Cloud computing presents corporate CIOs with an opportunity to deliver bottom-line savings in overall operating costs. At least, that's what cloud solution vendors promise, and more than a few corporate customers have realized genuine savings. But many companies have struggled to achieve the same results.
Adopting any cloud solution requires a CIO to think seriously about whether his company has truly established "governance" over data. Data governance requires three key services: control, transparency and rules. Without any of these services in place and working effectively, a cloud solution will impose direct operating costs that can undercut, and even overwhelm, the pursued savings.
So what are the key services for data governance?
Control. CIOs have responsibility to control their company’s data assets. Uncontrolled data moves randomly, chaotically and often very quickly to locations that are completely unexpected and often undesirable. Today, many companies are struggling as mobile computing transforms how we think of “where” data may go.
Control requires more than a series of “thou shall not” policies that rely on good conduct. Control requires technology walls that keep data identifiable, in known locations and in the control of those who ensure data is safe, accessible and reliable.
Transparency. To achieve control, CIOs must collect and monitor ongoing performance data that documents the control technologies and ensures services are firing correctly, accurately and without deviation. This requires transparency, so the systems, devices and applications where protected data is present must be generating reports that are sufficiently detailed to prove the controls are working, and providing adequate evidence to allow investigation and remediation when the controls do not work.
Transparency is easier to accomplish, of course, when dealing with corporate employees whose jobs require cooperation. Suitable reporting is more difficult when the data custodian is a vendor, contractor or third party. But that must be achieved before a cloud solution is deemed a success.
Rules. Those operating IT systems and managing data assets understand that control and transparency cannot be achieved without having explicit rules in place. It must be clear which systems or devices are subject to the rules, the data to which the rules are applied, the conditions that trigger a rule and the reporting data that this enforcement generates.
There is an evolution still occurring, however, in the way rules are authored and maintained. Many data control rules under corporate governance have been informal and based on common sense. As a result, transparency and control of how data is used, or misused, within a business is less mature.
When moving toward the cloud, then, the CIO’s challenge is to retain the integrity of the control, transparency and rules that existed before the cloud solution was implemented. And therein lies the problem: Time and again, companies are preparing to move to the cloud before they have achieved effective data governance.
When moving toward the cloud, the CIO’s challenge is to retain integrity among the controls, transparency and rules that exist.
Here are five key steps to help set-up and execute your migration to the cloud:
1. Write rules. A CIO must drive into place a complete inventory of the rules by which data is to be governed. The rules must be functional and include mechanisms for performance measurement and data reporting. Only when these rules are written can one evaluate the impact a cloud-based solution.
2. Test reporting. A CIO must be assured that the reporting works. The reporting functions must be tested, and the CIO must be confident that the reports provide accurate documentation of how data is used, or misused, within the business.
3. Demonstrate transparency. Management is entitled to know what the reports contain. By using the reports to communicate with management, a CIO is creating transparency (and is also building the appetite for those reports to continue, whether or not a cloud solution is employed).
4. Educate the lawyers. Lawyers drafting and negotiating cloud service contracts need to understand what the company requires to maintain governance. This requires education prior to completing the deal.
5. Control the RFP. The CIO must be assured that the RFP adequately expresses the control required from the solution provider so that the vendors can properly document and price their services. T he contract needs to transfer to the vendor duties associated with enforcing the rules, capturing data and reporting the results.
Jeffrey Ritter is the founder of Waters Edge Consulting in Reston, Va. Write to him at [email protected].