Cloud Responsibility Quadrants

Fuzzy boundaries between IT and business units have created ambiguities with respect to SaaS cloud management. A simple tool to drive clarity around who-does-what is the cloud responsibility quadrants chart.


Application portfolio management is a broad discipline. It requires an enterprise-wide perspective of how the collection of business applications ebbs and flows over time. The sequencing of application lifecycles, the data flows among applications, and the complex web of application interdependencies are all heavy-lifting areas an enterprise architecture practice should be driving. That said, not all application management decisions need an enterprise architect.

Oftentimes, business units will spin up new cloud solutions as a pilot, proof of concept, or purely out of experimentation. When such applications show merit, they’re often rolled into production in a somewhat haphazard fashion. Some would refer to this as “shadow IT.” I refer to it as twenty-first century reality that simply needs to be managed in an accommodating fashion.

The fundamental question we’re trying to answer with all new clouds is simply: “who is responsible for what?” In other words, is IT going to ensure this application is secure and resilient? Is the business owner going to ensure that end-users are assigned proper roles and privileges within the app? Is the service provider going to provide adequate uptime and disaster recovery capabilities? When we fail to address such questions, we’re left with assumptions. And we all know where things go from there: duplication, security breaches, and other woes associated with unmanaged risk.

The Quadrant Approach

It may seem obvious to identify roles in cloud management, and frankly, it is. However, sometimes even the simple things are forgotten. Moreover, I assert that something as simplistic as role identification can be further simplified into a set of “canned” responsibility categories, represented by four easy-to-remember “quadrants” that can be custom-tailored to any organization.

Similar to a Cartesian coordinate plane, the cloud responsibility quadrants are numbered 1-4, starting in the upper-right quadrant and moving sequentially counterclockwise. The X-axis represents an increasing level of IT governance, where higher levels mean more prescriptive oversight. The Y-axis represents IT administration, which is essentially day-to-day care and feeding of the cloud application. These dimensions are by no means set in stone, and can be swapped out for more relevant domains as needed.

The quadrants are ordinal, in that the first quadrant starts with the heaviest of IT involvement. (Or if you prefer a different perspective, the least amount of business involvement.) With every increasing quadrant, the degree of responsibility shifts between IT and the business. The goal is not necessarily to identify a perfect “sweet spot” but rather to merely identify the current state and the roles and responsibilities of IT and the business at this point in time.

Quadrant 1: Fully Managed

Quadrant number one is the 100% IT operated domain. While business units may have some influence here, the application decisions and management are entirely within IT’s domain. As such, this quadrant will likely represent shared, enterprise-wide SaaS solutions such as content management systems, identity management solutions, or communication and collaboration tooling. This quadrant will likely house a minority share of cloud applications.

Quadrant 2: Co-Managed

The co-managed quadrant should house the vast majority of an enterprise’s cloud footprint. Here, the business units and IT agree on shared, pre-defined responsibilities. For example, IT may spearhead technical areas such as security reviews and single sign-on. On the other hand, the business will drive user administration and the feature roadmap.

Quadrant 3: Off-Grid Apps

The meaning of “off-grid” is not meant to imply the application is shrouded from IT. The incognito nature of an off-grid application shields its existence from all business units beyond the one which procured it. This is the mirror-image or inverse persona of the 100% IT-operated (fully-managed) quadrant, and similarly, should be used sparingly. Proliferation of apps within this quadrant produces redundancies and security risks.

Quadrant 4: Light Touch

Similar to the co-managed quadrant, the light-touch quadrant is a domain whereby both IT and the business have a stake in cloud application management. Yet unlike the more balanced co-managed quadrant, the light-touch quadrant has an eccentric slant toward one party. In the example above, business management is favored over IT involvement.

Everyday Usage

The quadrant approach can be even further simplified by removing the X and Y axes altogether and having simple, ordinal buckets. (E.g., “small, medium, or large IT assistance T-shirt sizes.”) What’s more important than the bucket labels themselves is what duties are assigned to those buckets.

The value in leveraging a nomenclature like cloud responsibility quadrants is that it operationalizes application management into a palatable format everyone can quickly understand. When SaaS clouds are properly managed, risks are reduced and application strategies become easier to implement. Moreover, such a practice requires hardly any effort. A twenty-minute whiteboarding session between IT and business owners can quickly yield a viable responsibility model that can be immediately operationalized.