Wavestone US

This article is part 2 of a new series on cloud computing.

Governance is a must, not an option

When moving to a cloud environment, whether you manage your own cloud environment or use a cloud-service provider, there should be no difference in how you manage your existing SLAs and the systems that support them. If anything, you should expect more from a cloud-service provider than what you may already have implemented in-house.

For example, imagine you have applied discipline to what was once a loose management process consisting of one meeting a year, which usually resulted in priorities shifting based on squeaky wheels. You now run quarterly cross-functional meetings to review requirements and are holding to the priorities. In accordance with this, you are establishing a project management office (PMO). Your intent is to make the PMO not overly burdensome. Is the PMO standing on its own to help execute the individual projects on a transaction-by-transaction or squeaky-wheel basis? Is the portfolio aligned to the business strategy? Who in the organization is ensuring the “right” technology and architecture for what the business needs? A solid PMO is a good part of the puzzle and is needed for project (and larger program-level) governance and execution, but without a mature enterprise-architecture function in the organization, are they the right projects? Is anyone ensuring the organization is making the right technology choices to meet the business drivers and requirements, while ensuring technical risk is mitigated and stability is maintained or improved?

As part of this scenario, imagine you have many large-scale infrastructure transformation initiatives planned and some are in flight, so having a PMO to govern and manage them is a good thing. You have a roadmap to transform your infrastructure with a “rolling thunder” approach that will take at least three years and cost about $30 million. Your CFO and board are already aware and support it (even though your board may not know what the core technology is, and how it will solve the most pressing issues for the business and by when).

The strategic steps you have in mind include assessing the current state, developing the future vision (leveraging cloud and new technologies), developing the roadmap to achieve the vision, and executing. Today you are in the process of assessing your infrastructure, as a starting point. In developing your future vision you have a number of items that are known considerations, in-flight initiatives, and challenges you are facing – your enterprise requirements. They include the following hypothetical activities:

  • June 2016 is a milestone month. Your Enterprise Microsoft contract is up for renewal.
  • You plan to upgrade to JDE EnterpriseOne (your options in this regard are limited).
  • As has been planned, your JDEOne ERP implementation is likely to start.
  • As you look at renewal options you are considering migrating to Microsoft Office 365, potentially reducing costs and administrative burden. This analysis should also consider integrating other Microsoft capabilities: SharePoint for collaboration, Dynamics as a potential alternative to JDEOne, and, as your B2B model and business grow, a CRM solution (which Dynamics also provides) versus what you may have in house today.
  • Another potential integrated solution to investigate is Microsoft Azure. You may be able to further reduce application licensing and administrative burden, and reduce risks by going with a hosted Microsoft cloud offering through Azure.
  • Then you start thinking. Today about 50 enterprise applications are generally on-prem. Should they be moved to a co-lo or the cloud? One benefit of moving away from on-prem is that it frees resources to focus on core activities. But which applications and workloads should be moved, and which can be? What are the risks?
  • Given the intended moves to Microsoft and the JDE ERP installation, you should be able to consolidate applications, which will reduce resource requirements.
  • You are a VMware shop and your IT staff is very comfortable with this. There is no issue here and no compelling reason to change it.
  • Then, as you get further into the analysis, you realize that moving applications into the cloud has network implications that need to be considered. Have you planned for this?
  • You also have apps that hold core systems of record in your datacenter on legacy systems (e.g., AS/400) that may not be the best candidates to re-platform (for interoperability reasons) or to move off-premises (due to data-privacy concerns).
  • You’ve given a large portion of the responsibility for addressing and solving the above challenges to your IT operations manager, who must also keep maintaining, running, and operating IT to meet your existing daily demands.
  • You have heard (rightly or wrongly) that the cloud can be your saving grace to solve these challenges.
  • Your expectations for taking advantage of the cloud for the future minimally include lower HW investment, lower staffing requirements, and more flexibility and scale.

To further complicate the above, you may now also have existing applications or systems that are undergoing or in need of overhaul because they are not yet ready to meet new regulatory mandates. Your data may be at risk of exposure or not properly protected.

The above is a typical example of what all organizations are facing today. The challenges and obstacles are oriented on people, process, and technology. Introducing what can be perceived as disruptive technology can create additional obstructions for the business and your IT staff.

Before moving workloads to a vendor-hosted cloud, you need evidence that the vendor is already meeting regulatory standards (e.g., HIPAA, PCI-DSS, FedRAMP, FISMA) for organizations similar to yours.

As data proliferates, the standards that deal specifically with governance and management of data and information security continue to improve, including in how they address the identification of risks and the implementation of security controls to address those risks. The ISO/IEC 27000-series is the most widely recognized and applied set of standards relating to the security of ICT systems.

The core standards are 27001 and 27002, with 27001 containing the requirements related to an information security management system, and 27002 describing a series of controls that address specific aspects of the information-security management system.

ISO 27001 is an advisory standard that is meant to be interpreted and applied to all types and sizes of organizations, according to the particular information security risks they face. In practice, this flexibility gives users a lot of latitude to adopt the detailed information-security controls that make sense to them, but can make compliance testing more complex than some other formal certification schemes.

ISO 27002 is a collection of security controls (often referred to as best practices) that are used as a security standard. Assuming that the design and/or operation of a cloud service provider’s information security management systems are consistent with the standard (e.g., there are no notable gaps) it can be asserted that their environment is compliant with the standard.

The 27001 and 27002 standards apply generally to the operation of ICT systems. ISO 27017 and ISO 27018 are two new standards under development that describe the application of 27002 to cloud computing. ISO 27017 deals with the application of the ISO 27002 specification to the use of cloud services and to the provision of cloud services. ISO 27018 deals with the application of 27002 to the handling of personally identifiable information (PII) in cloud computing, sometimes described as dealing with privacy in cloud computing.

At a minimum, cloud-service customers are advised to look for providers that conform to the ISO 27002 standard for information systems security. This is not necessarily specific to cloud computing, but the principles can still be usefully applied to the provision of cloud services (i.e., as a measure of maturity and as a necessary safeguard of doing “the right things” in an IT organization). A cloud-service provider can assert on its own behalf as to its compliance with a standard, but having an independent, qualified third party certify compliance is a notably stronger form of attestation.

In addition, customers are advised to check whether their cloud-service provider conforms to the ISO 27017 and ISO 27018 standards, since they are specific to cloud computing for information security and for the handling of PII, respectively.

WGroup is your preferred and chosen advisory partner to ensure that effective governance, risk, and compliance processes exist. If they don’t, we’ll show you how to implement and deploy them. However, this is just the first step. We are here to help you through the analysis of choices and architectural decisions you will need to make, with critical input from your team. We’ll help you adapt the leading and best practices implemented by those who have made this journey.

WGroup’s vision and capabilities align with the Cloud Standards Customer Council’s 10 steps to help your organization ensure success for secure cloud computing.

  1. Ensure effective governance, risk, and compliance processes exist.
  2. Audit operational and business processes.
  3. Manage people, roles and identities.
  4. Ensure proper protection of data and information.
  5. Enforce privacy policies.
  6. Assess the security provisions for cloud applications.
  7. Ensure cloud networks and connections are secure.
  8. Evaluate security controls on physical infrastructure and facilities.
  9. Manage security terms in the cloud SLA.
  10. Understand the security requirements of the exit process.

Taking a holistic approach to your challenges and in-flight initiatives, WGroup develops a strategy with you and your team. We meet your most pressing needs, but also align these to next steps in meeting your business strategy. In the most cost-effective and safest approach possible, we bring higher standards to your organization through service-provider capabilities and management.


Are you looking for expert assistance in driving your cloud strategy to higher levels? WGroup’s cloud strategy consulting services could be exactly what you need.
