Cloud Governance Best Practices & How “Legacy Governance” Hurts


The cloud can provide your organization with substantial benefits — if you adopt an effective cloud governance model. Businesses established before the cloud era (or those that took their IT governance cues from that time) struggle the most with the square-peg-round-hole problem that attempting to use a legacy model with cloud creates.

It’s true that businesses have historically benefited from centralized IT control and decision-making. That governance model helped to ensure that IT investments aligned with strategic goals. It also usually saved money. Companies could negotiate discounts for buying in bulk, standardize hardware solutions across their organizations to save maintenance and service costs and make vendor management easier.


The controls that legacy IT governance established, although slow by cloud-era standards, were also often the quickest way to get things done. When teams needed new infrastructure, everyone understood the drill, and the benefits they’d receive from the new system far outweighed the time and patience required to purchase and implement it. It was just another cost of doing business.

Purchasing Cloud Should Be Purchasing Agility

Cloud computing, however, shook things up. It ushered in new ways to pay for and deploy infrastructure, services, and applications. Engineers no longer have to wait until the CIO finds the budget for new infrastructure and schedules time and resources to implement it. Cloud empowers organizations to add solutions and services for a monthly subscription with just a few clicks. Whether the end game is scaling, enabling innovation, or getting products to market faster, the cloud provides the agility you need.

A governance model that doesn’t take the nature of the cloud into account, maybe one that tries to hang onto legacy IT governance policies and principles, can stand in the way of those benefits, doing more harm than good. Filtering all IT decisions through an executive can bottleneck requests, tie engineers’ hands, and hinder progress. The wrong cloud governance model can even minimize ROI – your cloud investment was supposed to be an investment in agility. With legacy IT governance policies, your organization may be no more agile than when you used on-premises infrastructure and solutions.

A legacy IT governance model could also contribute to a restrictive atmosphere, one that limits engineers’ ability to take ownership of their projects and has them questioning whether leadership trusts them to make smart decisions.

Cloud Governance, Though, Is Still Necessary

Although cloud governance requires a different approach than legacy IT governance, it doesn’t mean it’s not necessary. There are three crucial reasons you need to ensure cloud use in your organization is controlled:

  • Cloud services are easy to add and expand. Engineers or other team members purchasing cloud capacity or services need to be able to justify the decisions they’re making and be accountable for them.
  • Cloud applications and services can introduce risk. Your team must use only cloud resources that you’ve vetted and approved to prevent risks to security or noncompliance with corporate or industry regulations. Shadow IT cannot be permitted.
  • Cloud costs add up quickly. You need to manage costs and ensure that the solutions you use provide the greatest efficiency and allow you to operate most profitably.

Cloud Governance Best Practices

Smart organizations develop a cloud governance model that balances vital controls while empowering engineers with the ability to access the capacity and tools they need to excel at their work. The basis of effective cloud governance applies these principles in three areas:


After a bill or two from your cloud provider, you will see that numerous factors can impact your invoice. A misconfiguration can make cloud costs unintentionally escalate, or you may find an “orphaned resource” that your team no longer uses but that you’re still being billed for.

You can address cost management in a few ways. First, empower people closest to projects to make or weigh in on changes. They’ll know better than an executive whether a cloud resource is necessary or no longer needed.

Many organizations have adopted a cloud management platform with intelligent monitoring that can detect cloud usage spikes in real time and provide the basis for root cause analysis to understand how your cloud budget is spent. The most popular tools are the native cost tools the main cloud vendors provide, like AWS Cost Explorer and Azure Cost Management.

However, these tools do not always provide the level of detail engineers require, and it is worth looking into additional third-party cost optimization tools. A new disruptor in this space worth researching is Yotascale, which offers a drill-down on costs per team and unique insight into your Kubernetes costs alongside your cloud costs.


Cloud governance must also address how your organization will manage data in the cloud. This is particularly vital if you or your clients are subject to regulations, such as the EU’s General Data Protection Regulation (GDPR), Payment Card Industry Data Security Standards (PCI DSS), or the Health Insurance Portability and Accountability Act (HIPAA). However, all organizations should have a plan for cloud data storage to operate most efficiently.

Data management decisions you need to address include which data will be stored, how you will track data with metadata, how long data should be archived, and who has access to cloud data. Make sure the policies you establish align with regulatory compliance and that you don’t cut corners that can lead to fines and harm to your reputation.


Some organizations fall into complacency about security when they move infrastructure and applications to the cloud. Although cloud providers have extremely robust security solutions to protect your resources, it may not be all you need.

Take time to sort out the security measures your cloud provider has taken and what they leave up to you. Your organization may benefit from adding security solutions, such as firewalls, web application firewalls, antivirus or anti-malware, email security, or other measures to prevent data loss and provide defenses when human error occurs.

Other measures you can take include encrypting or tokenizing data in transit or when stored, using an identity and access management (IAM) solution to ensure only authorized people can access data, and promptly decommissioning unused resources. It’s also smart to revisit your security policies regularly and adapt them to changes in your organization or the threat landscape.

Cloud Governance & Your Company Culture

In the mission to democratize data, it is important to recognize that it must be accompanied by visibility for responsible oversight. When everyone within an organization is aware of and follows cloud governance best practices, it creates a culture of mutual trust and empowerment that will lead to the greatest productivity and innovation.

The cloud governance model you choose should enhance, not roadblock, the benefits your organization receives from the cloud, as well as help you build a company culture that supports both individual achievement and company success.

By Josh Hamilton
