Cloud Governance Glossary
Periodic review of user access for compliance requirements.
Automated creation of new cloud accounts/subscriptions with governance pre-applied.
Rules for alert thresholds, routing, and escalation.
Proof of compliance for auditors.
Access decisions determined by attributes such as tags, identity metadata, or resource properties.
A log of all actions taken on cloud resources.
Trigger-based routing of compliance or security approvals.
Standards for backup frequency, verification, and retention.
A hardened, minimum configuration profile (OS images, CIS benchmarks, network defaults) that all cloud workloads and accounts must meet before going live.
Meeting standards like CIS, NIST, ISO27001.
Pre-approved templates for building compliant cloud environments.
Spend limits for teams, services, or workloads.
Policies defining how critical business capabilities are maintained during cloud outages, including dependency mapping, continuity plans, and alignment with DR governance.
Controls governing patches, deployments, and updates.
Billing teams for their cloud usage.
Rules enforcing safe and compliant delivery pipelines.
A cross-functional team responsible for setting governance strategy and best practices.
Documented process to migrate off a cloud provider if needed.
A structured framework of policies, controls, and processes ensuring cloud environments remain secure, compliant, cost-efficient, and consistently managed.
Ensuring workloads remain portable across vendors.
How teams collaborate to manage, secure, and operate workloads in cloud environments.
The hierarchy of accounts, folders, management groups, or projects used for governance.
Ensuring equivalent security and compliance levels across providers.
Documented description of how much operational, security, and financial risk the organization is willing to accept in its cloud estate.
Formal evaluation of risks for cloud workloads or architectures, including likelihood, impact, and required controls before production approval.
Minimum security requirements for all cloud resources.
Governance over which cloud services are approved, conditionally allowed, or blocked, including standards for evaluating and onboarding new managed services (databases, AI APIs, analytics, etc.).
When configurations deviate from expected compliance baselines.
A quantified view of compliance posture across environments.
Mapping cloud controls to regulatory frameworks.
Automated remediation triggered after violations.
Assigning cloud spend to departments or projects.
Identifying unexpected or unusual spending spikes.
Policies ensuring cloud spend remains predictable and controlled.
Ensuring consistent encryption practices across environments.
Unified IAM across AWS, Azure, GCP, and private clouds.
Ensuring only authorized users can access sensitive data.
Categorizing data by sensitivity level.
Rules for secure and compliant data disposal.
Required encryption controls for data at rest and in transit.
Tracking how data moves and transforms across systems.
Policies preventing unauthorized data movement or leaks.
Rules for obfuscating sensitive data in dev/test environments.
Governance model assigning accountable “owners” and “stewards” for specific datasets, responsible for classification, access approvals, and lifecycle decisions.
Requirements governing where data must be physically stored.
Rules defining how long data must be kept.
Legal restrictions on storing or processing data across borders.
Monitoring systems that identify violations or drift.
Policies controlling RPO, RTO, backup testing, and DR readiness.
Automatically correcting configuration drift from IaC templates.
Identifying mismatches between desired and actual resource states.
Policies preventing unauthorized outbound traffic or data exfiltration.
Policies for encryption at rest, in transit, and key rotation.
Clear isolation between dev, test, staging, and production environments.
Allowed margin of failure before new changes are restricted.
Automated generation of documentation required for audits.
Process for approving deviations from governance rules.
Central log of all approved deviations from cloud policies, including owner, justification, expiry date, and compensating controls.
A discipline for managing cloud financial operations and optimizing cost.
Standardized rules for Security Groups/NSGs.
Standardized OS/application images used across workloads.
Using tooling and automation to enforce governance at scale.
A defined model covering security, access, operations, cost, compliance, and resource control.
A rule dictating how cloud resources must be configured, accessed, or maintained.
Predefined controls that restrict or guide cloud configuration.
Governance covering both on-prem and cloud environments.
Tools that detect excessive or unused permissions.
The system controlling who can access cloud resources and what actions they may perform.
Linking enterprise identity providers (AD/Okta) to cloud IAM systems.
Rules for detecting and shutting down unused resources.
Rules governing detection, response, and resolution of cloud incidents.
Policies ensuring IaC templates align with security and compliance standards.
Policies controlling external access into cloud workloads.
Rules for managing KMS/HSM keys.
Standardized set of cloud risk metrics (e.g., % public buckets, open security groups, unencrypted volumes) and thresholds used for ongoing risk monitoring.
A preconfigured cloud baseline including security, networking, IAM, and compliance guardrails.
Granting only the minimal permissions needed to perform a task.
Rules for retiring unused or outdated cloud assets.
Automated provisioning, patching, archiving, and decommissioning.
Requirements for log retention, structure, encryption, and routing.
Governance containers grouping Azure subscriptions.
Applying consistent policies across multiple cloud providers.
Rules for subnetting, routing, firewalling, and segmentation.
Mandatory isolation of workloads based on sensitivity.
Accumulated gaps in reliability, documentation, or monitoring.
Policies defining how cloud systems are monitored and maintained.
Conditions that must be met before a workload goes to production.
Daily security practices enforced across workloads.
Enterprise-wide constraints controlling resource usage or regions.
Rules and schedules for applying OS, container, and platform patches, including maintenance windows, testing requirements, and emergency patch procedures.
Writing governance and compliance rules as code for consistent enforcement.
The stages of creating, approving, enforcing, reviewing, and retiring governance policies.
Policies that stop non-compliant actions before they occur.
Securing and auditing elevated administrative access.
A responsibility matrix (Responsible, Accountable, Consulted, Informed) defining who owns, approves, and executes key governance activities across teams.
Ensuring workloads adhere to legal requirements such as GDPR, HIPAA, PCI, SOC2.
Automated workflow to fix compliance or configuration drift.
Policies for managing long-term cloud spending commitments.
How cloud resources are structured for governance.
Rules for consistent naming across environments.
Limits on resource creation to prevent misuse or waste.
Ensuring compute and storage resources match workload needs.
A catalog of known risks and their mitigation plans.
Granting access based on job roles rather than individuals.
Approved operational procedures for repeated tasks.
Rules for experimental accounts to prevent overspend or security risks.
Standards for securely handling credentials, tokens, and keys.
Policies that mandate security practices (threat modeling, SAST/DAST, dependency scanning) be integrated into CI/CD pipelines for cloud-hosted applications.
Governance defining how cloud security events are handled.
Continuous evaluation of cloud configurations for misconfigurations or vulnerabilities.
Rules for managing non-human identities used by applications.
Organization-level restrictions applied across AWS accounts.
Processes and controls for detecting, reviewing, and regularizing unsanctioned or “rogue” cloud accounts, tools, and services used outside formal governance.
Defines which security and operational tasks are managed by the cloud provider vs. the customer.
Reporting cloud costs without billing teams.
Central authentication enabling users to access cloud systems with one login.
Standardized reliability and performance targets for workloads.
Preventing deployment of untagged resources.
Required metadata (owner, cost center, environment).
Managing approved IaC modules for reuse.
Time-bound permissions reducing long-term access risks.
Policies controlling evaluation, onboarding, monitoring, and offboarding of SaaS and external cloud services that integrate with the core cloud environment.
Tracking cost per user, per request, or per workload.
Policies reducing dependency on proprietary features.
Governance for assessing and tracking risks associated with cloud and security vendors, including due diligence, SLAs, data handling, and exit terms.
Policies defining vulnerability scanning scope, severity thresholds, SLAs for remediation, and waiver/exception handling across cloud resources.
Applying zero-trust principles across cloud identity, network, and workload boundaries.