With all the buzz on cloud migration, IT industry experts have insisted that enterprises need a corporate cloud computing policy, but is it really necessary for cloud success?  Is an explicit cloud policy essential, nice to have, or optional?

By cloud policy, I mean an enterprise-wide cloud governance statement of direction, not just a tactical IT directive or a departmental purchasing rule.  Enterprise policies typically cover business critical topics such as:

  • Product – what business do you want to be in (and not in)?
  • Personnel – rules for human resources, ethical behaviour and fairness
  • Legal – commitment to meet regulatory, compliance and government relations requirements
  • Finances – practices for accounting, use of capital and delegation of authority

Traditional IT is typically not the subject of explicit business policies.  Why does cloud computing warrant being elevated to a higher level?  The table below compares “legacy” IT to cloud-based IT, and illustrates some of the major differences.

Traditional ITCloud-based IT
Business impactAutomates systems of record; asset-based; technology-driven; business process focusAutomates systems of engagement and possibly record; service-driven; shared assets; customer transaction focus
CustomerSupports internal HQ and branch access; includes basic Web presenceAlso supports social networks and self-service transactions; supports interactive Web and mobile e-commerce
ControlOwned, managed and controlled by the internal IT departmentManaged by the IT department with distributed external ownership, control and operation
Agility and speedSlow, evolutionary change; customized apps; proprietary technologiesAgile development; rapid deployment; standard services; open technologies
Geographic reachPrimarily in-house and local (e.g., bank branches, physical stores, offices)Global reach through the Web, social networks and mobile devices
IntegrationVertical (all components are in-house) with some external horizontal linksHybrid internal/external solutions with distributed products and shared operations
PersonnelCentralized technical staff with specialized planning, development and operations expertiseOutsourced operational staff; packaged off-the-shelf services; expanded relationship management functions
Legal complianceCompliance requirements managed internallyInternal and external compliance and auditing required
FinancialMixed capital and operating costs; high salary expenses; long term investmentsPrimarily operating expenses; reduced salary expenses; resources on a pay-for-use basis
InnovationMajority of investment is to improve the status quo; innovation can be slow and costlySignificantly increased agility; much lower cost for service trials; lower overhead for development and testing; new innovations are results-driven


The chart above implies that a transformation to cloud-based IT could indeed be business strategic with a requirement for overarching policies (as opposed to project-by-project business cases).

For example, strategic business outcomes of the cloud transformation could include:

  • Globalizing the business using systems of engagement
  • Changing the corporate mindset from treating IT as an expensive, scarce resource to it being more like electricity – plentiful, readily accessible, with use-based pricing
  • Changing the IT funding model from capitalized discrete solutions to instant-access, “pay-as-you-go,” shared services
  • Changing business product development from relying on customized, “bespoke” automation to the adoption of standard services (i.e., renting a service that performs a standard business function instead of buying a server that processes custom-built applications)
  • Fostering product innovation by facilitating rapid prototyping, minimizing custom development, eliminating start-up overheads, and optimizing integration and re-use of assets

If cloud computing proves to be the most appropriate solution for multiple business issues (as might be demonstrated by the emergence of “shadow IT”), then a corporate policy that gives preference to (or even mandates) the cloud transformation would make sense.

The emergence of government cloud-related policies in the USA, the UK, Australia, Hong Kong, the European Union and China are examples of how this is being implemented in the public sector.

A Cloud First Policy could include such topics as:

  • Conditions for acceptable use of cloud resources and cloud-resident information
  • Scope of applicability – endorsement for certain classes of application
  • Governance requirements and processes
  • Harmonization across divisions and products
  • Risk positioning – security/privacy/compliance
  • Legal and auditing best practices
  • Avoidance of shadow IT, cloud sprawl and service duplication
  • Procurement – adaptation of methods for selecting and contracting with cloud service providers
  • Cloud management best practices including reporting, access control and authorities

Does your organization have a Cloud Business Policy?  Are you planning to create one?  If no, why not?