Definition
Policy and Governance can be thought of as a set of statements of intent, with associated assurances of adherence.
A “Cloud Policy” is a clear statement of intent, describing the execution of specific cloud-related activities in accordance with a standard model designed to deliver some improvement of business value.
“Cloud Governance” is a set of processes, tooling or other guardrail solution that aims to control the activity as described by the Cloud Policy to promote the desired behaviour and outcomes.
Combining good Policy and Governance provides us with a mechanism to orchestrate and direct our Cloud FinOps Activity.
Maturity Assessment
WHERE ARE ORGANIZATIONS IN TERMS OF MATURITY
Crawl
34.4%Walk
51.4%Run
14.2%Organizations with cloud governance policies implemented across all their FinOps personas were in cohorts operating at Run maturity. These policies ranged from provisioning and allocation requirements to IAM role and SME ownership policies. Responses showed most organizations had adopted some formal governance policies, with the majority being in cohorts operating their cloud cost management practices at a FinOps Walk maturity
Take the State of FinOps 2024 SurveyIn the early stages of cloud adoption, everything is new and everyone is a pioneer. Bit by bit the organization learns how to make the best use of cloud technology and harness it to achieve its goals. Policy & Governance is the primary mechanism for harnessing the power of cloud.
| Maturity | Description | Focus |
|---|---|---|
| Crawl | Cloud Policy & Governance exists as part of overall business policy. Policies aim to control most significant risks to business value. | Basic usage & rate optimization, etc as they apply to individual engineering teams and products. |
| Walk | Cloud Policy & Governance measures are broadened and standardized. Best practices are now being distributed and adopted across the business. | Cross-functional collaboration. Integration with existing organizational policies and standards. |
| Run | Cloud Policy & Governance is now closely integrated with overall business strategy. | All levels of business now operate in a way that is aligned with the organization’s strategy and goals. |
Functional Activity
written for each persona responsible for the functional activity and processes encapsulated by his Capability. each one should be associated generally to one of the FinOps Phases (Inform, Optimize, Operate). for example:
As a [FinOps Persona], I will [functional activity] so that [desired outcome] is achieved.
Measure(s) of Success
| Measures of CP&G | Crawl | Walk | Run |
|---|---|---|---|
| Scope of CP&G | Across Engineering teams | Cross-functional, across Business, Technical & Finance teams | Across the organization, linking CP&G to strategic goals |
| Creating & Updating | Manually, ad-hoc, largely reactive policy creation | Regular review cadence, proactive FinOps policies | Ongoing automated policy compliance review, with trending |
| Documenting & Communicating | Static, manually distributed content | KMS / training integrated solutions | Integration with new architectural concepts to ensure currency |
| Monitoring for Compliance | Manual analysis & reporting | Vendor-provided automated analytics (eg. AWS Config) | Multi-cloud/enriched normalised insights & automation solution |
Best Practice:
The 5 FACES of Good Cloud Policy & Governance:
| Headline | Description |
|---|---|
| FOCUSED | on achieving the objectives we seek |
| ALIGNED | with the organisations goals, strategy and principles |
| CLEAR | simply stated and easy for everyone to understand |
| EFFICIENT | low comparative cost of implementation vs benefit |
| SUPPORTED | by the authority required in order to enforce it |
Inputs
Governance
Governance implements Policy through:
- Guidelines – that set out best practice for policy implementation and how it can be achieved. These are advisory, rather than mandatory
- Guardrails – formal processes and structures that define mandatory pathways for policy-compliant action, possibly with consequences for non-compliance
- Automation – processes that automate policy implementation and which therefore control how compliant actions are carried out.
Policy
If a policy is poorly conceived or expressed, of dubious authority, too broad or general to be useful in practice, or imposes a cost on the organization that is out of proportion to its benefit, it is a bad policy.
Some examples of good policy statements might be:
- “Our policy is to cover more than 80% of our optimised cloud usage with discounted pricing plans”
- “Our policy is to reduce wasted spend by decommissioning cloud resources that deliver no business value”
Cloud Provider Governance & Policy Resources
Cloud Providers Governance & Policy Tools
- AWS – AWS Control Tower, AWS Organizations, AWS License Manager, AWS Service Catalog, AWS OpsWorks
- Azure – Azure Management Groups, Azure Blueprints
- GCP – Google Cloud Console
