With all the buzz on cloud migration, IT industry experts have insisted that enterprises need a corporate cloud computing policy, but is it really necessary for cloud success? Is an explicit cloud policy essential, nice to have, or optional?
By cloud policy, I mean an enterprise-wide cloud governance statement of direction, not just a tactical IT directive or a departmental purchasing rule. Enterprise policies typically cover business critical topics such as:
- Product – what business do you want to be in (and not in)?
- Personnel – rules for human resources, ethical behaviour and fairness
- Legal – commitment to meet regulatory, compliance and government relations requirements
- Finances – practices for accounting, use of capital and delegation of authority
Traditional IT is typically not the subject of explicit business policies. Why does cloud computing warrant being elevated to a higher level? The table below compares “legacy” IT to cloud-based IT, and illustrates some of the major differences.
| Traditional IT | Cloud-based IT | |
| Business impact | Automates systems of record; asset-based; technology-driven; business process focus | Automates systems of engagement and possibly record; service-driven; shared assets; customer transaction focus |
| Customer | Supports internal HQ and branch access; includes basic Web presence | Also supports social networks and self-service transactions; supports interactive Web and mobile e-commerce |
| Control | Owned, managed and controlled by the internal IT department | Managed by the IT department with distributed external ownership, control and operation |
| Agility and speed | Slow, evolutionary change; customized apps; proprietary technologies | Agile development; rapid deployment; standard services; open technologies |
| Geographic reach | Primarily in-house and local (e.g., bank branches, physical stores, offices) | Global reach through the Web, social networks and mobile devices |
| Integration | Vertical (all components are in-house) with some external horizontal links | Hybrid internal/external solutions with distributed products and shared operations |
| Personnel | Centralized technical staff with specialized planning, development and operations expertise | Outsourced operational staff; packaged off-the-shelf services; expanded relationship management functions |
| Legal compliance | Compliance requirements managed internally | Internal and external compliance and auditing required |
| Financial | Mixed capital and operating costs; high salary expenses; long term investments | Primarily operating expenses; reduced salary expenses; resources on a pay-for-use basis |
| Innovation | Majority of investment is to improve the status quo; innovation can be slow and costly | Significantly increased agility; much lower cost for service trials; lower overhead for development and testing; new innovations are results-driven |
The chart above implies that a transformation to cloud-based IT could indeed be business strategic with a requirement for overarching policies (as opposed to project-by-project business cases).
For example, strategic business outcomes of the cloud transformation could include:
- Globalizing the business using systems of engagement
- Changing the corporate mindset from treating IT as an expensive, scarce resource to it being more like electricity – plentiful, readily accessible, with use-based pricing
- Changing the IT funding model from capitalized discrete solutions to instant-access, “pay-as-you-go,” shared services
- Changing business product development from relying on customized, “bespoke” automation to the adoption of standard services (i.e., renting a service that performs a standard business function instead of buying a server that processes custom-built applications)
- Fostering product innovation by facilitating rapid prototyping, minimizing custom development, eliminating start-up overheads, and optimizing integration and re-use of assets
If cloud computing proves to be the most appropriate solution for multiple business issues (as might be demonstrated by the emergence of “shadow IT”), then a corporate policy that gives preference to (or even mandates) the cloud transformation would make sense.
The emergence of government cloud-related policies in the USA, the UK, Australia, Hong Kong, the European Union and China are examples of how this is being implemented in the public sector.
A Cloud First Policy could include such topics as:
- Conditions for acceptable use of cloud resources and cloud-resident information
- Scope of applicability – endorsement for certain classes of application
- Governance requirements and processes
- Harmonization across divisions and products
- Risk positioning – security/privacy/compliance
- Legal and auditing best practices
- Avoidance of shadow IT, cloud sprawl and service duplication
- Procurement – adaptation of methods for selecting and contracting with cloud service providers
- Cloud management best practices including reporting, access control and authorities
Does your organization have a Cloud Business Policy? Are you planning to create one? If no, why not?