Scott Morrison, chief technology officer and chief architect of Layer 7 Technologies, outlines the steps companies should take to ensure the success of their cloud initiatives.
Cloud computing is a dilemma for today’s CIO. The temptation to cut capital expenditure and reign in operating costs is so compelling that business executives will push aggressively for cloud adoption. Good managers, however, understand that cost savings aren’t the only variable to consider when evaluating whether to adopt cloud computing. From their perspective, cloud compromises the traditional control of IT and adds considerably to an organisation’s risk profile. Fortunately, an effective programme of cloud governance can satisfy the needs of both constituents.
As a first step, it is imperative that IT management establishes firm control and oversight of all cloud initiatives. Cloud governance, which is a logical evolution of current SOA governance strategies, offers a means to assert control over both internal and external applications and data. It provides a unified, application-centric view of IT throughout the corporate data centre and into the cloud. Cloud governance clears the way for secure, managed and incremental cloud adoption.
But cloud governance can go badly awry if implemented too hastily or as an afterthought. Here are 10 tips for successful cloud governance.
1. Apply the lessons of SOA to the cloud. Extend your existing governance strategy instead of inventing a new one for the cloud. Think of cloud governance as evolved SOA governance. Your approach should build on the technology and best practices of the last decade. An effective cloud governance solution should be as applicable on-premise as it is to the cloud.
2. Understand the control trade-offs. SaaS and IaaS represent two extremes of the re-distribution of control between the enterprise and its cloud provider (PaaS lies somewhere in the middle). It is important to recognise how this change in responsibility affects an organisation’s ability to govern its applications and data. With SaaS, an organisation relinquishes nearly all traditional IT management—and with this the traditional governance control points (perimeter security, data encryption, etc). In IaaS, considerably more control resides with the enterprise (limited control over isolation using abstracted firewalls, the ability to encrypt data before storage, etc). Understanding where these new boundaries lie is an important first step in extending internal controls to the cloud.
3. Look to the hybrid cloud. Hybrid clouds—the mixed use of private cloud for primary processing and public cloud to handle burst or overflow capacity—offer a great opportunity to implement an effective governance strategy. The private component eases the transition of applications into the cloud by offering complete control over the operating environment, and the public component can be leveraged once the governance implications of individual applications are well understood.
4. Start with run time governance. In cloud environments, distributed enforcement is a more difficult and immediate problem than design time governance. Look first for a cloud-enabled policy enforcement point (PEP) solution that offers access control, monitoring, and policy management. This offers immediate standalone value, but with the ability to integrate with external registry/repositories down the road.
5. Offer a global view of the application network. In the cloud, the application, rather than the network, should become the primary focus. Adopt tools that abstract network details and provide application-centric management and monitoring. These tools must accommodate the subtleties of application protocols so they can provide an actionable view of problems as they occur.
6. Distribute management. Management systems for policy enforcement, whether on site in traditional SOA or in the cloud, need to be distributable so that there is no single point of failure. These consoles manage mission-critical applications. The management components should be locally available on every enforcement point so that they are resilient in the face of disconnection from the enterprise.
7. Maintain a central, managed system of record for critical assets. Author policy centrally, but distribute it globally. There must be a central, authoritative system of record for assets like policies. This should allow management of the entire policy lifecycle, including versioning, tagging, backup/restoration and distribution to enforcement points. Think of this as a library storing the laws of the land: the police (the enforcement points) reference it, but certainly not every time they do something.
8. Promote loose coupling and autonomy between enforcement points and the policy repository. Never let enforcement points become too tightly bound to central repositories because of the latency and reliability issues in the cloud. Enforcement points must be able to operate in the absence of direct connection with the central repository. Think of the enforcement points as remote border posts that cannot constantly be communicating back to central government for advice about every individual crossing.
9. Governance is only as good as your ability to express policy. Governance in practice always boils down to prescriptive rules in security policy. It is through policy that you manage, adapt, and control all communications between services. A richly expressive policy language—that is, the language that policy enforcement points use to determine how to process transactions—will give you the tools you need to manage any situation. Consider also that policy must be flexible enough to allow for local interpretation. Policy will move in lockstep with your applications in the cloud. Localised differences (time zones, IP addresses, SLAs, etc) must be mapped automatically during provisioning. This can be challenging, as poorly designed policy may be riddled with unanticipated dependencies.
10. Governance infrastructure should offer form factors that take you from on-premise to the cloud. Enforcement and monitoring must scale with no functional differences, from the wiring closet to the virtual cloud. Hardware appliances for governance will always have their place, but now so do virtual appliances that enforce policies and are capable of rapidly deploying in the cloud.
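Tips 7, 8 and 9 together describe one architecture: a central, versioned system of record for policy, enforcement points that keep a local copy and continue enforcing when the repository is unreachable, and site-specific values mapped in at provisioning time. The following is an added illustration of that pattern, not code from Layer 7 or the article; the repository, enforcement point, rule format and site parameters are all hypothetical.

```python
"""Added example: a loosely coupled policy enforcement point (PEP).

Hypothetical model of tips 7-9: the repository is the central system of
record for versioned policy, the PEP caches the last policy it received and
keeps enforcing from it when the repository is unreachable, and rules refer
to site parameters (here a trusted network) mapped during provisioning.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PolicyRepository:
    """Central system of record: versioned policies, possibly unreachable."""
    versions: dict = field(default_factory=dict)
    reachable: bool = True

    def publish(self, version, rules):
        self.versions[version] = rules

    def latest(self):
        if not self.reachable:
            raise ConnectionError("policy repository unreachable")
        if not self.versions:
            raise LookupError("no policy published yet")
        version = max(self.versions)
        return version, self.versions[version]


class EnforcementPoint:
    def __init__(self, repo, site):
        self.repo = repo
        self.site = site        # local parameters mapped at provisioning
        self.version = None     # last-known-good policy version
        self.rules = None

    def sync(self):
        """Pull the latest policy; on failure keep the local copy (tip 8)."""
        try:
            self.version, self.rules = self.repo.latest()
            return True
        except (ConnectionError, LookupError):
            return False

    def allow(self, client_ip, service, role):
        """Fail closed with no policy; otherwise check role and source net."""
        if self.rules is None or service not in self.rules:
            return False
        rule = self.rules[service]
        # Rule names a site parameter; the concrete network is local (tip 9).
        trusted = ipaddress.ip_network(self.site[rule["trusted_net"]])
        return (role in rule["roles"]
                and ipaddress.ip_address(client_ip) in trusted)
```

The same rule set provisioned to two sites with different `site_net` values yields different concrete access decisions without editing the central policy.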
Of the 10 suggestions listed above, policy enforcement and monitoring are particularly fundamental to SOA and cloud governance. IT can deploy a single entity—the virtual policy enforcement point—to accomplish both tasks. Policy enforcement technology for clouds can create secure, managed communications between legacy applications in the enterprise and new applications residing in the cloud. Policy is not just a way of articulating and enforcing security requirements; it is the integration glue between systems. A rich policy language meets the demands of business and IT, offering both high-level contracts like SLAs and billing as well as low-level details like dynamic routing, failover and data transformation.
Deploying virtualised, distributed policy enforcement points in front of cloud applications allows organisations to protect and manage their services. Application-level policy enforcement gives fine-grained access control and in-depth understanding of use patterns of actual services, instead of virtual machines. Not only does this protect data and applications from unauthorised use, it ensures that the distribution of requests to virtualised application instances is properly managed.
In conclusion, governance—whether applied to the corporate, IT, SOA or cloud space—is about vision, oversight and control within a domain. Much of governance is about people working within a process; it’s behavioural, rather than a product. However, technology plays a critical role as an enablement tool to control, monitor, and adapt—the three pillars of any operational governance programme—and entities considering a move to the cloud would do well to examine closely both their technology and processes in order to take advantage of the promise and avoid the peril of the cloud.
Scott Morrison is chief technology officer and chief architect at Layer 7 Technologies, providing the visionary innovation and technical direction for the company. He has extensive technical and scientific experience in a number of industries and universities, including senior architect positions at IBM. www.layer7tech.com