Cloud DB System

Unit 13

Cloud Governance

Structure:
13.1 Introduction
    Objectives
13.2 IT Governance
13.3 Deciding the Governor
13.4 Risk Assessment of Running the Cloud
    Understanding the possible risks
    Performance monitoring and measurement
    Measurement methods
13.5 Working of Governance
    Establishment of the governance body
    IT service performance monitoring
    Cataloging control and compliance data
13.6 Summary
13.7 Terminal Questions
13.8 Answers

13.1 Introduction
When an organization or an individual decides to move data to the cloud, how far they can relax depends on the nature of the data being transferred. Mailbox data or archived data can be handed over to the cloud, and the owner is then relieved of the responsibility of managing it. If, however, an organization hands its asset data over to a cloud provider, it remains responsible for maintaining the data's safety and security. In such a sensitive situation, the person or organization taking the cloud service cannot relax from their own responsibility. In other words, make sure that your assets are managed in a way that meets your business objectives. This is where governance comes in. Ultimately, governance is about making good decisions pertaining to performance predictability and requiring accountability.
Regarding cloud governance, an individual will have plenty of questions:
1. How will the other parties follow the same policies and rules as mine?
2. What will happen if another party doesn't know about the policy or doesn't follow the same governance?

Sikkim Manipal University

3. How much trust can an individual place in these policies?

The overall answer to the above questions is that governance is trust.
All parties involved in the cloud (you, the cloud provider, and other service providers) must be able to trust that each party will do what it's supposed to in accordance with established policies and procedures. Think about what would happen without these policies and procedures: the cloud environment might lead only to confusion and disorder.
In this unit we discuss IT governance and the various risks that have to be assessed while running the cloud. We also explore the working of governance, which includes monitoring and measuring performance at regular intervals.

Objectives:
After studying this unit, you should be able to:
- describe the role of IT governance
- explain the factors in deciding the governor
- explain the risk assessment of running the cloud
- explain the performance monitoring and managing of cloud governance

13.2 IT Governance
Governance is all about applying policies relating to using services. It's about defining the organizing principles and rules that determine how an organization should behave. The word governance derives from the Latin word for steering. It is important to have a steering process because it helps to make sure that you stay on the road. Before diving in, take a step back and look at the IT governance process in general, because many of the same principles are relevant to the cloud environment. IT manages a complex infrastructure of hardware, data, storage, and software environments. The data center is designed to use all assets efficiently while guaranteeing a certain service level to the customer. A data center has teams of people responsible for managing everything from the overall facility to workloads, hardware, data, software, and network infrastructure. In addition to the data center itself, your organization may have remote facilities with technology that depends on the data center. IT management has long-established processes for managing and monitoring individual IT components, which is good. IT governance does the following:
- Ensures that IT assets are implemented and used according to agreed-upon policies and procedures.
- Ensures that these assets are appropriately controlled and maintained.
- Ensures that these assets are providing value to the organization.
IT governance, therefore, has to include the techniques and policies that measure and control how systems are managed. However, IT doesn't stand alone in the governance process. In order for governance to be effective, it needs to be holistic. It is as much about organizational issues and how people work together to achieve business goals as it is about any technology. Therefore, the best kind of governance occurs when IT and the business are working together.
Governance defines who is responsible for what and who is allowed to take action to fix whatever needs fixing. Governance also sets down what policies people are responsible for. It puts in place means to determine whether the responsible person or group has, in fact, acted responsibly and done the right thing. A critical part of governance is establishing organizational relationships between business and IT, as well as defining how people will work together across organizational boundaries.
IT governance usually involves establishing a board made up of business and IT representatives. The board creates rules and processes that the organization must follow to ensure that policies are being met. This might include:
- Understanding business issues such as regulatory requirements or funding for development
- Establishing best practices and monitoring these processes
- Responsibility for things like programming standards, proper design, reviewing, certifying, and monitoring applications from a technical perspective, and so on
A simple example of IT governance in action is making sure that IT is meeting its obligations in terms of computing uptime. This uptime obligation is negotiated between the business and IT, based on the criticality of the application to the business.
IT governance is defined as the structure around how organizations align IT strategy with business strategy, ensuring that companies stay on track to achieve their strategies and goals, and implementing good ways to measure IT's performance. The design of the structure needs to make sure that the ideas and interests of all stakeholders are considered. It should also make sure that the processes support measurable output. IT governance is responsible for answering the following important questions for the organization:
- How is the IT department performing and functioning as a whole?
- What are the key metrics that the organization needs to have?
- What return does the business get back at the end of the process?
- What is the proportion of investment to the gain from the process?

Benefits of IT governance

Transparency and Accountability
- There is transparency in IT processes, the IT portfolio and the costs incurred for the process. This accounting covers the various services and projects of IT governance.
- Gives clarity on decision-making accountabilities and establishes the relationship between the service provider and the user.

Return on Investment/Stakeholder Value
- Clear understanding of overall IT costs.
- Ability to focus cost-cutting, together with the ability to justify investment.
- Stakeholders of the system can view IT risks and returns.
- Improved contribution to stakeholder returns.

Opportunities and Partnerships
- Gives insight into processes that might otherwise not get sponsorship and attention, that is, non-priority processes.
- Positioning of IT as a business.
- Enables doing business with other companies.
- Enables more professional and business relationships with various partners, including suppliers and vendors.
- Supports a consistent and strong approach to risk taking.
- Facilitates strategic decisions about IT's participation in the business, which may be reflected in IT strategy and vice versa.
- Ability to face business opportunities and market challenges in a better way.

Performance Improvement
- Gives clarity on whether an IT service or project supports business as usual or is intended to provide future added value.
- Increased transparency will raise the bar for performance, and advertise that the bar should be continuously raised.
- A focus on performance improvement will lead to attainment of best practices.
- Avoids unnecessary expenditures: expenditures are demonstrably matched to business goals.
- Increases the ability to benchmark.

External Compliance
- Supports an integrated approach to meeting external legal and regulatory requirements.

Self Assessment Questions
1. _______________________ is all about applying policies relating to using services.
2. Improved contribution to stakeholder returns is considered one of the benefits of IT governance. State [True/False]
3. __________________ enables an integrated approach to meet external legal and regulatory requirements.

13.3 Deciding the Governor
In cloud governance, the responsibility is shared equally between the cloud providers and the cloud users. It is a little difficult to define governance for an organization, because it requires close attention to understanding the boundaries of the business and then defining a suitable governance strategy. You must consider many factors, ranging from the performance levels of the IT environment's components to the key performance indicators (KPIs), which measure the effectiveness of the business processes of your business.
The organization's strategy should reflect the combined services that are provided by the local data center and by the public and private clouds.
Cloud governance covers both the data centers that are governed by the organization and the cloud services that are not under the organization's control. For example, your organization must monitor performance across all components in a way that reflects the overall impact of all IT performance on the business. You may not have as much insight into the cloud environment, which could create challenges when you need to satisfy governance requirements. Here are two examples of how governance may become more complicated when you add cloud services to your IT environment.

First scenario
The organization may move some of its storage and processing to the cloud platform, expecting processing times similar to those it achieved in its earlier local data center. It will now depend on virtualized servers supported by the cloud vendor, and users may not have a good understanding of where and how the processing is happening.
The following points need to be taken care of from the perspective of cloud governance:
- Is it possible to expect the same availability policy from the cloud provider?
- Does the cloud provider have a monitoring mechanism that allows the user to verify that the expected target is being achieved?
- Your cloud provider may be meeting predefined service levels, but will the provider communicate this information to you?

Second scenario
In this scenario, the consumer wants to create a new application on the cloud platform. This may require a set of supporting services from the vendor, and the user may decide to develop the application environment around that same set of services. The following challenging issues need to be addressed:
- Does your cloud provider have a service registry or catalog that enables you to have good visibility into the management and availability of services?
- Will the service catalog have the set of services that you require?
- Will all the services in the catalog be readily available whenever they are required?
- Does your cloud provider have a policy for enforcing that the service you want is maintained and available in the service catalog?

Self Assessment Questions
4. Cloud governance is a shared responsibility between ______________ and the _______________.
5. KPI stands for ________________________.

13.4 Risk Assessment of Running the Cloud
IT governance is structured to cover business policies and goals. It also makes sure that all services are available at an optimized level that satisfies the customer. As discussed earlier, governance is created by keeping business goals and IT aspects together. We also think it is important for you to look at cloud governance from a holistic business perspective.
Any organizational governance strategy needs to be supported in two key ways:
- Understanding the compliance and risk measures the business must follow: What does your business require to meet IT, corporate, industry, and government requirements? For example, can your business share data across country lines? These requirements would need to be supported through technical controls, automation, and strict governance of processes, data, and workflows.
- Understanding the performance goals of the business: You may measure your business performance in terms of sales revenue, profitability, stock price, quality of product or service provided, and time to delivery. Your cloud provider must be able to support service delivery to optimize business performance.

13.4.1 Understanding the possible risks
Every organization will have a set of governance principles based on its environment and on regulatory recommendations. This governance also reflects its view of risk. There are different levels of risk. For example, in certain companies, information cannot be shared across international boundaries. In financial services, certain data practices need to be followed.
In software development, there are risks associated with getting the product out in the market on time. The healthcare industry has patient privacy concerns. For example, suppose you have a corporate policy that states that no data from a credit card system can be used by the company's marketing analysis systems. If the CIO later discovers that this information has been used by the system, the business is put at risk and IT governance has failed. Others besides the CIO needed to know that this information was not to be used by marketing because of privacy concerns.

Realizing IT risk
As we know, the IT environment now deals with heterogeneous groups of services. It therefore faces a greater amount of risk and struggles to work on multiple tasks. These tasks include:
- Satisfying customer expectations
- Recognizing resource constraints
- Optimizing business goals
- Adhering to requirements and rules
When you merge your system with a cloud platform service, the system faces further complications, since the cloud is yet another resource that IT needs to manage. This shows that the governing body should take responsibility for monitoring the provider relationship. Of course, the level of involvement and risk around governance might vary with how your organization is using the cloud. For example, the cloud can be used in the following ways, each of which you must evaluate separately to determine the level of governance that your company feels comfortable with:
- For temporary computing power
- As a SaaS model
- As a platform to build a service

Risk list
Consider these risks as you move into the cloud:
- Audit and compliance risks, including issues that arise around data access control, data jurisdiction, and maintaining an audit trail.
- Security risks, focusing mainly on the confidentiality, integrity and privacy of data.

- Information risks, which pertain to maintaining the protection of sensitive and intellectual property.
- Performance and availability risks, including the availability and performance levels that your business requires for successful operation. This includes alerts, notifications, and provider business continuity plans.
- Interoperability risks, which are associated with developing a service that might be composed of multiple services. Will the infrastructure continue supporting your service? What if one of the services that you're using changes? What policies are in place to ensure that you'll be notified of a change?
- Contract risks, which are associated with not reading between the lines of your contract. For example, who owns your data in the cloud? If the service goes down, how will you be compensated? What happens if the provider goes out of business?
- Billing risks, which are associated with ensuring that you're billed correctly and only for the resources you consume.

Recall the statement made in the introductory part of this unit: governance is all about trust. Here the customer needs to trust the cloud provider as well as the vendors and other providers that he is dealing with. As yet, there are no standards or laws for cloud computing technology. The importance of managing risk can't be emphasized enough: unlike internal IT governance, where all parties work for the same legal entity, the cloud relationship is with an external provider, and governance agreements need to be contractually stated.

13.4.2 Performance monitoring and measurement
A tool for measuring performance plays a very important and vital role in any organization. It helps to measure process effectiveness and provides information about how effectively the process activities and their outputs contribute to the organization's goal. This measurement also indicates the efficiency of the people working on the process and their roles in specific tasks. The performance report gives insight into the organization's work pattern, such as strategic decisions made from the top down to lower levels, end-process results reported from the lower levels upward, and the overall control and monitoring mechanism in the organization.
With a consistent and effective monitoring mechanism, it is possible to implement policies and achieve goals, and thus improve the overall status of the organization.
An effective IT performance measurement system should help us to:
- Focus attention on users in order to improve their satisfaction
- Provide preventive mechanisms that protect the process from anticipated problems
- Understand how to reduce costs
- Encourage and facilitate change by obtaining facts about the current state, the desired state and the gap that needs to be met
- Set realistic benchmarks for comparison

13.4.3 Measurement methods
Generally, an organization's performance can be measured by comparing its sales, production, stock price and customer satisfaction with its objectives or goals. IT performance can be measured by comparing server, application, service resolution time, network uptime, budget allotted and project completion date with the organization's goals. These and other measures help an organization to estimate its own performance and grade itself against the organizations that are considered its competitors in the market. Based on the output of these analyses, the organization can be ranked in terms of user, customer, partner, vendor and shareholder satisfaction.
In cloud computing, you need to measure the impact of IT performance on the business that, by definition, now includes the performance of the cloud provider. Of course, your own internal governance committee needs to answer the following questions to get started:
- How do the organization's IT performance measures support the business?
- Which parameters should be measured and monitored to confirm the success of IT governance?
- What is the response time for customers' requests?
- Is transaction data safe from unauthorized access?
- Will the organization acquire the right information at the right time?

- Can IT demonstrate to business management that your organization can recover from anticipated outages without damaging customer loyalty?
- Can your company monitor systems proactively so you can make repairs before faulty services affect rules and regulations?
- Can you justify that your IT investments are effective?

Self Assessment Questions
6. Name the key ways in which a governance strategy needs to be supported.
7. Each industry has a set of governance principles based on its _________________ and ___________________ and its view of risk.

13.5 Working of Governance
It is believed that effective cloud management can be achieved partly through people and processes, and partly through technology. It's really a three-part solution.
Every organization should have a governance body to handle the issues that may arise on the cloud platform. It can retain a body that already exists if the management wishes. This body should consist of members who are involved in the business and who have insight into the organization's objectives. Its members need to be trained to handle the expected and unexpected problems that the business may encounter on this platform. The main objective of this body is to develop best practices for managing the cloud environment effectively.
On the other hand, the cloud also needs a governance body to deal with the standardization of services and other issues that may arise in the infrastructure.

The cloud provider should have a governance body that takes care of infrastructure issues that may arise from the sharing of resources, as well as the standardization of services. On the organization's side there should be an interface to connect with this group. The level of involvement needs to be balanced on both sides to maintain the standards.

The organization should also have strong technological support for monitoring the performance of the cloud provider's service.

13.5.1 Establishment of the governance body
You need your own group of people who understand your business to deal with the business of the cloud. The board of governance consists of people from the concerned departments, corporate, industry experts and IT management, to help encourage the kind of communication necessary to link IT management and the business. The board will also have other subgroups that support the various aspects and activities of the body. For example, it might create a group that needs to understand cloud standards, or it may leverage an IT security group. Of course, an important part of this governance structure will be a group of individuals who actually deal with the cloud providers to negotiate terms and conditions and to be the point group for managing the cloud provider(s). This governing body should be ongoing, with authority across the enterprise and with a mechanism for communicating business objectives and changes to IT management. Ideally, it will have executive-level endorsement to make its job easier.

13.5.2 IT service performance monitoring
Apart from regularly monitoring the services of its cloud providers, an organization also needs to know what the cloud providers are doing. This monitoring mechanism helps it decide whether to invest more in cloud operations. Most companies use a dashboard as the interface for communicating their services across the organization, and use the same dashboard as a monitoring tool to measure whether the organization is working towards its goal. This dashboard also needs to include information from the cloud. Quite a few emerging vendors provide tools that enable companies to monitor their cloud providers. Monitoring can help answer questions like these:
- What are we aiming for?
- What are our KPIs?
- How are we performing according to our established KPIs?
- How does our performance compare with last week's or last year's?
- Are rules and processes implemented correctly?
- Does each service meet technical standards?

13.5.3 Cataloging control and compliance data
Many organizations use a service catalog as a record of IT services. This should be extended to the cloud. The catalog can include information such as:
- Whom to contact about a service
- Who has authority to change the service
- Which critical applications are related to the service
- Outages or other incidents related to the service
- Information about the relationships among services
- Documentation of all agreements between IT and the customer/service user

Self Assessment Questions
8. Many organizations use a ________________ as a record of IT services.
9. The cloud needs governance bodies that deal with standardization of services and other shared infrastructure issues. State [True/False].

13.6 Summary
- Instead of viewing cloud computing as risky, it can be seen as an important reminder of the need for IT to create a strong, customer-relationship-focused organization.
- IT governance is about applying policies relating to using services. It's about defining the organizing principles and rules that determine how an organization should behave.
- Cloud governance is a shared responsibility between the user of cloud services and the cloud provider.
- Your governance strategy needs to be supported in two key ways: understanding compliance and risks, and understanding performance towards the goals of the business.
- Effective cloud management can be achieved partly through people and processes, and partly through technology.
- In addition to interacting with your cloud providers, you must also monitor what these cloud providers are doing on a regular basis.

13.7 Terminal Questions
1. Explain the role of IT governance.
2. Explain the benefits of IT governance.
3. Discuss the concept of deciding the governor.
4. Discuss the risk assessment of running the cloud.
5. Explain the concept involved in effective cloud management.

13.8 Answers
Self Assessment Questions
1. Governance
2. True
3. External compliance
4. user of cloud services and cloud provider
5. Key Performance Indicators.
6. Understanding the compliance, Understanding the performance goals
7. regulatory and competitive environment
8. service catalog
9. True
Terminal Questions
1. The word governance derives from the Latin word for steering. It is important to have a steering process. For more details, refer to section 13.2.
2. Transparency, accountability, return on investment and stockholder value, opportunities etc. are a few of the benefits of IT governance. For more details, refer to section 13.2.
3. Cloud governance is a shared responsibility between the user of cloud services and the cloud provider. For more details, refer to section 13.3.
4. IT and business goals are tightly coupled in a governance strategy; it is also important for you to look at cloud governance from a holistic business. For more details, refer to section 13.4.
5. It is believed that effective cloud management can be achieved partly through people and processes, and partly through technology. For more details, refer to section 13.5.
