Cloud governance 101

There’s a lot of talk about how and why to move to the cloud, and a lot of guidance to help you make the leap. But here’s a question less often addressed: What happens after you migrate your tools to the cloud?

How does a move to cloud impact your IT team’s to-do list? What should security teams be paying attention to post-migration? Who’s in charge of financial governance? And what else do you need to plan for not only before you choose cloud, but once you’re in the thick of things?

These questions all fall under the heading of cloud governance—a practice that will make or break the long-term success of your cloud transformation. 

What is cloud governance?

Cloud governance is the ongoing management of your cloud tools, vendors, and systems. It typically includes application management, vendor management, ongoing cloud cost optimization, training and support, security management, and shadow IT management.

This is often a new activity for IT teams, and it’s different than managing on-premise (on-prem) applications. Instead of managing tools and systems, you’re managing contracts, relationships, process, and costs.

Cloud governance vs. on-prem management

A move to the cloud is good news for IT teams, who save significant time (and often money) by trusting vendors with server management, security patches, upgrades, and other tool and systems work. 

As Evan Lerer, Director of Engineering at Redfin says, “Frankly, having our engineers or IT professionals manage our systems on-premise is a waste of time and money. If there’s a company that already has amazing products, why not have them do it? That way, we can spend our time working on the things that we're good at...” 

But because cloud governance is so different from on-prem management, there’s definitely a learning curve—and if you don’t plan for governance up front, it’s easy for important tasks to fall through the cracks.

Even as you remove server upgrades, load balancer purchases, and security patches from the team’s to-do list, a move to cloud adds new, equally important tasks—like cloud cost optimization and vendor management—to that list. 

Cloud governance frameworks

So, what does cloud governance include? What post-migration tasks should your teams plan for? 

The answers to these questions are found in what is typically known as your cloud governance framework—a guide to what you need to manage when you move to the cloud and how you’ll manage it. 

Companies with strong governance frameworks:

  • Understand what needs to be managed now that they’ve moved to the cloud and how (and how often) those things will need attention
  • Document their processes, strategy, and guidelines
  • Have clear roles and responsibilities set for who manages each governance task

Typically, cloud governance frameworks include plans for:


Managing cloud vendors

Some businesses manage vendors in a centralized way, with one team or person responsible for communicating with and tracking all cloud vendors across the organization. The benefit to this approach is that it’s easy to spot places where you can consolidate, integrate, or even eliminate tools. It also helps the team see where there might be gaps another tool could fill or ways tools can work together to increase productivity or collaboration.  

The downside to centralized vendor management is that it can sometimes impact flexibility and speed for individual teams, who may need to make quick decisions about upgrades, tool changes, etc.

The other common approach to cloud vendor management is a decentralized one that allows each team to manage their own vendors, budgets, and tools. The benefit here is speed and flexibility and the downside, as you might expect, is that siloed management may mean missing out on the efficiencies and cost savings a bird’s eye view can reveal. 

With either approach, vendor management typically includes: 

  • Keeping track of vendors and licenses 
  • Managing the terms of your licenses (Do you need to upgrade? If so, when? Do you need more licenses? Fewer? Is your vendor providing everything contractually promised?)
  • Keeping up with important changes, upgrades, feature retirements, etc. that need to be communicated to your teams or require any re-training
  • Managing integrations between vendors

Managing apps

With many cloud tools, teams may also be using third-party apps. These are also worth tracking both for efficiency and security’s sake, particularly when apps are not vendor-vetted. Regular app audits can help you understand:

  • Where you store data—and if that data is sufficiently secure
  • If you have apps you can consolidate to increase both system speed and team productivity (if apps are duplicating the same tasks or processes)
  • If you still need all your apps or some can be retired or replaced

User management

Another key piece of the cloud governance puzzle is user management, which includes:

  • Maintaining visibility into all users across all tools (best case scenario, you have a centralized dashboard where you can track this, but in some cases, you may be looking at multiple dashboards across vendors and tools)
  • Removing users when they leave the company or team 
  • Updating access when users are promoted or have a change in responsibilities 
  • Auditing user lists to make sure you have the right number of licenses from your vendors

Some companies deal with all user management manually, but the more you plan to scale, the smarter it is to prioritize automation. For example: if a contractor is only with your team for six months, automating the system to remove their access at the end of that period means one less thing for your administrator to manually track and possibly forget.


Cloud security and compliance

Security is one of the top benefits of moving to the cloud, with 91% of Atlassian customers saying cloud security is better than or equal to on-prem. But that doesn’t mean internal teams can just leave it to their vendors without a second thought. Governance should also keep security and compliance top of mind in new ways, including:

  • Making sure vendors and third-party apps meet your compliance requirements (both when you first sign up with a new vendor and on a regular basis as their tools and policies change and as your compliance needs may also change)
  • Auditing data management and storage for security best practices
  • Creating and managing internal policies for security (for example: password requirements, two-factor identification, training to help employees avoid phishing emails, etc.)
  • Choosing your identity authentication provider and managing integrations between that provider and your individual tools or vendors

When it comes to security, another key piece of the puzzle is understanding what your vendor guarantees and what falls on your teams’ shoulders. Here at Atlassian, for example, we handle the security of your hosting and tools. But we can’t control your internal policies, shadow IT issues, or whether or not your users share their credentials. The policies and practices around those things would be handled by your team.


Reducing/managing shadow IT

For those unfamiliar with the term, shadow IT is when people within your organization are using cloud tools that your admin or IT team doesn’t know about. These tools may or may not be secure or meet compliance standards, and they may drive up costs, which is why it’s vital to find them and bring them into your security fold.

Any cloud governance plan should include regular shadow IT audits and plans for how to assess, consolidate, and secure tools found in those audits. Here at Atlassian, we handle this through domain claiming. When a new client claims their domain (for example:, all Atlassian accounts that belong to email addresses under that domain (for example: automatically show up in your admin panel. This makes it simple to see all Atlassian tool instances across your organization and bring old fred.flintstone into the loop on processes, available upgrades, etc. even if he signed up for the tools on his own.


Cloud cost optimization

Cost-savings is yet another top reason companies move to the cloud. And if cloud cost optimization is a priority, it’s an important thing to include in your governance plan. This practice includes:

  • Understanding and tracking costs and benefits
  • Seeking out cost reductions (such as free trials or upgrades)
  • Finding ways to reduce cost while maintaining value (for example, regularly auditing licenses to get rid of inactive users or unnecessary tools)
  • Forecasting upcoming costs for planning purposes (a particularly important task for companies with rapid growth)

Process and people management

While some companies may manage the processes and tool-related responsibilities within individual teams, it also makes sense to have someone monitoring overall cloud-related processes and providing users with the support they need to get the most out of your cloud tools.

These governance practices may include:

  • Creating and managing processes around new tool requests, integration requests, or license requests
  • Creating and managing training resources for cloud tools
  • Monitoring support to understand if and when you need to increase or decrease support resources (on the vendor side or internally)

Cloud governance best practices

Understand your cloud landscape

Before you can manage security, root out shadow IT, and optimize costs, you need an understanding of the big picture of cloud within your organization. What cloud tools do you use? What integrations are in place? Are there tools teams have been asking for and don’t yet have? Are you planning a migration? If so, when and how? 

The better you understand what cloud looks like in your organization today and what you want it to look like tomorrow, the easier it is to plan for everything from cost optimization to security policies.

Set clear roles and responsibilities

If no one is responsible for shadow IT audits, they won’t get done. And the same goes for every other important cloud governance task. So, before you move to cloud, it’s important to understand who’s going to take on these tasks, how often you expect them to be tackled, and what exactly each person or team is responsible for.


Many cloud governance tasks can—and should—be automated. From retiring licenses at the end of a contractor’s contract to requiring two-factor authentication or enforcing device compliance, where possible, automate your governance for efficiency and cost savings.

Audit regularly

Understanding your cloud landscape isn’t a once-and-done task. Tools change. License needs change. And shadow IT can easily get unruly if you don’t continually pay attention. Which is why the best practice for governance is to frequently audit tools, processes, costs, etc., seeking out answers to questions like:

  • Which systems are still in use and which are outdated?
  • Are you using all your licenses? Do you need more or fewer?
  • How are you controlling and monitoring employee access and lowering risk of breach?
  • Is your cloud cost efficient? Is it scaling up and down as needed?
  • Are security best practices up-to-date with each of your vendors?
  • What compliance requirements apply today? Have there been any changes since our last audit? Are our cloud systems in compliance? If not, how do we get them there? 
  • Are there unapproved tools (shadow IT) that need to be updated, retired, or changed for security, efficiency, etc.?
  • Are configurations up-to-date? Are tools integrated effectively? Do upgrades or changes require any customization or integration work from your team? 

Cloud governance at Atlassian

At Atlassian, helping you manage cloud after migration is a priority. It’s why we built our domain claim tool to help you root out shadow IT. It’s why security and compliance are built into our products. And it’s why we offer robust, ongoing support to help teams get the most out of our tools long after you buy that original license.

For more on security and compliance at Atlassian, visit our trust center.
