related to the location and governance of computing and data.

Potential differences in the integrity of components offered by cloud service providers increase the challenge of ensuring that the end-to-end integrity and security of a solution is not compromised by weak links. A robust cloud governance framework that integrates and interlocks enterprise policies and standards with cloud service providers is essential to establishing, verifying, and maintaining a viable level of end-to-end consistency, reliability, and security across the distributed cloud ecosystem.

Compliance

Compliance refers to an organization’s responsibility to operate in agreement with established laws, regulations (e.g., HIPAA), standards, and specifications. One of the most common compliance issues facing an organization is the impact of data location on the ability to ensure compliance. Use of an in-house data center physically located within a defined regulatory scope allows an organization to structure its computing environment so that it knows in detail where data is stored and can ensure that appropriate safeguards are used to protect the data in compliance with regulations. In contrast, a characteristic of many cloud computing services is that data may be stored redundantly and may exist in multiple physical locations. Detailed information about the location of an organization’s data is potentially uncertain, could vary over time, or is possibly not even disclosed to the cloud service consumer at all. This situation makes it difficult to ascertain whether sufficient safeguards are in place and whether legal and regulatory compliance requirements are being met, and in some cases even to be sure which of potentially multiple overlapping regulatory requirements take precedence. External audits and security certifications can alleviate this issue to some extent, but they are not a panacea. Very often, a compliance violation results in heavy fines and penalties from the government. Hence, it is important for cloud computing governance to establish proper monitoring processes and procedures to audit and verify compliance.

Contract Management

Cloud services have both functional and non-functional characteristics. Service-Level Agreements (SLAs) between cloud consumers and providers must fully address both. Cloud computing governance must ensure that procedures exist and are consistently used to properly define contracts and SLAs, to verify that a candidate cloud service provider is able to meet the terms of the SLAs before subscribing to its cloud service, to ensure continued compliance over time, and to carry out remediation that corrects out-of-compliance scenarios in a timely and verifiable manner.

Security and privacy are often top non-functional requirements for cloud-based solutions, in large part because cloud topologies distribute data and function across a dispersed, decentralized computing landscape. It is therefore essential that privacy issues are adequately addressed in cloud contracts and SLAs. If that cannot be achieved with a high degree of confidence and certainty, potential cloud service consumers should consider other means of achieving their goals, including seeking a different cloud service provider, or modifying the architecture of a solution to avoid putting sensitive data into an external cloud computing environment that is not directly governed by the cloud service consumer.

Those in an organization who have responsibility for controlling security and access to PII need to raise awareness within their organization of the changes that cloud computing drives. Their responsibilities now expand to include ensuring that cloud service providers adhere to the expected security and privacy policies. Cloud computing governance has an ongoing obligation to make sure that cloud service providers maintain compliance with its policies as expressed in SLAs. This includes ensuring the existence and use of an audit program covering all aspects of SLAs, including security and privacy policies, as well as the existence and use of procedures and methods to carry out corrective actions, and to verify that they take place, in order to maintain compliance with those SLAs.

Organizational Change

Cloud computing can drive organizational change in several areas. New roles and skill requirements are likely to emerge during a transformation to the cloud, and the automation associated with cloud computing could raise questions about whether certain existing roles and resources continue to be necessary. Does an organization have the requisite skills? Are those skills available in the marketplace? Will people in existing roles be able to take on new roles and skills? Are the existing skills still needed for the ongoing sustainment of the solution in the cloud? Can the existing organization structures effectively drive the continued evolution to the cloud across the enterprise? These questions highlight the importance of assessing and addressing the impact of organizational change as a Critical Success Factor (CSF) in a cloud computing transformation.

Governance can mitigate this impact by ensuring that organizational decisions are made within an appropriate framework, fully account for the core principles, and are accompanied by timely, effective communication about these changes.