End users. Can’t live with them, can’t live without them. When procuring new IT solutions – a new opportunity for them in a corporate environment – they often like quick, flexible, and cheap. When working with current IT models, they value secure, scalable, and bullet-proof. Over the years, successful IT leaders have learned to help guide (read: manage) them through those trade-offs in a well-defined and disciplined approach.
Then along came cloud. For many consumers, cloud offerings seem to provide all that they are looking for, without the bothersome trade-offs. They are being told public cloud offerings can provide quick, cheap, secure, and scalable solutions. The beachhead for this type of messaging is often found on the fringes of enterprise-wide applications – just out of the reach and influence of traditional IT governance.
Many IT leaders have been caught a little flat-footed with the recent marketing of cloud services to their constituencies, with the looming question being whether they should exempt public cloud solutions from the “control” of centralized IT governance, wherein IT has authority over what can be purchased and how it can be deployed. This concept is counter to the pervasive centralization that for years has been justified by reasonable arguments around security, leveraged spend, and internal efficiencies.
So, what is the role of IT governance in the procurement of public cloud services?
On one hand, empowering end users and small groups within the enterprise to make their own decisions can improve the agility of the organization. Users can augment the enterprise portfolio to better meet needs with publicly available solutions. Demand can be harnessed by capabilities in the marketplace and budgets, not by the capacity of internal IT. Organizations empower their employees to make business decisions every day to meet the firm’s objectives, so why restrict their judgment when it comes to IT solutions?
On the other hand, decentralizing IT decisions can bring about a host of issues that traditional IT governance handles well, e.g., architectural considerations such as interoperability, portability, security, and disaggregation of strategic information. With centralization, financial management can ensure the enterprise is optimizing spend, decommissioning underutilized services, and managing internal allocation models.
We believe the best course of action is to proactively define characteristics that a public cloud solution must have in order for the end user population to directly purchase services. One straightforward way to accomplish this is for the IT governance organization to publish a solution verification checklist. If the desired public cloud solution meets all the criteria on the list, the user has the authority to purchase directly from the cloud provider.
Examples of criteria on the “Yes” (the end user has the authority to purchase) / “If” (the proposed public cloud solution) list include:
- Complies with the enterprise’s security requirements
- Follows or preserves the business rules, business logic and data constraints pertinent to the information being processed
- Preserves the integrity of the data and, if applicable, returns data to enterprise systems in an acceptable format and without data loss
- Supports the integrity of the enterprise technical architecture
- Does not sub-optimize the enterprise’s spend in any significant way
- Does not require any resources within IT to support the solution
- Fits within the acquiring entity’s budget constraints
Empowering users in this way, while not without risk, can enable the business in ways IT organizations often profess – speed being the primary one. One of the emerging roles of IT governance is ensuring the enterprise’s needs are not compromised by the individual’s pursuit of cloud solutions. As we will explore in our next entry in this series, IT governance organizations have to find smart and sound ways to say yes, or run the risk of losing visibility into their users’ consumption of IT.