Does your enterprise even need a formal cloud policy?

With all the buzz on cloud migration, IT industry experts have insisted that enterprises need a corporate cloud computing policy, but is it really necessary for cloud success? Is an explicit cloud policy essential, nice to have, or optional?

By cloud policy, I mean an enterprise-wide cloud governance statement of direction, not just a tactical IT directive or a departmental purchasing rule. Enterprise policies typically cover business critical topics such as:

Product – what business do you want to be in (and not in)?
Personnel – rules for human resources, ethical behaviour and fairness
Legal – commitment to meet regulatory, compliance and government relations requirements
Finances – practices for accounting, use of capital and delegation of authority

Traditional IT is typically not the subject of explicit business policies. Why does cloud computing warrant being elevated to a higher level? The table below compares “legacy” IT to cloud-based IT, and illustrates some of the major differences.

	Traditional IT	Cloud-based IT
Business impact	Automates systems of record; asset-based; technology-driven; business process focus	Automates systems of engagement and possibly record; service-driven; shared assets; customer transaction focus
Customer	Supports internal HQ and branch access; includes basic Web presence	Also supports social networks and self-service transactions; supports interactive Web and mobile e-commerce
Control	Owned, managed and controlled by the internal IT department	Managed by the IT department with distributed external ownership, control and operation
Agility and speed	Slow, evolutionary change; customized apps; proprietary technologies	Agile development; rapid deployment; standard services; open technologies
Geographic reach	Primarily in-house and local (e.g., bank branches, physical stores, offices)	Global reach through the Web, social networks and mobile devices
Integration	Vertical (all components are in-house) with some external horizontal links	Hybrid internal/external solutions with distributed products and shared operations
Personnel	Centralized technical staff with specialized planning, development and operations expertise	Outsourced operational staff; packaged off-the-shelf services; expanded relationship management functions
Legal compliance	Compliance requirements managed internally	Internal and external compliance and auditing required
Financial	Mixed capital and operating costs; high salary expenses; long term investments	Primarily operating expenses; reduced salary expenses; resources on a pay-for-use basis
Innovation	Majority of investment is to improve the status quo; innovation can be slow and costly	Significantly increased agility; much lower cost for service trials; lower overhead for development and testing; new innovations are results-driven

The chart above implies that a transformation to cloud-based IT could indeed be business strategic with a requirement for overarching policies (as opposed to project-by-project business cases).

Related Articles

Peering into the 2015 crystal ball – the clouds will reign

For example, strategic business outcomes of the cloud transformation could include:

Globalizing the business using systems of engagement
Changing the corporate mindset from treating IT as an expensive, scarce resource to it being more like electricity – plentiful, readily accessible, with use-based pricing
Changing the IT funding model from capitalized discrete solutions to instant-access, “pay-as-you-go,” shared services
Changing business product development from relying on customized, “bespoke” automation to the adoption of standard services (i.e., renting a service that performs a standard business function instead of buying a server that processes custom-built applications)
Fostering product innovation by facilitating rapid prototyping, minimizing custom development, eliminating start-up overheads, and optimizing integration and re-use of assets

If cloud computing proves to be the most appropriate solution for multiple business issues (as might be demonstrated by the emergence of “shadow IT”), then a corporate policy that gives preference to (or even mandates) the cloud transformation would make sense.

The emergence of government cloud-related policies in the USA, the UK, Australia, Hong Kong, the European Union and China are examples of how this is being implemented in the public sector.

A Cloud First Policy could include such topics as:

Conditions for acceptable use of cloud resources and cloud-resident information
Scope of applicability – endorsement for certain classes of application
Governance requirements and processes
Harmonization across divisions and products
Risk positioning – security/privacy/compliance
Legal and auditing best practices
Avoidance of shadow IT, cloud sprawl and service duplication
Procurement – adaptation of methods for selecting and contracting with cloud service providers
Cloud management best practices including reporting, access control and authorities

Does your organization have a Cloud Business Policy? Are you planning to create one? If no, why not?