by

A Cloud Data Governance Model for Office 365 Delivery

If you have ever been involved in enterprise-wide cloud or collaboration projects (specially using SharePoint) you have heard about governance every second-day. Governance is a big ticket these days to tackle in every serious IT project.

Quickly summarizing, governance is the set all processes of "governing" (as in state governments) the interaction and decision-making steps for a scenario or problem. This set of processes are then normally compiled into a piece of work that outlines how to enforce these rules in the big picture and make sure they are adhered and followed. This is a broad explanation, and because IT is so complex and vast every time someone talks about governance, it is always followed by an area and never a single-monolithic set of rules. That's why we hear about: SharePoint Governance, Cloud Access Governance and so on.

Anyway, today we will talk about cloud data governance. The need this has always been a recurring theme when we talk about data protection and compliance. With Office 365 it wouldn't be different.

Cloud data governance is important because without it, any data protection strategy you want to apply to our Office 365 enterprise compliance will be like a silo, isolated.

For starters, let's try to get a generic picture of data governance and break it down to a bit more specialized areas.

Please bear with me and allow me to start a very simple and generic Cloud Data Governance model which can be used for a classic Office 365 collaboration project. One that can be easily categorized in: Foundations and Leadership.

edge-pereira-office-365-cloud-data-governance-model

Leadership is About Structure

Leadership is about structure and the programs that drive the governance enforcement. Executive powers in this category covers what organizational management tasks are required to make sure an ongoing commitment is established and cascaded down to the peers. Data Stewards and Custodians make sure that the RACI matrix is cleared, covering the roles and responsibilities of every individual affected directly or indirectly by the governance plan is addresses.

Foundation is About Initiatives

Foundation is about initiatives that as a whole covers the basics on the compliance, authorities and risk management.

Thinks like business continuity (including disaster recovery) addresses the risk management responsibilities. When events happen which causes the data to change during its lifecycle, the information lifecycle management kicks in, making sure these audit trails are aligned with your data protection rules.
Under the foundational stones, we also can include data architecture addressing master data management; Retention management to make sure analysis tolls are fully functional and addressing data requirements updates for keeping and trashing of data; Data quality to make sure the data is healthy and in perfect quality for its usage; and as expected, Security which in our cloud case addresses data classification and confidentiality. Security can't cover much more than this because, remember we are talking about Microsoft cloud infrastructure, and most of the other aspects are taken care of by the Microsoft security team. There is only so much further we can go on it.

This graph is a quick illustration of what an average cloud data governance looks like from a helicopter view. It does not mean that it covers everything your organization needs. Likewise, it also does not mean that every single data governance control needs to be associated with data protection. The main goal here is not achieve 100% of security (which is in itself, quite a task if you ask me) but instead to minimize the gaps and the surface for attacks and breaches.

The broader you start with your cloud data governance picture the better it is, because it will be like a beacon providing guidance for big and small pieces of projects going on. And at the end of the day, project teams want to have something to aim for. The governance strategy is not static, it adapts to the needs and if something is missing, generally there is no issue, just address it in the strategy and make sure the communication plan is in place for it.