AWS Cloud Enterprise Strategy Blog

Increase Business Value from the Cloud with Effective Cloud Governance

Highway with Guardrails

We often advise AWS customers embarking on digital transformations to consider that cloud migration is part of digital transformation, and digital transformation must be driven by business outcomes. The effectiveness of your governance programs determines the success of your cloud migration and digital transformation. There will be an end to the cloud migration portion of your digital transformation. But your digital transformation is never over if you’re doing it right. With effective governance, you should always strive to make things more resilient, faster, less expensive, more efficient, and more secure.

AWS customers who have led successful cloud adoption programs tell us that effective cloud governance is essential to maximize benefits from their cloud investments while reducing potential risks. Effective cloud governance nurtures activities that increase revenue, expand markets, and reduce risk while enabling operational efficiencies. Some companies have not spent time identifying a cloud governance strategy during the initial stages of cloud adoption. In time, the leaders of these companies realize they are not seeing the promised benefits of cloud adoption—speed, efficiency, agility, and innovation with fewer resources and optimized costs.

In this blog, we’ll cover the challenges around implementing cloud governance, recommendations on implementing and maintaining an effective cloud governance program, and customer success stories.

Cloud governance is a set of rules, practices, and oversight that ensures cloud use is accountable to your business objectives. Cloud governance spans multiple disciplines, including security, finance, people, processes, and operations, that overlap to complete a cloud governance strategy. In addition to the security and operational topics we discuss in this post, we recommend that you review the AWS Cloud Financial Management Guide and the people perspective of the AWS Cloud Adoption Framework (CAF) to complete your comprehensive cloud governance strategy.

Top Challenges for Cloud Governance

“Governance must balance two objectives: it must control, and at the same time, it must enable,” says Mark Schwartz, Enterprise Strategist at Amazon Web Services, Author, and Former CIO of US Citizenship and Immigration Services.

Experienced executives do not dispute the value of good governance over their cloud programs. Most AWS customers we talk to have made at least partial attempts to establish governance over their cloud efforts. However, companies routinely encounter three primary challenges:

Striking the right balance: Selecting the appropriate mix of controls that will maintain the pace of innovation while protecting the company is hard. Innovative, cloud-first teams demand minimally constrained and decentralized cloud resource provisioning to accelerate innovation. Onerous workflows that require multiple approvals to request, provision, and deploy infrastructure slow down the same teams that you want to empower.

Keeping pace in a fast-changing regulatory environment: Organizations that operate across regulatory boundaries face fast-changing environments with regional variations and stringent reporting requirements. Quickly and decisively adapting the rules of your compliance mechanisms in such environments can be challenging.

Meeting agility demands to support business transitions: We see organizations often expand into new market segments through mergers and acquisitions. Some organizations improve performance in existing market segments through contractions and reorganizations. These business transitions frequently drive changes in digital strategy and require agile cloud governance practices that can adapt to these changes. Absorbing and integrating the results of organizational changes into cloud governance practices can be demanding.

We regularly meet with AWS customers resolving these challenges with intentional measures designed to modernize their governance programs. In the next section, we discuss three of the most impactful steps we recommend you consider for your organization.

Steps to Effective Cloud Governance

Iterate toward your ideal state: Identifying the right balance requires experience and learning. Amazon CEO Andy Jassy said it best: “There is no compression algorithm for experience.” Companies with industry-leading governance practices allow themselves to learn with small steps during the early stages of their cloud adoptions. They avoid trying to build a perfect set of governance controls and onerous workflows before they start their journeys. Consider starting with the most important governance priorities and iteratively test and refine your governance controls over multiple phases. For example, you may want to start by limiting your cloud use to certain geographies and use cases.

Cloud governance has a broad impact on your environment. We notice that governance practitioners trusted by their organizations test changes prior to implementation. Testing changes to cloud governance controls builds confidence within your internal teams. These trusted governance practitioners also recommend rolling out changes to cloud governance controls in phases. This will allow you to fine-tune controls for your environment and minimize adverse impacts on operational efficiency. The iterative approach allows you to build the organizational memory and expertise required to modernize your IT governance programs.

As you seek to iteratively improve your cloud governance program, visibility into the status of your cloud resources and consumption is fundamental for decision-making. Obtaining comprehensive visibility can be challenging as resources in the cloud can be ephemeral (provisioned/deprovisioned on demand) and elastic (scaled up and down based on demand). We see AWS customers gain more visibility into their cloud environments when they use governance services and products that are cloud native. Cloud-native services are built using other cloud services and are designed to deal with ephemeral and elastic cloud resources. This improved visibility allows these AWS customers to confidently select controls that reduce onerous workflows for their innovators.

AWS customers find that AWS Audit Manager (a managed service that automates the collection of evidence, monitors your compliance posture, and streamlines collaboration of audits across your teams) is beneficial in tracking the progress toward and maintaining your target state.

Accelerate governance programs with policy as code: Unlock your organization’s potential by freeing employees from manual controls and allowing them to focus on business objectives. We often use the phrase, “The only way to govern the cloud is from the cloud.” Effective cloud governance programs use code-based cloud management methods to enforce organizational policy as code when needed to customize governance controls for their respective environments. Companies with robust cloud governance programs rely on managed controls provided by a central cloud-native service and reinforce the managed controls with custom controls as code. With this approach, you can rapidly deploy preventive, proactive, detective, and responsive controls, which helps scale your governance controls across a fast-changing regulatory environment with minimal cost. With policy as code, you have the flexibility to create additional versions of controls with some variations yet maintain an overall standard. This flexibility allows you to handle distributed teams across business units and geographies and minimize potential drift from operational standards and security baselines.

Most AWS customers primarily rely on AWS Organizations and AWS Control Tower as their central service to manage and govern their AWS environments, leveraging other AWS services’ governance capabilities when appropriate. AWS Organizations provides underlying governance capabilities such as centralized access for AWS services, preventive controls, policy enforcement, resource sharing, and billing consolidation. AWS Control Tower, built on AWS Organizations, orchestrates other AWS services and provides managed controls for companies that want to leverage AWS-recommended practices for the security and orchestration of their AWS environments.

Behavox, a fintech service provider, helps enterprises protect their organizations and employees by monitoring company communications data. Needing a way to centralize its cloud operations as its business grew, the company deployed a governance solution that enhanced its security posture and delivered fast speed to market, creating a foundation to add new governance policies and controls as it grows.

Adapt and build with available resources: Cloud services, as well as business applications leveraging cloud services, evolve faster than traditional on-premises applications. Your cloud governance requirements can also vary based on your business environment, such as ongoing M&A. Many customers are drawn to the idea of a universal, cross-cloud governance solution. But in practice, AWS customers who have built customized controls on cloud-native services tend to have more effective cloud governance. This seems obvious when we consider that unified cloud governance tools must support hundreds of cloud services that are evolving at a fast pace.

Theodore Roosevelt’s famous quote, “Do what you can, with what you have, where you are,” seems to fit this situation. Companies that have established effective cloud governance identify a core service that provides the most coverage for their cloud governance needs. They then build additional capabilities important to their organization using a mix of cloud-native services and partner products.

Warner Bros. Discovery (WBD) minimized potential drift from operational standards and security baselines when going through M&A. Its case study describes reducing the time to create new environments (AWS accounts) from two months to two days with centralized deployment built on cloud-native services. WBD provides television, streaming, and gaming media on a global scale. With several M&A starting in 2018, they wanted an automated and centralized process to create new accounts and apply security policies. WBD designed a centralized account creation process to handle thousands of new accounts. As a result of its enhanced cloud governance capabilities, the company has improved deployment times, reduced time to market, and reduced costs.

Whatever your geography or industry, effective cloud governance is essential to ensure that your organization takes advantage of the opportunities presented by the cloud to achieve your desired business outcomes. The AWS customers we talk to indicate that successful cloud adoption programs are based on reducing friction for innovation through secure, efficient, and yet flexible cloud provisioning models. Many customers choose a mix of cloud-native solutions that offer managed controls and support code-based customizations. This approach allows them to iteratively enhance the security, flexibility, and efficiency of their cloud governance programs so that they can navigate the dynamic business and regulatory landscape. – Balaji & Clarke


GRC Sessions at re:Inforce 2023

Governance in the Cloud and in the Digital Age: Part One

Governance in the Cloud and in the Digital Age: Part Two

Organizing Your AWS Environment Using Multiple Accounts

AWS Control Tower Controls Reference Guide

Balaji Palanisamy

Balaji Palanisamy

Balaji joined the AWS team 8 years ago to support early cloud adopters across the globe with governance and security challenges. Since then, he has guided many large enterprises gain a secure start in the cloud with practical governance, security, and risk management solutions. He is passionate about learning and raising the bar for how companies benefit from the cloud by enabling users, partners, and customers.

Clarke Rodgers

Clarke Rodgers

Clarke is an Enterprise Security Strategist with Amazon Web Services. In this role, Clarke works with enterprise security, risk, and compliance focused executives on how AWS can strengthen their security posture and to help understand the security capabilities/possibilities of the cloud. Prior to AWS, Clarke was a CISO for the North American operations of a multinational insurance/reinsurance company where he took a strategic division all-in to AWS for security reasons, to include achieving SOC2/Type2 attestation. Clarke's 20+ year career in IT operations and security focused roles helps him align with the needs of today's enterprise customers during their cloud transformation journeys. Clarke attended the University of North Carolina and served as a United States Marine.