Exploring the Cloud Governance Lifecycle™
Accelerating the Transition to a Cloud-Centric
An IT Executive Perspective™ from AgilePath Corporation
January 24, 2011
AGILEPATH CORPORATION 38 MERRIMAC STREET NEWBURYPORT, MA 01950
“Accelerating Enterprise Agility”
Executive Summary
Cloud computing is high on the Gartner Group hype cycle for many reasons. The good reasons focus on the
compelling benefits offered by Cloud computing to adopters, regardless of the public-private-hybrid Cloud
deployment scenarios, and regardless of the pattern of Cloud desired. The benefits will ultimately be realized as
this technology matures and becomes mainstream. However, a number of Cloud obstacles remain to be
addressed, including the security concerns, the lack of industry standards for APIs, and ensuring cloud
portability, interoperability and integration.
However, a larger challenge remains, which is the topic of focus in this whitepaper: Cloud Governance.
AgilePath feels that a Cloud Governance framework will not only help large enterprises make the best strategic
and architectural choices with respect to Cloud, but will provide a next generation IT resource management
model that will pave the way for the future of IT organizations going forward.
For Commercial and Federal Government organizations, Cloud computing and Cloud governance will bring
important changes to the ways in which IT resources and capabilities are specified, architected, acquired,
implemented, integrated, managed, provisioned, consumed, and ultimately retired. This whitepaper offers not
only an end-to-end view of Cloud governance, but it paints a future vision for Information Technology that will
help it remain relevant in an age where, increasingly, IT organizations are disintermediated from their business
customers by global forces of outsourcing, managed services and public Clouds, while demand for customer
service, reliability, performance and results remains high. IT must adapt to these forces, and the Cloud
Governance Lifecycle offers a way out of the quandary. We call organizations that adopt this approach Cloud-
Centric Leadership Organizations.
Cloud-Centric Leadership organizations have an opportunity to be proactive with Cloud computing, both from a
technical and architecture perspective, but more importantly from an acquisition, governance and management
perspective. This whitepaper details a course of action that is both daring yet pragmatic, and offers a vision for
the IT organization of the future.
The Cloud Governance Lifecycle offers a pathway to an integrated model for managing, provisioning and
governing for all IT resources, whether they are internal resources, 3rd party managed services, or public cloud
resources. An integrated Cloud resource management framework will allow consistent strategy, architecture
acquisition and resource provisioning, supported by IT policies, for the consumption of resources, with the
support of a new IT governance capability. Fortune favors the bold. IT leadership must act quickly and
decisively to establish an integrated model for IT resource management, and provide a means to optimize total
lifecycle costs for all IT resources.
Introduction
Every new technology trend usually creates a vacuum in the form of key IT disciplines that will help with the
adoption, insertion and value creation from that new technology. Information Technology (IT) acquisition
processes tend to be strained with new technologies. There is typically a lack of industry standards for the new
technologies. Proven methodologies and guidance as to how best to adopt these new technologies are almost
always missing. And finally, Enterprise IT governance processes tend to strain or fracture with the rise of new
The new IT buzz centers on Cloud computing. Cloud computing will challenge existing IT management and
governance paradigms much as previous technology trends did. This white paper explores the impact of Cloud
computing on IT governance, and develops the concept of a Cloud Governance Lifecycle. In reality, Cloud
computing requires a lifecycle of lifecycles, depending on the approach an organization pursues with Cloud. As
this exciting technology trend accelerates, the governance issues will become increasingly critical.
Definition of Cloud Governance
Cloud Governance is a new concept, and so we must spend some time on terminology. Cloud Governance
refers to the decision making processes, criteria and policies involved in the planning, architecture, acquisition,
deployment, operation and management of a Cloud computing capability.
Cloud governance in many respects resembles SOA governance, except that Cloud is focused on a different type
of enterprise resources, or Services, that may or may not overlap with SOA services. Both SOA and Cloud
computing are service-oriented architectures at their core. Both have Consumers and Providers, connected
together by a service contract and service-level agreements (SLA). Both are trust-based resource models, in
which consumers have a dependency on the provider to ensure reliability and assurance that the needed
resources will be there when they are needed.
SOA capabilities can be embedded in and delivered by a Cloud architecture, or Cloud can be applied to the
infrastructure services of a SOA strategy. Of course, combinations of both can also be contemplated. However,
the relative newness of Cloud demands more focused attention on its unique governance requirements. To that
end, we have developed a Cloud Governance Lifecycle model.
The proposed Cloud Governance Lifecycle™ describes the end-to-end requirements of Cloud Governance, from
planning, architecture and deployment to bursting, switching Cloud providers, and offboarding from a Cloud in
the event an organization chooses to move capabilities back in-house from a public Cloud, or even migrate them
to dedicated infrastructure resources.
Framing the Cloud Governance Challenge
Developing a Cloud computing governance lifecycle requires some work to frame the scope of the problem,
especially given the immaturity of Cloud computing and the broad range of solutions it encompasses. With
NIST’s simple model of Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service
(SaaS), we can frame the discussion at a fundamental level. However, given that there are many variations of
clouds, or cloud patterns, that can be created and deployed based on a rich set of potential business use cases,
we need an extensible approach that can cover them all. While NIST’s model is a start, it by no means reflects
the richness and variety of Cloud patterns in the industry.
The choice of Cloud deployment patterns also adds a layer of complexity on the Cloud Governance Lifecycle
discussion. Whether you deploy an internal private Cloud, or leverage public cloud service offerings, or go with
a hybrid approach that leverages the best of both worlds, you must still understand the complete cloud
governance lifecycle requirements. There is no free lunch, as they say, but there may be a different or a better
lunch, or you may eat in or dine out. Someone must take responsibility for the intersections of the various
Cloud governance requirements.
Introducing the Cloud Governance Lifecycle
The Cloud Governance Lifecycle encompasses five broad categories of requirements, as illustrated in Figure 1.
Figure 1: Cloud Governance Categories
These Cloud governance categories are described in the sections that follow.
Cloud Strategy and Planning: Describes the processes and policies that relate to Cloud strategy development,
planning, business case development, analysis of alternatives, go/no go criteria, and related Cloud planning
Cloud Architecture, Design and Deployment: Describes the processes and policies relating to development of a
Cloud Reference Model, a supporting Cloud Reference Architecture, and ultimately the design and deployment
of a Cloud (internally) or to a Cloud (externally) based on Cloud use cases, documentation of appropriate Cloud
enablement and deployment patterns. Also included in this section are Cloud security models and architectures,
which will be critical to success of all Cloud deployments.
Cloud Acquisition, Vendor Selection and Negotiation: Describes the processes and policies focused on Cloud
acquisition, vendor evaluation, comparison and selection, and contract negotiations, which must include SLA
definition, Quality of Service definition, and appropriate security, business assurance and operational
Resource Provisioning and Management: This tier of Cloud governance focuses on the processes and policies
surrounding requirements for resource enablement, installation and readiness, provisioning and management.
These activities are all about establishing the Cloud resource pool, providing access to and provisioning those
resources, and ultimately managing the Cloud resources.
Cloud Operations and Runtime Management: Describes the processes and policies focused on the operational
management of a Cloud, including the monitoring, network and systems management functions, capability
monitoring, alarming and fault notification, and all related operational and runtime management processes.
Taken together, these five areas of Cloud Governance can be represented as an end-to-end set of connected
processes that should be considered when determining what a particular organization’s Cloud Governance
Lifecycle should be. The end-to-end view of the Cloud Governance Lifecycle is described below.
The Detailed End-to-End Cloud Governance Lifecycle
The detailed Cloud Governance Lifecycle is illustrated in Figure 2 below. While the chevrons denote high-level
activities of the Cloud Governance Lifecycle, in reality there are many fine-grained details required to design and
implement a robust end-to-end Cloud Governance model.
Figure 2: Detailed Cloud Governance Lifecycle Overview
The major activities of the Cloud Governance Lifecycle are explored in the sections below.
Cloud Strategy & Planning
The Cloud Strategy and Planning process, at a high level, involves making clear choices about what Cloud
computing means to an organization, what mission, business and IT challenges are making you consider a Cloud
solution, and formally documenting a Cloud strategy that enables the enterprise. The high-level steps involved
in this strategic level of Cloud governance are illustrated below.
The governance requirements here focus on a business- and mission-aligned Cloud strategy, with explicit formal
documentation of what a Cloud strategy will do for the enterprise in cost savings, mission enablement, IT
operating efficiencies, optimization of resources, and more. Ultimately, the governance decision at this level is
whether to formally pursue Cloud computing, or to wait and see. A bridging tactic might be to experiment with
Proof of Concepts and Pilots, which will help make the strategic decisions about Cloud less risky.
Cloud Architecture, Design and Deployment
The Cloud Architecture, Design and Deployment processes involve critical governance requirements related to
Cloud Reference Model and Reference Architecture development, alignment to key Cloud industry standards
(which are admittedly immature), Cloud solution design (for your unique Cloud enablement and deployment
pattern requirements), Cloud security, Cloud integration, interoperability and portability, and also Cloud testing
and quality assurance. The key activities are illustrated below.
The Cloud Architecture, Design and Deployment activities must explicitly address Cloud security, should
embrace the lack of mature Cloud standards until they mature, and must also investigate models for distributed
testing of Cloud-enabled capabilities for the diverse range of Cloud enablement patterns and deployment
patterns. Cloud architecture governance is very important in the early stages of adoption!
Cloud Acquisition and Contracting
Cloud Acquisition and Contracting governance activities focus on Cloud acquisition, vendor evaluation,
comparison and selection, and contract negotiations, which must include SLA definition, Quality of Service
definition, and appropriate security, business assurance and operational requirements. Key activities are
The primary thrust of Cloud Acquisition and Contracting governance is to bring discipline and proactive
contracting processes to bear on the emerging Cloud domain, especially given that many organizations are using
public Clouds to bypass their current slow and outdated IT acquisition and governance processes to meet
marketplace and business demands.
Resource Provisioning and Management
Cloud Resource Provisioning and Management governance processes center on requirements for capacity
planning, ensuring the Cloud resource pool is elastic and dynamically provisionable, and that you can plan
capacity ahead of demand for that capacity. Just-in-time capacity, in a Cloud-centric world, is too late. The
Cloud business and operating model must be anticipatory and proactive. Key activities for this group of
requirements are illustrated below.
These activities are all about establishing the Cloud resource pool and ensuring that it is dynamically provisionable and that
it not only meets mission and business needs but anticipates them. These processes must provide access to and
provision those resources, and ultimately manage the Cloud resources per the Cloud strategy and operating
model that is desired. Other key activities here include Cloud monitoring, management, operations and
support, maintenance, versioning and sustainment of the Cloud environment on behalf of its consumers.
Cloud Contingency Planning and Resource/Provider Management
Cloud Contingency Planning and Resource/Provider Management focuses on the governance processes and
activities that enable a robust, reliable and agile Cloud environment to be established. The major types of
activities for Cloud contingency planning are illustrated below.
The Cloud contingency planning requirements include explicit plans for Cloud bursting, or leveraging public Cloud
resources in times of peak demand, switching Cloud service providers, migrating from private to public and back,
as needed, and even offboarding from a public Cloud back to your internal Cloud. Governance requirements
here should also address continuity of operations (COOP), disaster recovery (DR) scenarios, back-up procedures,
and other related needs.
Implications for IT Leadership and Cloud-Centric Leadership Organizations
The Cloud Governance Lifecycle above provides a structured basis for CIOs, CTOs and Chief Architects to plan,
architect, acquire and operate a Cloud-enabled environment in support of their business, mission and IT
objectives. However, the greater opportunity for IT leaders is to establish an integrated Cloud management and
governance framework, layered over a hybrid or private-hybrid Cloud architecture, and begin to define and
implement the IT organizational and operating model of the future. This approach is the pathway to becoming a
Cloud-Centric Leadership Organization.
IT Leadership must begin to proactively acquire and broker IT resources, as a set of integrated, managed Cloud-
enabled resources, and provision them in the “capacity-ahead-of-demand” model described above. IT
Leadership must create an environment where it can manage all IT resources – infrastructure, data center,
application middleware, application platforms, and even SaaS-based applications – through a singular IT
governance construct, and essentially empower their internal business consumers to self-service access to IT
resources and capabilities. An integrated Cloud management and governance framework will enable Cloud
resource consumers to compare prices, evaluate offerings, service levels, and ultimately consume only the IT
resources they want, when they want, yet in a proactive model that is established, managed and maintained by
the IT organization. IT organizations of the future must act as the relationship manager to all business units and
consumers of IT resources. IT organizations must once again become the trusted acquisition agent, broker and
provisioner of all IT resources, regardless of whether they are internal, external or managed services from
IT Leadership must envision and realize the processes of the Next Generation of IT. The new role of IT
Leadership is illustrated in the figure below, and each of these requirements is explained in the sections that
Enterprise Services Computing Strategy: IT Leadership must define a comprehensive framework for Enterprise
Services Computing, which includes SOA, Cloud and all managed services, again irrespective of whether they are
internal, external or managed services provided by trusted partners.
Business/Mission Relationship Management: IT Leadership must define processes and roles to become a
trusted advisor, partner and relationship manager for its business units, key programs and projects, and IT
resource consumers. As with the IT organization of the future, in order to avoid disintermediation, IT
organizations must be relevant and proactive on behalf of their consumers.
IT Resources Acquisition & Contracts Management: IT Leadership must proactively establish relationships,
acquisition processes, contracts and SLAs with potential IT resource providers, again, in a capacity-ahead-of-
demand paradigm. Based on the Business/Mission Relationship Management role described above, IT
Leadership can begin to develop the acquisition and contracts necessary to support anticipatory provisioning of
Cloud services and other IT resources to its business and mission consumers.
IT Resource Portfolio Management: IT Leadership must develop an integrated portfolio of Enterprise
computing resources, including Cloud services, infrastructure services, SOA services, managed services and
other, and allow the transparent comparison of the prices, SLAs, availability, and other terms and conditions,
such that the consumers can easily access, consume and manage based on a self-service, self-governance
model. IT Leadership will manage investments in the portfolio, optimize choices and drive standardization, and
in this way achieve tremendous savings in IT spending.
IT Resources Brokering: IT Leadership must use the Cloud governance concepts in this whitepaper to create an
IT resource brokering role, supported by self-service portals, Cloud management and governance processes,
policies and technologies. In this manner, IT Leadership can become the master service broker to its business
partners and end-users in a proactive fashion.
Integrated IT Resources Management: IT Leadership must implement a framework in which it can manage all IT
services as integrated capabilities, acquired and deployed, managed and provisioned, accessed and consumed,
and versioned and maintained using an integrated resources management model. This approach includes Cloud
governance lifecycle processes, technical capabilities, and a new approach to managing IT resources.
A Cloud-Centric Leadership Vision for IT
Based on the model above, IT Leadership can achieve this vision of the IT organization of the future. If IT
leadership chooses to pursue this model, the following vision statements might become reality.
Cloud-Centric Leadership Organizations will redefine the role of the CIO and the IT organization based
on a model of integrated resource management, Cloud-centric governance lifecycle principles, and the
relationship management/resource broker model. This model is the future, and it is closer to reality
than many would care to admit.
Cloud-Centric Leadership Organizations will achieve better optimization of their IT spending on all IT
resources and services, from internal providers, external/3rd party providers, and trusted managed
services and solution partners. This will enable competition and price comparisons, which will create a
consumer-friendly environment while encouraging a cost-optimized environment.
Cloud-Centric Leadership Organizations will establish internal benchmarks for Cloud services to
compare with those of internal and third party public Cloud service providers, which will create a
transparent model by which they can manage IT spending. IT resource providers in this equation will
include any internal or external entity that provides IT resources.
Cloud-Centric Leadership Organizations will deploy hybrid or private-hybrid Clouds that will establish
the technical resource delivery framework for such a model, essentially becoming an internal
relationship manager and integrated services broker for internal, 3rd party and all IT services. While the
Cloud implementation is critical to enabling this integrated resource management and governance
model via the Cloud Governance Lifecycle, you must remember that implementation of the supporting
Cloud management and governance framework is equally critical to the aggregation and integrated
management and provisioning of all IT and Cloud resources.
Cloud-Centric Leadership Organizations can manage and provision highly differentiated business and
IT services and provide them to external consumers, essentially creating new revenue opportunities
and new pathways to innovation. Cloud computing will introduce a new innovation engine by lowering
the threshold and eliminating barriers to IT capabilities. Internal innovation and rapid time to market
will be the result when IT resources are unshackled from outdated IT governance processes that
emphasized “slow” and “no” over “Why not?” and “How fast would you like it?” Cloud-Centric
Leadership Organizations will become enablers of internal innovation by unleashing their IT capacity from
Cloud-Centric Leadership Organizations will proactively define and implement the Cloud Governance
Lifecycle framework for integrated services management, procurement, provisioning, cost
allocation/chargeback, resource management and brokering, and in doing so will leap ahead of their
competitors and peers with the vision, processes and capabilities to realize the benefits of a Cloud-
This Cloud-Centric vision of the future can be amplified and expanded, but the key points have been made. Your
IT future is here, and you can embrace the opportunity or stand pat with a status quo approach. Again, fortune
favors the bold.
A Cloud-Centric Leadership Action Plan
Should your organization choose to act on these concepts, the following activities might be considered as a high-
level action plan that will transition you to a Cloud-Centric Leadership Organization:
First, you must define the Cloud management and governance strategy, architecture and business case
(Cloud focus, metrics, savings and synergies) quickly to understand the investments, savings, and
operating model of this approach.
Next, you must define your Cloud Management and Governance (CMaG) Lifecycle processes, by
adapting the Cloud Governance Lifecycle above to your needs and requirements, and integrating it into
current Enterprise and IT governance processes.
Third, you must select and deploy a Cloud Management platform to integrate, manage, broker and
provision Integrated Cloud Resources per the model above. This will require vendor evaluation,
selection, pilots/proof of concepts, and the normal due diligence to ensure fit to the vision we have
Fourth, you should implement an appropriate Cloud computing platform to enable integrated
management and provisioning of internal and external resources. Whether you choose a hybrid
Cloud, or a private-hybrid Cloud, depending on your security requirements and business objectives, keep
in mind that the Cloud is an enabler, while the Cloud Management and Governance model is the secret
sauce. Integrated Cloud management and governance will enable the transition to the Cloud-Centric
Leadership Organization we have described above.
Next, you must integrate the Cloud Governance Lifecycle into your Acquisition, IT Governance and
Program Management Processes, which will enable the proactive, IT resources brokering construct to
Finally, you must gather empirical data and metrics to validate the business model for integrated
Cloud management and governance according to your version of the Cloud Governance Lifecycle. You
must have the data and metrics to enable transparent comparison of products/IT capabilities, prices,
SLAs, availability, performance metrics for all internal and external IT resources. This will create a Cloud
resource marketplace that ensures your business customers have choices and transparent pricing to
make the best decisions, all within a model proactively created by the Cloud-Centric Leadership
Organization of the future.
Summary
This whitepaper establishes the foundation of a Cloud Governance Lifecycle, which is the basis for not only
managing and governing your current or future Cloud, but for transitioning into a Cloud-Centric Leadership
Organization. The Cloud Governance Lifecycle must be adapted to your enterprise, and integrated into existing
IT governance processes. However, do not hamstring your future Cloud governance requirements by anchoring
them to an outdated and inefficient legacy IT governance model. Remember, Cloud is an agility-enabling
capability, and should not be bolted onto an inherently cumbersome and slow legacy IT governance model. To
accelerate the transition to a Cloud-Centric Leadership Organization, leverage the action plan above and make it
work for your enterprise. In parallel with planning your Cloud, plan the Cloud Governance Lifecycle that you
need to manage and govern your Cloud. Remember, Cloud computing is the enabler, while Cloud management
and governance is the secret sauce!
For more information please contact:
Sandra G. Callahan