Governance in the cloud

One of the IT department’s less official roles has been as a gatekeeper to an organisations infrastructure. The cost and time to market constraints that are sometimes imposed by internal IT can lead to applications being cancelled and even to not being proposed in the first place. By allowing the business to side-step the IT department though, cloud computing enables departments and individuals within organisations to get new applications up and running quickly and with investment largely focussed on development.

Where internal IT is imposing unreasonable delays and costs, this is going to be great for businesses. There are some major caveats to add though. In particular, a lot of the governance and ‘red-tape’ that internal IT seems to impose is actually about protecting an organisation’s data. By checking that things like backup and recovery have been considered and planned for, IT ensures that an organisation’s data, reputation and ultimately it’s business are protected. Where those checks are bypassed, it is fair to expect that the ‘boring’ aspects of application development and deployment will not get the attention the really require. The litany of data loss horror stories never seems to abate. Cloud computing service providers may provide the tools to implement effective backups, but that won’t guarantee that developers will use them.

To be clear, the threat here is not that organisations will use cloud computing, which will be a great addition to the IT tool-box. The threat is the same as that posed by applications running on servers sitting under people’s desks; It is the same thread as that posed by data that leaks on portable drives; The threat is that broken governance can lead to no governance and that organisations will be compromised as a result.

The solution is for internal IT and their management to build cloud computing into their governance and release management models. In much the same way as for suppliers of physical infrastructure, organisations need to choose their suppliers and build standards for development and deployment . By doing this, they can ensure that all applications, whether hosted internally or in the cloud are checked to ensure compliance with data protection, availability and security requirements.

There’s something else to say here though and that’s to remember quite how much due diligence vendors of physical infrastructure are put through before purchase decisions are made. Ultimately, even an SLA isn’t really enough unless you are convinced that the organisation to which you are trusting your data is able to follow through on their promises. I wonder what the cloud services RFP equivalent of a double disk pull will be?


(Re)fragmenting the IT department

When I started in IT in the mid-1990s, many medium and even large organisations had highly fragmented IT delivery functions. At Ernst and Young in 1994, I worked in a small team delivering IT to the Yorkshire office in the North of England. At the start of the year, we were largely autonomous and able to deliver new services and applications quickly and with only local change control. By the end of the year, we were (along with everyone else in E&Y IT) being outsourced to Sema and amalgamated into a single IT department.

Likewise at the BBC, I started out in the IT team of the ‘Youth and Entertainment Features’ department in BBC Manchester (one of three support and delivery organisations in one building!). By the time I left Auntie in 2004, I had been through three sets of organisational consolidation before finally being outsourced (again!) to Siemens.

The last twenty years has seen a steady process of consolidation of IT delivery in organisations. The relentless trend has been for the centralisation of development, infrastructure delivery and support into the corporate IT department. Outside of business units with very high margins and esoteric IT needs, it has become increasingly difficult for business units to develop and deploy applications without the cooperation of the corporate IT department.

I wonder though, whether cloud service providers open up the risk (or is it an opportunity?) that business units will once again be able to develop, deploy and support new applications, independently of the corporate IT department. Where once, deploying an un-authorised app. would mean running servers under desks or stacking Lacie drives off the back of a desktop to create a private file server; business units can now employ any one of thousands of boutique consultancies or developers to knock up the apps of their dreams using the cloud to obviate the need to involve corporate IT.

Of course, corporate security and finance policy may well stand in the way but history suggests that these won’t be too great an impediment. Once more than a few apps have been deployed, we might see the re-growth of the parallel support organisations that the corporate IT department thought they’d seen the back of (or more likely – absorbed) over the last twenty years.

If that happens, there are all sorts of consequences, many of them nasty. Business units and even businesses as a whole might be willing to pay them to gain agility and bypass what many see (if unfairly) as bureaucratic impediments to business thrown up by corporate IT.

The answer for corporate IT is to make sure that it is nearly or as easy to develop and deploy new applications through them as it is through the cloud suppliers. Maybe that means using the public cloud as a support for internal systems or maybe it means developing private clouds (though some are already pouring cold water on that idea). Either way (or some other way…), it’s an interesting time to be in IT.