A Blueprint and Best Practices for Government Cloud Governance

Cloud governance shouldn’t be an afterthought. Indeed, it should be a foundational element of any cloud security strategy. Why? Because the cloud is enormous – it’s software, hardware, developer tools and platforms, and more. All delivered by a host of vendors.

As they transition to the cloud, government agencies need a pervasive governance program to respond to this broad and dynamic landscape. Without it they struggle to control costs, reduce human errors, rein in unnecessary spending, and protect data. The cloud also introduces third-party risk. As the threat surface increases, agencies need a formalized set of controls and processes to manage and mitigate that risk.

The challenge for the government is that cloud governance has traditionally slowed procurement processes and approvals. Agencies need a cloud governance framework that puts guardrails in place for those who use the cloud without impeding speed or other cloud benefits.

To help agencies achieve this, Forrester has outlined best practices around the who, what, where, and how of cloud governance.

The “who” includes internal stakeholders who should be 10-15% dedicated to maintaining a cloud governance process. These include cloud architects, IT security, network operations, compliance officers, IT operations, developers, and DevOps. It’s too much to get into here, but the report explains the reasons why these parties should care about cloud governance.

Next, the “what.” Agencies need to clearly define the scope of cloud governance, meaning define the cloud areas and processes that cloud governance covers. These include cost optimization, budgets, and billing integration; regulatory compliance; cloud migrations and enablement; onboarding, permissions, and access; threat detection and prevention.

The “where” addresses governance models for different cloud technologies and deployment models.
“The best way to kick off a governance practice is to map cloud usage to the four classic variations of cloud technologies and deployment models and build out the added complexity of your usage from there,” explains Forrester. Analysts suggest that agencies start with the following cloud target areas and customize from there: private cloud, IaaS, PaaS, and SaaS.

Finally, the “how.” This is about connecting the dots of the why, what, and where. Forrester recommends that agencies create a RASCI chart to map out their cloud practice to stakeholders to ensure a repeatable process and ensure a higher-efficiency cloud governance regime. They should also automate everything to help with provisioning, secure configuration, and reduce administration overhead. Education is important too. Working smarter and incorporating best practices can help close the gap between provisioning and optimization or provisioning and compliance. It also helps build the relationship between the center of excellence or ops team and business or developer customers.

Agencies should also leverage proactive and reactive approaches to cloud governance. Finally, take advice from peers to achieve best practices in cloud governance.


Related Content: Department of Defense Selects D2iQ for DevSecOps Solutions and Services