Policy and Governance can be thought of as a set of statements of intent, with associated assurances of adherence.
A “Cloud Policy” is a clear statement of intent, describing the execution of specific cloud-related activities in accordance with a standard model designed to deliver some improvement of business value.
“Cloud Governance” is a set of processes, tooling or other guardrail solution that aims to control the activity as described by the Cloud Policy to promote the desired behaviour and outcomes.
Combining good Policy and Governance provides us with a mechanism to orchestrate and direct our Cloud FinOps Activity.
It’s possible to imagine a world in which good things happen naturally, without any attention or control being applied to them. In most business situations though, the right things will only happen if people are directed to do them, the actions and their outcomes are monitored and there are some (positive or negative) consequences arising from their actions.
We often talk about a ‘FinOps Culture’, which we see as a set of attitudes and behaviours oriented to driving business value from cloud technology, and we recognize that transitioning to this from a data centre culture is one of the key challenges of FinOps. Policy and Governance is how we establish and sustain a FinOps culture. In fact, it is the way in which all culture is established and sustained. Think of any organization with a recognizable ‘culture’ and you will see an effective Policy and Governance framework
So the simple answer to why Policy and Governance frameworks are important is that organizations cannot sustainably deliver business value from cloud without them.
Cloud policy and Governance are key components of successful Cloud FinOps. They work to align activities within Cloud to the business overall goals and strategies, control the deployment and usage of Cloud resources in order to maximise ROI. We are able to ensure our cloud costs are predictable and manageable, and we can use Cloud Policy & Governance to support the consistent adoption of best practices across the organisation, and support defence-in-depth against known threats and
In the early stages of cloud adoption, everything is new and everyone is a pioneer. Bit by bit the organization learns how to make the best use of cloud technology and harness it to achieve its goals. Policy & Governance is the primary mechanism for harnessing the power of cloud.
| Maturity | Description | Focus |
|---|---|---|
| Crawl | Cloud Policy & Governance exists as part of overall business policy. Policies aim to control most significant risks to business value. | Basic usage & rate optimization, etc as they apply to individual engineering teams and products. |
| Walk | Cloud Policy & Governance measures are broadened and standardized. Best practices are now being distributed and adopted across the business. | Cross-functional collaboration. Integration with existing organizational policies and standards. |
| Run | Cloud Policy & Governance is now closely integrated with overall business strategy. | All levels of business now operate in a way that is aligned with the organization’s strategy and goals. |
written for each persona responsible for the functional activity and processes encapsulated by his Capability. each one should be associated generally to one of the FinOps Phases (Inform, Optimize, Operate). for example:
As a [FinOps Persona], I will [functional activity] so that [desired outcome] is achieved.
| Measures of CP&G | Crawl | Walk | Run |
|---|---|---|---|
| Scope of CP&G | Across Engineering teams | Cross-functional, across Business, Technical & Finance teams | Across the organization, linking CP&G to strategic goals |
| Creating & Updating | Manually, ad-hoc, largely reactive policy creation | Regular review cadence, proactive FinOps policies | Ongoing automated policy compliance review, with trending |
| Documenting & Communicating | Static, manually distributed content | KMS / training integrated solutions | Integration with new architectural concepts to ensure currency |
| Monitoring for Compliance | Manual analysis & reporting | Vendor-provided automated analytics (eg. AWS Config) | Multi-cloud/enriched normalised insights & automation solution |
The 5 FACES of Good Cloud Policy & Governance:
| Headline | Description |
|---|---|
| FOCUSED | on achieving the objectives we seek |
| ALIGNED | with the organisations goals, strategy and principles |
| CLEAR | simply stated and easy for everyone to understand |
| EFFICIENT | low comparative cost of implementation vs benefit |
| SUPPORTED | by the authority required in order to enforce it |
Governance implements Policy through:
If a policy is poorly conceived or expressed, of dubious authority, too broad or general to be useful in practice, or imposes a cost on the organization that is out of proportion to its benefit, it is a bad policy.
Some examples of good policy statements might be:
Video
The Pearson FinOps team joined us to discuss the journey from crawl to run on processing the AWS Bill. They covered our journey from spreadsheets to Datalake and the intermediate steps we hit along away to reduce our bill processing time and some of the hurdles we crossed along the way.
Video
This session, sponsored by VMware (CloudHealth), covered the types of policies that can be created, motivational tactics for enforcing governance, and how to progress from governance alerting to governance automation.
Video
The answer to this FinOps problem lies somewhere at the junction of these solutions and offers trade offs between time consuming builds, maintenance costs, and core competencies of the business.
Guide
Dave Van Hoven from HERE Technologies spoke about Green (Allowed) Zone/Red (Restricted) Zone approach to buying Reserved Instances (RIs) centrally — and distributing RIs to product teams across a massive estate of over 10 million unique instances annually.
Get involved and contribute to the community by sharing your real world experiences related to this Capability in the form of a story or providing a playbook for how you have implemented best practices in your organization. Your real world experiences can be provided in the context of:
Join the conversation about this Capability in Slack . You can submit stories, how-tos and suggest improvements using one of the options for contributing here.
