According to opengroup.org, the goal of governance is to make sure that all cloud-related costs are in line with business objectives and focus on promoting data integrity, fostering innovation, and minimizing the risk of data loss or regulatory non-compliance. This is accomplished by defining policies and principles to establish guidelines concerning the level of investment and control related to an organization’s cloud presence. 

Reasons to Implement Cloud Governance
The Cloud Leadership Forum describes these five reasons that governance is required in a company’s cloud environment.

1. Establishing a cloud-focused IT operating model that takes into account the cost, speed, and flexibility of cloud computing. 
2. Allowing decisions regarding the cloud environment to be made without friction between the multiple parties involved. 
3. Integrating the company’s existing IT governance policies and processes.  
4. Balancing the benefits afforded by the cloud with the potential risks and level of financial investment. 
5. Proactively anticipate and prevent unauthorized cloud activities such as the creation of Shadow Clouds.

 Specific Issues With IaaS Implementations
IaaS is often implemented using a ‘lift and shift’ methodology. In this model, applications are moved from their existing infrastructure to a set of comparable servers in the cloud. This introduces technical risks as the current architecture may not be a good fit for the cloud, and interoperability with remaining components of the IT infrastructure may be impacted. Lack of adequate controls can result in a company’s data being put at risk.

Robust policies incorporated into a cloud governance framework can help alleviate these issues by insisting on a stringent data security strategy that is line with the overall organizational mandate. Instituting boundaries that clearly define the responsibilities of the provider and the customer are critical when problems arise with the cloud infrastructure.

Compliance with regulations such as HIPPA or GDPR are primarily the responsibility of the customer. The cloud provider needs to be responsible for storing the customer’s data in a way that compliance with privacy regulations can be demonstrated. 

Security Risks Associated with IaaS
While security initiatives should be under the purview of the cloud provider, companies should not neglect this critical aspect of their infrastructure. According to zdnet.com, one of the most prevalent security issues affecting IaaS is that of rogue users. The focus of IaaS is often the management of virtual machines that can be hijacked by employees for unauthorized purposes.

The consolidation of an enterprise’s data into large files by the cloud provider to enable more efficient storage and drive down costs can be dangerous. A breach of one of these data sets can put a large volume of a company’s data at risk. Malware can potentially spread throughout a cloud data center, affecting multiple clients.

Companies considering an IaaS cloud presence need to carefully investigate the security that your provider intends to offer. Data encryption is vitally important, and the protection of encryption keys should not be left totally under the control of the provider. 

Governance and security are two facets of the cloud computing paradigm that need to be understood and applied in a methodical manner. They are key components in deploying an IaaS cloud implementation that provides the desired results while minimizing risks to an enterprise’s valuable data.