Stefan Ruckstuhl from Swisscom and Alexander Hofmann from Laux Lawyers have discussed how you can start optimising cloud projects in your company right now to get the most out of them. Read on for the main principles and step-by-step instructions.
Text: Tanja Dujic, Pictures: Swisscom
13 December 2023
Most likely, 2023 will be remembered as the year in which companies had to deal with an unprecedented amount of compliance issues. At the same time, it’s become obvious that we are only at the beginning of this journey.
That’s why now is the ideal time to establish cloud governance. Companies can only gain, especially in terms of security and control, if they give cloud infrastructures some thought at an early stage and develop a governance framework.
In a nutshell, governance involves establishing a process for controlling data. The aim of this process is to make companies more capable and dynamic. Well-established governance frameworks enable innovation rather than preventing it. When developed through internal collaboration, governance can speed up cloud projects.
Stefan Ruckstuhl from Swisscom and Alexander Hofmann from Laux Lawyers discussed how this works in practice in an expert talk. We have summarised the main principles for you here and provided step-by-step instructions.
Everyone together: the in-house legal team, the compliance and risk management departments and also the technology owners and business managers – this internal control system forms the environment in which dialogue takes place. This is already the first principle of establishing cloud governance.
"Well-organised governance enables innovation. It does not prevent it."
Stefan Ruckstuhl, Head of Product Management, Cloud & Datacenter – Swisscom
The five main principles:
Once you have brought all relevant parties together, the first step is to establish a framework of key stakeholders. Collect all requirements and make sure that legal necessities are closely matched with customer demands and technical possibilities.
The framework should ensure a lasting balance between governance, innovation and technology, enabling companies to use innovations in a sensible and risk-compliant way for their further development.
For larger organisations, it’s worth establishing cloud competence centres to serve as the lead on cloud projects and to make sure that everyone sticks with the task at hand.
But what is the best way for companies to go about this and where should they start?
Businesses can best respond to external demands when they first define what they want to get out of the cloud – in other words, their own control objectives for the cloud journey.
Another important step then happens automatically: a shift away from an opportunistic approach to a cloud-first strategy, as the companies respond proactively rather than reactively to external conditions. They act intrinsically.
When setting objectives, companies might ask themselves what outcome they are looking for, what control objective they wish to achieve. The answers may vary greatly, from zero access and increased security to compliance with the law.
One question that companies can ask themselves as part of this is whether they have a simple application (i.e. a use case) that does not use critical data. If so, it does not have to meet the same requirements as a complex case with sensitive data. Stricter conditions apply to some use cases than to others.
This differentiation is carried out once for the use cases and in the same step for the obstacles. One obstacle might be that customer data from the application must be stored in Switzerland.
Always keep this question in mind: how do I get to the cloud? In all cases, therefore, obstacles should be minimised as much as possible. Then the risk categorisation can take place, ultimately leading to a decision for or against cloud migration for the use cases in question and their obstacles.
In the fourth step, the experts recommend conducting a pilot run-through. Based on this test case, you can decide if the risk of going to the cloud is an acceptable one.
Considering aspects such as whether the risks are legal or technical will help you to make an informed decision. The run-through should allow you to form the clearest possible opinion about the test case.
If you decide against a cloud migration in this use case, at least you will be further on in your cloud strategy, as you will know what type of application is unsuitable and poses too many obstacles.
Doing nothing for fear of getting something wrong or breaking rules is not an option.
When developing a cloud governance framework, companies have to inform themselves in detail about compliance issues, adapt them to their own situation, set up new processes and implement innovations dynamically.
Use the following checklist to see if your cloud governance process is fit for purpose:
Developing a governance framework is also a process of establishing a common position: how do we get to the cloud, what do we do in it and what does not belong there? Governance serves as much more than just a legal framework that determines what can and cannot be done – it also defines the guardrails for how a company deals with challenges at the project level, such as skyrocketing costs. Governance is also useful for keeping budgets and schedules under control.
To achieve this, it is worth using governance to develop a process that has the potential to facilitate the migration of a majority of SaaS solutions to the cloud. This comes about when companies take the time and provide the resources needed to correctly establish and define the process.
Having a workable cloud governance framework as an aid means that innovation-related decisions can be made quickly. This is crucial in increasingly dynamic markets. Future success depends more than ever on speed and adaptability.
Companies should keep themselves updated on the latest developments and best practices in cloud governance. The cloud landscape is constantly evolving, and it’s important to stay informed to avoid security loopholes and ensure the most efficient use of the cloud.
Cloud governance is not a project with a clearly defined end, but an ongoing journey.
Clear regulation, permanent monitoring, collaboration and continuous training are fundamental principles that can help companies navigate cloud governance. By following these, businesses can harness the full potential of the cloud while ensuring security and compliance.
If you have questions about how best to establish your cloud governance framework, please feel free to contact our experts.