Cloud Computing Governance Framework – Cloud Computing Governance Principles

 

Cloud computing governance shall be based upon the principles listed below. They apply across the cloud lifecycle from cradle to grave.

Principle 1: Compliance with Policies and Standards

Name

Compliance with Policies and Standards

Statement

Cloud standards should be open, consistent with, and complementary to standards prevalent in the industry and adopted by the enterprise.

Rationale

The cloud ecosystem has a wide spectrum of supply chain partners and service providers. Compliance with standards and policies enables a consistent, integrated, and comprehensive approach across the ecosystem to anticipate, mitigate, and address risks specific to cloud solutions (including security, privacy, business continuity, etc.).

Adherence to standards enables defined principles and enforces discipline across the organization.

Open standards favor interoperability, which is often an underlying requirement for a cloud environment.

Implications

Existing standards within the enterprise must be evaluated before new standards specific to cloud are considered for adoption.

Standards existing within various domains like industry, region, and government must be researched to determine their applicability to the enterprise.

Cloud standards must:

·  Be established and agreed upon at an early stage in the lifecycle

·  Comply with laws, regulations, and external policies regarding the collection, retention, and management of data, with all stakeholders having access to the applicable rules

·  Be specified for all the architectural layers

·  Apply to all the stakeholders within the cloud ecosystem

A viable exception appeal process must be in place to address special circumstances.

A common reference architecture must be in place across all cloud environments to facilitate effective communication across layers.

Principle 2: Business Objectives Must Drive Cloud Strategy

Name

Business Objectives Must Drive Cloud Strategy

Statement

Enterprise cloud strategy should be an integral part of the overall business and IT strategy driven by both the “business of the business” and the “business of IT” objectives for the enterprise.

Rationale

Cloud is an enabler for a wide spectrum of capabilities that can provide a compelling proposition to empower an enterprise in an agile, flexible, and cost-effective manner. Therefore, both business and IT objectives should drive the transformation to the cloud as part of an overall enterprise strategy.

Implications

Both business and IT stakeholders must be involved from the beginning in the decisions that impact the cloud transformation strategy and implementation of specific cloud solutions.

Principle 3: Collaborative Contracts Between Citizens of the Cloud Ecosystem

Name

Collaborative Contracts Between Citizens of the Cloud Ecosystem

Statement

A clear set of rules and agreements that define the interaction between stakeholders is essential for enabling their healthy coexistence within the cloud ecosystem.

Rationale

The cloud ecosystem includes stakeholders both internal and external to the enterprise. Contracts provide clarity for the roles, responsibilities, authority, and accountability that various stakeholders have. Hence, it is essential to have a well-defined working arrangement between these stakeholders.

SLAs are fundamental to successful use of cloud, given the potential for financial or other business impacts, and therefore should be formally stated.

Implications

The governing rules must be clearly specified in a form that supports mutual understanding and agreement, and consistent use and enforcement. Depending on the governance scope that applies, this could be a Memorandum of Understanding (MoU) or SLA that is enforced within the boundary of an enterprise, or a legally binding contract that can be used and enforced across enterprise and government boundaries.

Stakeholders must represent the perspectives of:

·  Key roles like cloud service consumers, brokers, providers, integrators, developers, and auditors

·  Key business functions such as finance, legal, and supply chain

A process for resolution of disputes among cloud service providers must be in place.

Principle 4: Adherence to Change Management Processes

Name

Adherence to Change Management Processes

Statement

Change should be exercised and enforced in a consistent and standardized manner across all the constituents in the cloud ecosystem of an enterprise.

Rationale

A cloud ecosystem is made up of a wide network of inter-related components where a change to one may have a cascading effect on others. Such an ecosystem requires a cohesive operating model to accommodate the varied perspectives.

Lack of a well-defined change management process puts end-to-end interoperability of the cloud ecosystem at risk from disruptions arising from uncoordinated change activities.

Implications

Change includes the initial deployment of the cloud solution as well as its ongoing maintenance and retirement.

A federated change management process needs to be in place to coordinate change-related activities of the stakeholders in the cloud ecosystem.

A robust change management process has a positive impact on quality control and service levels.

Principle 5: Enforcement of Vitality Processes to Achieve Continuous Improvement

Name

Enforcement of Vitality Processes to Achieve Continuous Improvement

Statement

Cloud computing governance processes must dynamically monitor events that trigger continuous improvements.

Rationale

Enterprises are always subject to continuous change driven by fluctuating market demands and evolving business objectives. Cloud computing governance processes in place today are likely to need continuous adjustments to align with these changes.

Implications

Vitality applies to what is being governed as well. Continuous improvement of governance processes is most effective when the areas being governed are adaptable to changing requirements.

Implementation of proactive and reactive measures for improvements must have buy-in and support of executive leadership.

Appropriate infrastructure must be in place to effectively monitor the cloud computing governance processes.