Your cloud usage continues to grow. The types of workloads you’re migrating are trending increasingly mission-critical. Your cloud governance program must match this new reality. For this reason, along with new and developing industry regulations, growing sovereignty requirements, and a plethora of breaches/vulnerabilities, companies are revisiting or standing up cloud governance programs that have not existed in long-standing cloud programs.

The motivation for cloud governance is obvious. Implementation is much more difficult. Part of the issue: There are many paths to cloud governance. Some are just cost, basic access security, and DevOps. Other paths tie in broader operations, data management, change management, and collaboration. Even the cloud providers themselves vastly differ in scope when it comes to governance framework recommendations. Like with any enterprise process, it’s important to start with the definition. Since starting this coverage, I’ve reviewed over 100 governance strategies from enterprises across the globe. Across these companies, definitions vary widely. Since it is one of the top topics of 2024, I’ve spent the beginning of this year revamping our own cloud governance coverage — starting with the definition.

Forrester defines cloud governance as:

A set of rules, policies, and processes (implementation, enablement, and maintenance) that guides an organization’s cloud operations without breaching the parameters of risk tolerance or compliance obligations.

We developed research that manifested into three reports: Build Your Cloud Governance Framework, Assess Your Cloud Governance Maturity, and one written with my colleague Andras Cser, The Forrester Guide To Cloud Governance. In this work, the scope of cloud governance is:

    • Security: a security baseline, security toolchain options, classification of data schema, risk assessment and planning, and security policies and triggers
    • Cost: maximizing the value of cloud investments, forecasting cloud spend, leveraging automation for billing, reporting on cost and cost reduction, and enforcing cost policies
    • Identity baseline: identity authentication protocol, user/role-based permissions, designation of access groups, collaboration restrictions, identity program audits, and log activity audits
    • Resource configuration: syncing with corporate CMDB, reusable templates and blueprints, and creation and maintenance of landing zones
    • Automated DevOps governance: automated workflows (deployment and updates to infra, configs, libraries, secrets, keys, and certificates), CI/CD pipelines, and enforcing governance for build, test, release, and deployment

No matter your approach, a few truths remain:

    • Cost and security exist for almost every definition.
    • Guardrails are the goal and must walk the delicate balancing act between minimally inhibiting productivity and standardizing governance principles across functions — leaders in the DevOps world call this wide boulevards and high curbs.
    • The tired adage of alignment and exec support is still true and absolutely crucial.

If you have questions or want direction on how to set up or upgrade your cloud governance program, set up an inquiry or guidance session with me.