Does your enterprise even need a formal cloud policy?

With all the buzz on cloud migration, IT industry experts have insisted that enterprises need a corporate cloud computing policy, but is it really necessary for cloud success?  Is an explicit cloud policy essential, nice to have, or optional?

By cloud policy, I mean an enterprise-wide cloud governance statement of direction, not just a tactical IT directive or a departmental purchasing rule.  Enterprise policies typically cover business critical topics such as:

  • Product – what business do you want to be in (and not in)?
  • Personnel – rules for human resources, ethical behaviour and fairness
  • Legal – commitment to meet regulatory, compliance and government relations requirements
  • Finances – practices for accounting, use of capital and delegation of authority

Traditional IT is typically not the subject of explicit business policies.  Why does cloud computing warrant being elevated to a higher level?  The table below compares “legacy” IT to cloud-based IT, and illustrates some of the major differences.

Traditional IT Cloud-based IT
Business impact Automates systems of record; asset-based; technology-driven; business process focus Automates systems of engagement and possibly record; service-driven; shared assets; customer transaction focus
Customer Supports internal HQ and branch access; includes basic Web presence Also supports social networks and self-service transactions; supports interactive Web and mobile e-commerce
Control Owned, managed and controlled by the internal IT department Managed by the IT department with distributed external ownership, control and operation
Agility and speed Slow, evolutionary change; customized apps; proprietary technologies Agile development; rapid deployment; standard services; open technologies
Geographic reach Primarily in-house and local (e.g., bank branches, physical stores, offices) Global reach through the Web, social networks and mobile devices
Integration Vertical (all components are in-house) with some external horizontal links Hybrid internal/external solutions with distributed products and shared operations
Personnel Centralized technical staff with specialized planning, development and operations expertise Outsourced operational staff; packaged off-the-shelf services; expanded relationship management functions
Legal compliance Compliance requirements managed internally Internal and external compliance and auditing required
Financial Mixed capital and operating costs; high salary expenses; long term investments Primarily operating expenses; reduced salary expenses; resources on a pay-for-use basis
Innovation Majority of investment is to improve the status quo; innovation can be slow and costly Significantly increased agility; much lower cost for service trials; lower overhead for development and testing; new innovations are results-driven


The chart above implies that a transformation to cloud-based IT could indeed be business strategic with a requirement for overarching policies (as opposed to project-by-project business cases).

For example, strategic business outcomes of the cloud transformation could include:

  • Globalizing the business using systems of engagement
  • Changing the corporate mindset from treating IT as an expensive, scarce resource to it being more like electricity – plentiful, readily accessible, with use-based pricing
  • Changing the IT funding model from capitalized discrete solutions to instant-access, “pay-as-you-go,” shared services
  • Changing business product development from relying on customized, “bespoke” automation to the adoption of standard services (i.e., renting a service that performs a standard business function instead of buying a server that processes custom-built applications)
  • Fostering product innovation by facilitating rapid prototyping, minimizing custom development, eliminating start-up overheads, and optimizing integration and re-use of assets

If cloud computing proves to be the most appropriate solution for multiple business issues (as might be demonstrated by the emergence of “shadow IT”), then a corporate policy that gives preference to (or even mandates) the cloud transformation would make sense.

The emergence of government cloud-related policies in the USA, the UK, Australia, Hong Kong, the European Union and China are examples of how this is being implemented in the public sector.

A Cloud First Policy could include such topics as:

  • Conditions for acceptable use of cloud resources and cloud-resident information
  • Scope of applicability – endorsement for certain classes of application
  • Governance requirements and processes
  • Harmonization across divisions and products
  • Risk positioning – security/privacy/compliance
  • Legal and auditing best practices
  • Avoidance of shadow IT, cloud sprawl and service duplication
  • Procurement – adaptation of methods for selecting and contracting with cloud service providers
  • Cloud management best practices including reporting, access control and authorities

Does your organization have a Cloud Business Policy?  Are you planning to create one?  If no, why not?

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada
Don Sheppard
Don Sheppard
I'm a IT management consultant. I began my career in railways and banks after which I took up the consulting challenge! I try to keep in touch with a lot of different I&IT topics but I'm usually working in areas that involve service management and procurement. I'm into developing ISO standards, current in the area of cloud computing (ISO JTC1/SC38). I'm also starting to get more interested in networking history, so I guess I'm starting to look backwards as well as forwards! My homepage is but I am found more here.

Featured Download

IT World Canada in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Latest Blogs

Senior Contributor Spotlight