1

IBM Research

Self-Service Financial Control and Organizational Governance in Cloud

Chunqiang Tang, Chang-shing Perng, Salman Baset

IBM T.J. Watson Research Center

2 2

IBM Research

What Cloud Brings to Us? Key features of cloud

► On-demand self-service► Auto-scaling

Advantages: improve productivity and agility Risk: circumvent traditional business process around IT financial

control and organizational governance

3 3

IBM Research

Examples of Risks in Using Cloud without Governance

Example 1: A student over-spends his professor’s credit card on Cloud resources.

Example 2: A large enterprise continuously adjusts its IT budget allocation and organization structure, making it hard for frontline engineers to balance spending.

Example 3: Due to a bug in a Cloud application’s autoscaling controller, it mistakenly creates 1,000 virtual machines (VMs) instantaneously.

Example 4: An employee provisions in the Cloud a public facing VM using the company’s domain name, but it exposes inappropriate Web contents, due to either mistake or abuse.

4 4

IBM Research

Root Cause of the Governance Problems

Cloud is totally disconnected from the governance structure and process in the real world

► No reflection of the hierarchical structure of an organization

► No reflection of the complex budget flow in an organization

Cloud lives in fairyland

Corporate StructureExample: a school’s budget flow

5 5

IBM Research

Solution Overview for the Governance Problems (1/2)

Separation of governance mechanism and policy► Cloud provider builds the mechanism for governance

► Cloud user defines the governance policy through self-service

Organizational governance solution► Hierarchical account structure

► User self-service to grow or change the hierarchy

► Parent account has authority over child account

6 6

IBM Research

Solution Overview for the Governance Problems (2/2)

Financial control solution

User self-service to create, divide, and pass “credit tokens” to represent budget flows

A credit token comes with user-defined rules, and the cloud provider enforces the rules

► E.g., hourly spending < $100 AND monthly spending < $1000

Users can define monitoring rules to trigger alert on spending

account

account account account

accountaccount

account