Before The Cloud, IT spending and IT policy were tightly controlled. Now end-users can whip out a credit card and acquire IT services on the fly. First there was server sprawl. Then VM sprawl. Do we need policies to prevent cloud sprawl?
Lori Janjigian, VP of client marketing at Focus, got to the heart of the matter when she asked: “Is there a need for a cloud policy? What should it cover? How broad should it be in terms of what (purchasing, consumption, security) and who (IT, employees, supply-chain partners, vendors)? Who should own it, and how should it be developed (top-down, bottom-up, crowdsourced)? How often should it be reviewed?”
It’s no surprise that the experts who responded were emphatically pro-policy. But their road maps for reigning in cloud sprawl took some intriguing turns.
Anders Trolle-Schultz, managing partner at SaaS-it Consult, insists that IT must hold the keys to the kingdom where policy is concerned. As he sees it, the entire organization shouldn’t get to vote cloud policies up or down; rules and regulations should instead “be born from within the IT department, as part of the overall IT strategy for the company. Just because cloud services are much easier to consume and pay for by the employees, doesn’t necessarily imply that they should be able to do so.”
Barry Schaeffer, principal consultant at Content Life Cycle Consulting, suggests that policy should be “grounded on what The Cloud actually is: a series of remote service bureau vendors and services, all competing and all approaching their services from slightly different perspectives.” No company should take on The Cloud without a comprehensive policy, Schaeffer says, that details “how to choose and monitor a vendor; how to protect the assets turned over to the vendor; and what to do if things go south. To do otherwise would be like cranking the Titanic up to 22 knots on a moonless night, without binoculars in the crow’s nest.”
BrainWave Consulting’s Andrew S. Baker agrees that IT should set cloud policy, but he believes it’s an opportunity for IT to play the hero rather than the scold—provided IT keeps policies as uncomplicated as possible. “The maturity level of the organization should be one key consideration for how detailed or complex the policies should be,” Baker says, “but in general, simpler is better.”
Baker adds that cloud policy should “cover things like how the organization intends to use the cloud, and what the basic rules of solution procurement will be.” He thinks the time has come for both large and small organizations to understand “that IT is not just about tasks performed or technology purchased, but about people, processes, and tools that need to be managed. Corporate governance, of which IT governance should be a key part, is something that every organization needs. … Rather than the cloud representing a negative for IT departments and staff, it could prove to be a major catalyst in cementing their role at the table of corporate governance and stewardship.”
SummaLogic’s Robert Keahey admits that cloud computing is “technologically disruptive in many ways (e.g., BYOD),” but he maintains that “with agility and flexibility comes some unexpected and unwanted side effects.” Developing a cloud policy “doesn’t need to be all-encompassing and agonizingly detailed,” Keahey says, lest it risk becoming “burdensome to the point that organizations will spend more energy and money trying to circumvent it than they do leveraging it for the good of the company.”
He recommends that various departments craft cloud policy, including “legal, IT, the CIO, and CSO to name a few.” Most importantly, he says, “the policy team must include people (business unit reps) who will be the beneficiaries of the company’s cloud computing strategy. Ownership and buy-in by the user community is essential.”
Finally, Keahey sees setting cloud policy as a chance to educate: “A key aspect of the policy should be its educational value,” he says. “Cloud computing has many definitions—why not explain your company’s view of it to the employees? We spend a lot of time and money on training for new HR policies, product training, process training. Companies should do the same for this new service model that holds the potential to dramatically change their capability to deliver goods and services and reshape their markets.”
Has your business formalized its cloud computing policy? Who helped draft the guidelines? Or is your company avoiding the issue altogether? Are you concerned about cloud sprawl creeping in through your business’s back door? Share your experience in the comments below.
About the Author
Alec Wagner is a writer, editor, custom content specialist, and content marketing professional. A former managing editor of infoworld.com, he has trained his eye on the enterprise technology space for more than a dozen years. A longtime digital nomad, he divides his time between San Francisco and the South of France. He remembers to thank The Cloud daily for enabling his globetrotting ways.