Help Center/ Cloud Adoption Framework / Cloud Adoption Framework and Practices/ Top-Level Planning/ Landing Zone Design/ Landing Zone Reference Architecture/ Enterprise IT Governance Architecture
Updated on 2025-05-07 GMT+08:00
View PDF
Share

Enterprise IT Governance Architecture

Large companies have a wide range of businesses in different industries and regions. To support the long-term stable operations and effective management of the entire company, they usually adopt a group-based and hierarchical management model. As the business scope and scale continue to expand, subsidiaries and branches need to be established continuously. Subsidiaries establish their own subsidiaries, and large departments are gradually split into multiple small departments, leading to more and more organizational levels. The IT governance architecture of large companies is also affected by the organizational structure. The following figure shows a typical IT governance architecture of large businesses. (The figure does not list all levels and diagram elements.) The Landing Zone architecture described in this document is based on the IT governance architecture shown in the following figure. This architecture can be mapped to Huawei Cloud and run properly.

Figure 1 IT governance architecture of large businesses

In the preceding IT governance architecture, the meanings of each level are as follows:

  • Group: a corporate legal entity comprising a parent company, its subsidiaries, and affiliated members, unified by shared capital, governed by the parent company, and bound by a collective group charter as the standard framework for operations.
  • Subsidiary: a company in which a parent company holds a controlling share of ownership and exercises operational control. The parent company has the decision-making authority over all major matters of the subsidiary. Legally, the subsidiary remains an autonomous entity with separate legal personality, conducting business operations under its own authority. A subsidiary can establish its own subsidiaries or branches based on its operation and management requirements.
  • Branch: a branch operating under the authority of its parent company, and functioning as an independent entity established outside the company's primary location to conduct business activities, such as regional sales offices across provinces and cities. A branch lacks the status of an independent corporate entity, with its civil liabilities being assumed by the parent company.
  • Department: The parent company, along with its subsidiaries and branches, may establish departments tailored to operational and managerial needs, such as distinct divisions for various product lines in a software firm or functional units like R&D, production, procurement, sales, and services within an industrial manufacturing enterprise. A large department can further divide into small departments.
  • Service system: a software system designed to complete specific tasks or solve specific problems to support business processes and scenarios in an organization, such as ERP, CRM, and marketing management systems. The development, testing, and operating of service systems require certain resources, such as compute, storage, network, security, database, middleware, big data, and AI services. A large service system can contain multiple subsystems.
  • IT management system: an IT support and management system established to support the long-term secure and stable operation of service systems, such as the security operations center, IAM, and monitoring and O&M system.
  • Subsystem: a large service system or IT management system with multiple decoupled and associated subsystems, functional modules, or microservices. These subsystems collaborate with each other to implement the functions of the entire system.
  • Functional team: Members who participate in the development and O&M of the service system or IT management system are divided into different functional teams based on their responsibilities, such as the network management team, security management team, O&M management team, and application development team.
  • Member: a person who participates in the development and O&M of a service system or IT management system. A member can join multiple functional teams, but cannot join multiple departments.
  • Operating environment: The service system and IT management system are usually deployed in different operating environments, such as production, development, and test environments.

The following figure shows the hierarchy of IT governance for large enterprises.

Figure 2 Hierarchy of IT governance for large enterprises

The IT governance architecture needs to map to Huawei Cloud objects. The following figure shows the recommended mappings from the perspective of lean governance. The group maps to the master account (or management account) of Huawei Cloud. Each subsidiary, branch, or department maps to an OU. One or more service systems map to a service account (member account). Generally, all service systems of a business unit map to a service account. One or more IT management systems map to an IT management account (member account).

Subsystems can map to enterprise projects or tags on Huawei Cloud.

Functional teams map to IAM user groups, and their members map to IAM users.

Production, development, and test environments can map to different VPCs. To strictly isolate these environments, they can also map to independent IAM users. Note that you do not need to map the subsidiaries, branches, or departments that do not develop or maintain service systems or IT management systems to Huawei Cloud.

Figure 3 Enterprise IT governance architecture mapping to Huawei Cloud