Posted On June 20, 2019
My friend and co-practitioner Paula Paul gave me new insight in a recent conversation: cloud sprawl is the latest in a line of erosion-of-governance antipatterns that have plagued organizations for decades.
Paula shared the story of how, in an earlier chapter of her career, she would scrounge around her then-employer for unused computers which she then fashioned into a network under her desk. She said that her intentions were noble: she wanted more compute capability without incurring an expense for her company. However, she also recognized that this created a “governance free zone” under her desk where she could build, test, and deploy applications without the encumbrance of the laborious hardware approval and acquisition process.
Fast-forward a few decades, and now many of us are provisioning AWS EC2 instances for compute needs, storing data in Dropbox, sharing artifacts through the hyper-network of applications named Google, collaborating with others using context-sensitive (and often multimedia-rich) messages in Slack, and conducting remote meetings using Zoom. All of this is in “the cloud” with nary an actual computer in sight other than our own laptops. For organizations, ensuring that employees and partners use only “approved” services is an ever-growing problem. Using cost as a penalty is already a non-deterrent: so many of the above-named services are either completely or nearly free and therefore encourage almost wanton usage. Even if employees are reluctant to ask their organization to reimburse them for cloud usage, irresponsible behavior is encouraged if the cost is the equivalent of a tall latte a week.
Cheap and ubiquitous cloud services have begotten a sprawl of previously unimagined proportions.
So what can organizations do? While there are no trivial or silver-bullet solutions, there are several things that can improve the situation.
1. Improve the quality of the supported hosted services.
If the “standard” way to provision a dev server in your organization is to create a helpdesk ticket, wait a couple of days, be asked a series of follow-up questions (“Why do you need it? How long do you expect to need it?”), and then be given 9-5 guest access to a 512-KB machine running in the data center, expect your smart employees to break these silly rules. First, make sure that the quality of services that can readily (and legally) be obtained is on par with the expectations and norms of modern computing. Before you ask people to obey the law, make sure the law isn’t an ass.
2. Improve the governance of the supported hosted services.
Why does it take two days for your organization to provision a box? And then another two days to grant someone privileged access? And (most dangerously) another two days to revoke the privileged access when they leave the project team … or the company?
Governance processes need to be as nimble and fast as the machines they are expected to create and grant access to. They also need to be continuously monitored with traceability and auditability that match any other business process. (If you can tell me your YTD sales numbers any time of the day, but cannot tell me how many EC2 instances your company is using right now, you have a problem.)
3. Make your cloud-spend (and ROI) a first-class business KPI.
Most employees can get behind organizational goals that are clearly communicated to them by management. Virtually every organization regularly shares sales/revenue targets, hiring numbers, diversity goals, marketing spend, and all manner of organizational goals with employees. Is “cloud spend and ROI” a KPI you’re sharing (or even tracking)? If not, you may want to do that.
An organization has a need and a right to expect compliance with the rules governing the usage of its resources by its people. The way to get this compliance is to ensure that governance of the people’s behavior, for the people’s benefit, by the people themselves does not perish from the organization.