
Governance and compliance in the cloud – a mutual capability


Steve Mccormick


Chief Architect
ARQ Group


In this blog we’ll explain the evolution of public cloud and why governance and compliance are crucial to your organisation’s cloud system.

The promise of public cloud was resilience, agility and business transformation – a tempting trinity. Everyone tried a little, often quietly and in isolation. Then there was a sudden explosion of public cloud use commercially as it was quick, easy and required no commitments. However, this led to many unexpected challenges when organisations established their public cloud environment.

Who would have thought that in less than 10 years that tempting promise had created a new type of technology debt…

The lack of education and awareness on public cloud left many organisations at the time with cloud sprawl, due to the absence of governance and strategy. In addition, the agility and democratisation of technology consumption led to weakened security postures, duplication of capability and the spawning of multiple points of truth, as anyone could spin up a capability. Business transformation at its worst became a constant stream of directional changes and failures, fast or otherwise.

None of these challenges are specific to an industry, organisational size or organisational model. They apply to cloud native businesses just as they do to 100-year-old traditional global service industries. Regardless of where a business came from or how it got to the cloud, the adoption of cloud governance and compliance is a mutual capability that must be sustainable.

But what is cloud governance and compliance?

Cloud governance is a set of rules and policies which guide how end users make use of cloud services. These policies enhance data security, minimize security risks, control costs and enable the smooth operation of cloud systems. Cloud governance is essential for all organizations with cloud systems, as it provides the scaffolding and frameworks to enable scale and derive ongoing success. Cloud governance also encompasses the activities of continuously monitoring and auditing the rules, policies and processes that control a business's consumption of cloud resources. Governance should be part of the way you do cloud, not inspected into cloud.

So, what is cloud compliance if monitoring and auditing are already covered? Cloud compliance is ensuring that the operation and use of data and applications in the cloud are guided by applicable laws, industry standards and regulations. Before organizations move data and applications into the cloud, they should consider what standards, laws and regulations need to be complied with. Cloud compliance can look very different in each industry, so we recommend all organizations allow sufficient time when setting up their cloud system to avoid the costly mistakes of non-compliance.

There are a few key things to keep in mind when it comes to cloud governance and compliance:

  1. Make sure you have a clear understanding of the regulations that apply to your data.
  2. Put together a governance plan that outlines how you will ensure compliance with these regulations, as you build, not as an afterthought.
  3. Automate the governance of your cloud environment regularly to ensure that it remains compliant.
  4. Have a process in place for responding to any compliance issues that may arise, and make sure you have tested that process.

By following these tips, you can make sure that your transition to the cloud is a smooth and compliant one.

In this blog, we will cover four areas we feel are critical to the sustainable capability of cloud governance and compliance:

Financial Operations (FinOps):

FinOps is an evolving cloud financial management discipline. At its core is a cultural practice that spans cross-functional teams in engineering, finance, product development and the business. It is a way for everyone to get maximum business value through team collaboration and ownership of spend in a predictable, controlled manner.

Predictability is a key element of a successful cloud environment, and it involves more than reporting on spend or allocating costs. FinOps has a heavy focus on continual improvement, accurate forecasting and empowering teams to make the right investment decisions. Sometimes that decision is to reduce spend, other times it's to increase investment, but in both cases FinOps allows for a data-driven decision.

Through focusing on FinOps when establishing your cloud environment, you can ensure your organization is spending each dollar in the most effective manner and avoid cloud sprawl and associated sticker shock. The approach should be iterative, starting small and growing in scale and scope as the complexity of cloud adoption warrants a more mature capability.

FinOps is a supporting capability within the framework of cloud governance and compliance, ideally a centralised one. Its key role in governance and compliance is the timely and accurate provision of data points for the organisation.

Security Operations (SecOps):

Another important aspect of cloud compliance is SecOps. SecOps involves the planning, implementation and monitoring of security measures to protect data and systems. This drives the focus on reducing the time attackers have access to resources by detecting, responding to, and helping to recover from active attacks. The ability to rapidly respond and recover reduces the ROI for attackers, and hence the risk of attack, because each time they are detected and evicted the cost to attack goes up. SecOps is most effective when organisations accept that it is a "when" not "if" world that we all operate in.

A common misconception is that security operations is the management of technical platforms. SecOps is highly technical, but crucially it's a discipline that needs to be instilled in people. Commodity attacks are generally fully automated, can in the main be addressed by tooling, and are often there to disguise the actions of live human attack operators. This is why the focus should be on empowering all the people in your teams, using tooling to simplify their days and free their skill, insight and resourcefulness to get ahead of the human attackers.

To bring this into the context of governance and compliance, SecOps, with its ever-changing external challenges, is a key driver for the iteration of policies, standards, controls and ways of working that help evolve cloud environment use. Whilst more active in the front line of operations, SecOps is also a key provider of data points to the wider teams. Collaboration across teams is the only way to maintain a high security posture – the "lone wolf" security approach does not work.

DevOps:

DevOps means different things to different people and organisations. A major cloud provider's definition is "the combination of cultural philosophies, practices, and tools that increases an organization's ability to deliver applications and services at high velocity: evolving and improving products at a faster pace than organizations using traditional software development and infrastructure management processes."

Speed is not the only advantage of adopting DevOps. In the context of governance and compliance the real benefit, if implemented well, is the increased rigour and quality that result from the adoption of these practices. Infrastructure as code, CI/CD and automated testing are just three of the guardrails that a DevOps culture uses to support embedded governance and compliance.

This is where the sustainability of cloud governance and compliance is really tested. If the policies and standards can only be enforced and monitored manually, then the cloud paradigm of agility and dynamism is lost. Try this over multiple public clouds and the problem will grow exponentially and become a blocker.

Dealing with this challenge means adopting DevOps holistically, in a structured programmatic manner with comprehensive monitoring, testing, feedback mechanisms and programmatic remediation. This is not the place for a handful of scripts built by the latest developer; this is where a cohesive, integrated tooling capability leads to success.
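The following Python script is an added example (not ARQ Group's code) of what "embedded" governance looks like once the four steps listed earlier and the DevOps guardrails described above are put together: the governance plan is encoded as policy-as-code rules, an inventory of resources is evaluated against them automatically, each violation carries a remediation hint, the severity summary is the data point handed back to the wider teams, and a gate decides whether a CI/CD change may proceed. The resource kinds, rule names, tag names, remediation text and the sample inventory are all constructed for illustration; in a real pipeline the inventory would come from an IaC plan or a cloud provider's inventory API.

```python
"""Policy-as-code compliance check for a cloud resource inventory.

Added example; not ARQ Group's code. Everything here (resource kinds,
rule names, tag names, remediation text, the sample inventory) is
constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Resource:
    kind: str                      # hypothetical kinds: storage_bucket, database, vm
    name: str
    attrs: dict = field(default_factory=dict)


@dataclass
class Rule:
    name: str
    severity: str                  # critical / high / medium
    kinds: set[str]                # which resource kinds the rule applies to
    compliant: Callable[[Resource], bool]
    remediation: str               # programmatic remediation hint for the finding


@dataclass
class Finding:
    rule: str
    resource: str
    severity: str
    remediation: str


# Tags FinOps needs to attribute spend to an owner and cost centre (constructed names).
REQUIRED_TAGS = {"owner", "cost-centre", "environment"}

# The governance plan, encoded as rules. Predicates fail closed: a missing
# attribute counts as non-compliant rather than being assumed safe.
RULES = [
    Rule("encryption-at-rest", "high", {"storage_bucket", "database"},
         lambda r: r.attrs.get("encrypted") is True,
         "enable server-side encryption in the IaC module and re-apply"),
    Rule("no-public-access", "critical", {"storage_bucket", "database"},
         lambda r: r.attrs.get("public") is False,
         "remove public access; expose only through a private endpoint"),
    Rule("audit-logging", "high", {"storage_bucket", "database"},
         lambda r: r.attrs.get("logging") is True,
         "enable access logging so SecOps has data points to detect and respond"),
    Rule("cost-allocation-tags", "medium", {"storage_bucket", "database", "vm"},
         lambda r: REQUIRED_TAGS <= set(r.attrs.get("tags", {})),
         f"add the tags {sorted(REQUIRED_TAGS)} so FinOps can attribute spend"),
]


def evaluate(inventory: list[Resource], rules: list[Rule] = RULES) -> list[Finding]:
    """Run every applicable rule over every resource and collect violations."""
    findings = []
    for res in inventory:
        for rule in rules:
            if res.kind in rule.kinds and not rule.compliant(res):
                findings.append(Finding(rule.name, f"{res.kind}/{res.name}",
                                        rule.severity, rule.remediation))
    return findings


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity: the data point reported back to the wider teams."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def gate(findings: list[Finding], block_on=("critical", "high")) -> bool:
    """CI/CD gate: True when the change may proceed, False when it must be fixed first."""
    return not any(f.severity in block_on for f in findings)


# Constructed inventory, shaped like the flattened attributes an IaC plan
# or an inventory API listing would give you.
SAMPLE_INVENTORY = [
    Resource("storage_bucket", "finance-reports",
             {"encrypted": True, "public": False, "logging": True,
              "tags": {"owner": "finance", "cost-centre": "CC100", "environment": "prod"}}),
    Resource("storage_bucket", "marketing-assets",
             {"encrypted": False, "public": True, "logging": False,
              "tags": {"owner": "marketing"}}),
    Resource("database", "orders-db",
             {"encrypted": True, "public": False, "logging": True,
              "tags": {"owner": "retail", "environment": "prod"}}),
    Resource("vm", "build-agent-01",
             {"tags": {"owner": "platform", "cost-centre": "CC200"}}),
]


if __name__ == "__main__":
    results = evaluate(SAMPLE_INVENTORY)
    for f in results:
        print(f"[{f.severity}] {f.resource}: {f.rule} -> {f.remediation}")
    print("summary:", summarise(results))
    print("pipeline may proceed:", gate(results))
```

Running it against the constructed inventory reports six findings (one critical, two high, three medium) and blocks the pipeline; only the fully compliant `finance-reports` bucket passes. The design choice worth copying is that every predicate fails closed: an attribute the inventory does not report is treated as a violation, so a new resource type or an incomplete plan surfaces as a finding rather than silently passing the gate.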

Evergreening:

One of the key approaches used by the major cloud vendors is to iterate the development of their service offerings in line with the demands and requests of the customer base. By regularly updating and enhancing their offerings, or by providing new features that keep users coming back, cloud providers can keep their customers happy and prolong the life of their products or services.

This can create a challenge for businesses consuming cloud services. The pace of innovation and service evolution from cloud vendors is hard to keep up with. This is especially true when organisations have taken their first steps of cloud adoption and are used to a slower pace of change, measured more in years than in weeks.

You could choose to ignore the innovation, but this comes at a cost – often missing out on operational improvements, feature and function enhancements and significant cost savings. AWS has 8 different S3 storage classes that have evolved from the original S3 Standard class first released. Selecting and moving to the right tier can shift the price point from $0.023 per GB to $0.00099 per GB. Operation of NAT capability became simpler with the introduction of managed NAT services, just as the introduction of Amazon EKS removed the complexity of managing Kubernetes clusters.

Evergreening your cloud environment and keeping pace with the innovation is a smart strategy for businesses that want to get the most out of their investment in the cloud.

In this short post we've highlighted that the agility and flexibility of cloud create both its strength and its challenges. All cloud environments have a shared responsibility model, and in all cases governance and compliance sit with the consumer. Cloud governance and cloud compliance are critical aspects of the transition to the cloud, its ongoing adoption and its value. By putting in place a cloud governance framework and compliance program, you can ensure that your organisation's cloud system is safe, secure and compliant.
