Cloud computing is a dilemma for today’s CIO. The potential to cut capital expenditure and reign in operating costs is so compelling that business executives will push aggressively for cloud adoption.
Good managers, however, understand that cost savings aren’t the only variable to consider when evaluating whether to adopt cloud computing. The cloud introduces new security risks and compromises the traditional control of IT.
It is imperative that IT management establish firm control and oversight of cloud initiatives. Cloud governance, which is a logical evolution of current SOA governance strategies, offers a means to assert control over both internal and external applications and data.
It provides a unified, application-centric view of IT throughout the corporate data centre and into the cloud. Cloud governance clears the way for secure, managed and incremental cloud adoption.
But cloud governance can go badly awry by if implemented too hastily or as an afterthought. Here are 10 tips for successful cloud governance.
- Start with enforcement
In cloud environments, distributed enforcement is a more difficult and more pressing problem than asset management. Look first for a policy enforcement point that simultaneously answers both of these needs. This offers immediate standalone value, but with the ability to integrate with heavyweight registry/repositories when this need develops.
- Form factors that take you from the DMZ to the clouds
Enforcement and monitoring must scale with no functional differences, from the wiring closet to the virtual cloud. Hardware appliances will always have their place, but now so do virtual appliances that enforce policies and are capable of rapidly deploying in the cloud.
- Distributed, virtualised management
Management systems for policy enforcement, whether on site in traditional SOA or in the clouds, need to be distributable so that there is no single point of failure. These consoles manage mission-critical applications. If a local network becomes segmented or a cloud provider is inaccessible, the management components should be locally available on every enforcement point.
- The ability to maintain a central system of record for critical assets
There must be a central, authoritative system of record for assets like policies. Think of this as a library storing the laws of the land: the police reference it, but certainly not on every call.
- Loose coupling is a must between enforcement points and repository
Enforcement points must not be tightly bound to central repositories because of the latency and reliability issues in the cloud.
- The ability to author centrally, but deploy globally
Policy will move with your applications in the cloud. Localised differences (time zones, IP addresses, SLAs, etc) must be mapped automatically during provisioning. This can be challenging, as policy itself is often riddled with unanticipated dependency.
- Offer a global view of the application network
You need an application-centric management and monitoring system. It must be accommodating to the subtleties of application protocols so it can provide an actionable view of problems as they occur.
- Flexibility in policy language
The mechanics of governance always come down to complex details in security policy. It is through policy that you manage, adapt, and control all communications between services. A richly expressive policy language will give you the tools you need to manage any situation.
- Apply SOA lessons to the cloud
Think of cloud governance as evolved SOA governance. Any cloud governance solution should be as applicable to traditional SOA as it is to the cloud.
- Utilise the cloud in the solution
If a vendor is serious about the cloud, a cloud governance solution should make use of cloud services.
Of the ten suggestions listed above, policy enforcement and monitoring are particularly fundamental to SOA and cloud governance. IT can deploy a single entity—the virtual Policy Enforcement Point (PEP) —to accomplish both tasks. Policy enforcement technology for clouds can create secure, managed communications between legacy applications in the enterprise and new applications residing in the cloud.
Policy is not just a way of articulating and enforcing security requirements; it is the integration glue between systems. A rich policy language meets the demands of business and IT, offering both high-level contracts like SLAs and billing as well as low-level details like dynamic routing, failover and data transformation.
Deploying virtualised, distributed policy enforcement points in front of cloud applications allows organisations to protect and manage their services. Application-level policy enforcement gives fine-grained access control and in-depth understanding of use patterns of actual services, instead of virtual machines. Not only does this protect data and applications from unauthorised use, it ensures that the distribution of requests to virtualised application instances is properly managed.
In conclusion, governance—whether applied to the corporate, IT, SOA or cloud space—is about vision, oversight and control within a domain. Much of governance is about people working within a process; it’s behavioural, rather than a product. However, technology plays a critical role as an enablement tool to control, monitor, and adapt—the three pillars of any operational governance program—and entities considering a move to the cloud would do well to examine closely both their technology and processes in order to take advantage of the promise and avoid the peril of the cloud.