Governance guide for complex enterprises: Initial corporate policy behind the governance strategy

The following corporate policy defines the initial governance position that's the starting point for this guide. This article defines early-stage risks, initial policy statements, and early processes to enforce policy statements.


The corporate policy isn't a technical document, but it drives many technical decisions. The governance MVP described in the overview derives from this policy. Before you implement a governance MVP, your organization should develop a corporate policy based on your objectives and business risks.

Cloud governance team

The CIO recently held a meeting with the IT governance team to understand the history of the personal data and mission-critical policies and to review the effect of changing those policies. The CIO discussed the overall potential of the cloud for IT and the company.

After the meeting, two members of the IT governance team requested permission to research and support the cloud planning efforts. The director of IT governance recognized an opportunity to limit shadow IT and the need for governance. They supported this idea. So, the cloud governance team was born. Over the next several months, they inherit the cleanup of many mistakes made during exploration in the cloud from a governance perspective. This duty earns them the moniker of cloud custodians. In later iterations, this guide shows how their roles change over time.


The initial objective is to establish a foundation for governance agility. With an effective governance MVP, the governance team can stay ahead of cloud adoption and implement guardrails as the adoption plan changes.

Business risks

The company is at an early stage of cloud adoption where they're experimenting and building proofs of concept. Risks are relatively low, but future risks are likely to have a significant effect. There's not much definition around the final state of the technical solutions that are deployed to the cloud. The cloud readiness of IT employees is low. A foundation for cloud adoption helps the team safely learn and grow.

Future-proofing: There's a risk of not empowering growth but also a risk of not providing the right protections against future risks.

The board's vision for corporate and technical growth needs an agile yet robust governance approach. Failure to implement such a strategy slows technical growth, which potentially risks the current and future market share growth. The effect of such a business risk is unquestionably significant. But the role IT plays in those potential future states is unknown, which makes the risk that's associated with current IT efforts relatively high. Until more concrete plans are aligned, the business has a high tolerance for risk.

This business risk can be broken down tactically into several technical risks:

  • Well-intended corporate policies can slow transformation efforts or break critical business processes if they're not considered within a structured approval flow.
  • The application of governance to deployed assets can be difficult and costly.
  • Governance might not be properly applied across an application or workload, which creates gaps in security.
  • With many teams working in the cloud, there's a risk of inconsistency.
  • Costs might not properly align to business units, teams, or other budgetary management units.
  • The use of multiple identities to manage deployments can lead to security issues.
  • Despite current policies, there's a risk that protected data can be mistakenly deployed to the cloud.

Tolerance indicators

The current risk tolerance is high and the appetite for investing in cloud governance is low. So, the tolerance indicators act as an early warning system to trigger the investment of time and energy. If the following indicators are observed, it's wise to advance the governance strategy.

  • Cost Management discipline: Scale of deployment exceeds 1,000 assets to the cloud, or monthly spending exceeds $10,000 USD per month.
  • Identity Baseline discipline: Inclusion of applications with legacy or third-party multifactor authentication requirements.
  • Security Baseline discipline: Inclusion of protected data in defined cloud adoption plans.
  • Resource Consistency discipline: Inclusion of any mission-critical applications in defined cloud adoption plans.

Policy statements

The following policy statements establish the necessary requirements to remediate the defined risks. These policies define the functional requirements for the governance MVP. Each policy statement is represented in the implementation of the governance MVP.

Cost Management:

  • For tracking purposes, you must assign assets to an application owner within one of the core business functions.
  • When cost concerns arise, other governance requirements are established with the finance team.

Security Baseline:

  • An asset that's deployed to the cloud must have an approved data classification.
  • No assets identified with a protected level of data can be deployed to the cloud until sufficient requirements for security and governance are approved and implemented.
  • Until the minimum network security requirements can be validated and governed, cloud environments are seen as perimeter networks and should meet similar connection requirements to other datacenters or internal networks.

Resource Consistency:

  • No mission-critical workloads are deployed at this stage, so there are no SLA, performance, or BCDR requirements to govern.
  • When mission-critical workloads are deployed, other governance requirements are established with IT operations.

Identity Baseline:

  • Assets that are deployed to the cloud are controlled by using identities and roles that are approved by current governance policies.
  • All groups in the on-premises Active Directory infrastructure that have elevated privileges should be mapped to an approved RBAC role.

Deployment Acceleration:

  • Assets must be grouped and tagged according to defined grouping and tagging strategies.
  • Assets must use an approved deployment model.
  • After a governance foundation is established for a cloud provider, deployment tooling must be compatible with the tools that the governance team defines.


No budget is allocated for ongoing monitoring and enforcement of these governance policies. So, the cloud governance team has improvised ways to monitor adherence to policy statements.

  • Education: The cloud governance team invests time to educate the cloud adoption teams on the governance guides that support these policies.
  • Deployment reviews: Before you deploy an asset, the cloud governance team reviews the governance guide with the cloud adoption teams.

Next steps

This corporate policy prepares the cloud governance team to implement the governance MVP as the foundation for adoption. The next step is to implement this MVP.

Best practices explained