Organizations are facing unique challenges in the compliance, ownership and lifecycle of business applications, which are distributed across systems in the cloud and on-premises. Who owns an application? Which approval workflows should be performed for each application? Who decides which users get access to an application? When an application owner leaves an organization, which department or individual becomes responsible for that application next? Establishing application governance helps to answer these questions.
What is Application Governance?
Application governance is exactly what it sounds like: getting your applications under governance. One of the most important tasks is creating and managing users, groups or entitlements within an application so that only the users who need privileged access get it. Application owners oversee the management of business applications, controlling who has access to each one and how access can be requested. Business applications consist of entitlements that may span several types of target systems. With application governance, these entitlements are brought under governance by organizing them into larger, more manageable units.
Is There a Difference Between Application Governance and Cloud Application Governance?
Yes and no. First of all, every target system is a target system, plain and simple, regardless of whether it’s deployed in the cloud or on-premises. But of course, if you’re talking about cloud application governance, the word “cloud” will be used in the context to specify that you’re referencing applications that are delivered from the cloud (e.g. Azure applications).
Why is it Important?
Approximately 50% of organizations around the world find maintaining compliance challenging when managing application lifecycles. Additionally, about 34% of organizations find it difficult to prepare for and pass an application lifecycle audit. Organizations need to have a way to make their application lifecycles auditable and application governance is the answer.
Why put applications under governance?
- Provides governance with a clear separation of duties between application owners and business consumers of the application
- Allows business owners to manage the user lifecycle for each application
- Streamlines application access decisions
- Enables business managers to make decisions without IT input
- Validates compliance based on business applications
Additionally, application governance allows application owners to:
- Identify who has access to each application
- Correlate which identities are from which organization
- Determine who can request entitlements for each application
- Choose specific entitlements for certification campaigns
- Enforce segregation-of-duties rules
- Manage entitlements according to company policy
- Validate business objectives against KPIs
- Publish applications so end users can enjoy self-service access to applications
What Are Best Practices for Implementing Application Governance?
If a company has decided to implement application governance, the first action it should take is deciding and defining who is responsible for each application. This application owner, or team of owners, is responsible for that application: specifically, for who has access to it, for defining the processes to follow when allowing or denying access, and for how often a recertification should be done to ensure that only people who need access to the application have it.
Another important step for organizations to take is shifting responsibility from the IT and administration team to business-related employees. Why is that? A critical part of application governance is deciding which identities have access to which applications. No one knows the answer to that better than the employees who are actually using the applications on a day-to-day basis, and those are generally businesspeople. For example, the IT team may not be familiar with a sales application, but in order to put applications under governance, the owner of that sales application needs to know exactly which employees should have access to it. So, it only makes sense that a member of the sales or business team should be the application’s owner. They know which of their colleagues should have access to the sales application and who shouldn’t. This knowledge is key to limiting access to only those who need it to do their jobs.
After that comes compliance, to ensure there aren’t any conflicts with business standards within the application. Once that is done, you should move on to attestation and recertification and define that part of the governance module.
The last thing that you should take care of are the KPIs. Make sure you have defined KPIs that are evaluated periodically and answer questions such as: Where is my application? Who is using it? How many people are using it? Which compliance rules do my applications conflict with?
Implementation Oversights to Avoid
The biggest oversight project managers make is trying to get every aspect of application governance completed at once. For example, if a company has 100 target systems and wants to implement application governance for every application on every target system all at once, it is usually going to fail.
The better way to start is with a smaller number of systems. During the process of getting a smaller number of systems under application governance, you’ll gain a better understanding of the implementation process, and you can pass that knowledge along to other application owners. That way, every application owner will know the best way to bring their applications under governance themselves.
Another oversight commonly made is businesspeople not communicating with IT, or vice versa. If application governance responsibilities are being shifted from one team to another, that needs to be communicated, or else users trying to work with the application will be left without support. And, of course, the division of responsibilities should be discussed by both teams beforehand.
Within every organization, there can be thousands of different business applications in daily use, and getting them under governance is a challenge. By taking steps to get applications under governance, organizations gain a better handle on who owns each application and on its overall lifecycle.