Although cloud computing is widely acknowledged as the future of enterprise computing, many companies and organisations are stalling on a move to cloud models, chiefly due to uncertainties around security, compliance and control, says Rourke McNamara, Director of Product Marketing, TIBCO Software.

Information is an organisation’s biggest strategic asset. Concerns around losing control of that information can throttle a move to the cloud. To mitigate these concerns, companies must place a high priority on governance. But what is governance in cloud computing? Does a best practice model exist for an area of enterprise technology still very much at the early stage of adoption?

Organisations contemplating a move to the cloud need to ensure that four key aspects of information management are covered by robust policies and processes: who can access the information, how these access permissions are managed, where information is stored, and how access to information and applications is tracked.

Construct a well-defined mechanism that defines security, auditing and compliance policies, and concerns regarding the cloud can be satisfied. To ensure the benefits gained from cloud computing are not compromised by governance policies, it is vital that systems controlling access, storage, rules and permissions are decoupled from the development of cloud-based services and the underlying distributed cloud infrastructure.

For example, if a new regulatory requirement needs to be enforced through a policy on an application, this should not require rewriting the application. Decoupling a policy also allows it to be applied to multiple applications or services. While design and development of the policy should be decoupled from the application, the actual enforcement should be part and parcel of the application itself, so that there is a reduced chance of breach of contract. These seemingly contradictory requirements need to be met for successful governance of the enterprise application in the cloud.

Effectively managing Service Level Agreements (SLAs)

Managing Service Level Agreements (SLAs) is an aspect of governance that will also need to be scrutinised with any transition to the cloud. It is one thing to have raw computing power at your fingertips but quite another to be able to use it to meet SLAs through peak application performance.

Businesses move enterprise applications to the cloud with the hope of leveraging the infinite computing power of the distributed world. However, visibility into how the cloud is being used to meet SLAs, whether SLAs are indeed being met and how easily the cloud can be set up to deliver on this are all requirements to consider as part of a sound governance programme. In addition to the infrastructure-level SLAs (CPU usage, memory utilisation, etc.), business-level SLAs also need to be defined.

For example, a business SLA could define a response time for an order processing application. This order processing application can in turn consist of various intertwined distributed service interactions. It is critical to be able to manage the performance of the entire application and to be application-aware, so that additional instances of services can be deployed dynamically to meet these business SLAs.

Application Lifecycle Management (ALM)

Another important aspect of any governance programme should be Application Lifecycle Management (ALM), which focuses on the entire lifecycle of an application or service, from design to development to test to deployment and maintenance.

If you include assessing and managing change impact on operations and services, ALM in the cloud involves end-to-end lifecycle management across distributed computing boundaries. This implies the need for very selective transparency of the underlying infrastructure for management of the enterprise application.

Where exactly the application resides should not be visible while considering the processes around design and development of services. On the other hand, during phases in the lifecycle such as deployment and management, it should be possible to seamlessly leverage the power of the cloud without needing to figure out which exact node or machine in the cloud the application needs to be deployed to, or what the underlying software is at the node of execution.

Establish a regulatory panel

In addition to ensuring you have the right tools in place to effectively deliver a secure, governed application in the cloud, it is recommended that companies and organisations establish a regulatory panel. This would be imperative in any organisation running a Service Orientated Architecture (SOA), even without the cloud model.

Factoring in the cloud makes the need for a regulatory panel much more important, as the parameters that affect the success of an SOA become more complex. The panel should be responsible for the success of governance, establish guidelines, principles and processes, and oversee the overall enforcement of governance.

As you can see from the above, a well-defined and managed governance programme is key for enterprises to successfully deliver applications in the cloud, and we are already seeing the development of such programmes from within the industry.

Although it may simplify the IT architectures of the companies and organisations that adopt it, a cloud computing model actually adds a level of complexity to lifecycle and operational governance that has to be considered at the start of any implementation. While governance solutions are becoming more prevalent, many still address only a few of the aspects discussed in the previous section rather than taking a holistic approach that covers all of them.

The people using applications in the cloud (developers and business, operational and administrative users) want to focus on their specific usage case without thinking about where their computing power is coming from. The cloud platform takes care of leveraging the power of the underlying distributed system but it will only do so if organisations have transparency into the underlying infrastructure and are able to put in place a governance programme that addresses the specific issues inherent in a move to a cloud computing model.

If such a programme provides comprehensive coverage of lifecycle and operational governance, and if it addresses all of the issues raised here, it can be a powerful ally in helping enterprises successfully leverage the infinite computing power of the cloud for their applications and information.