Prerequisites for cloud governance

Tech providers need to follow a number of rules to avoid getting lost in the cloud, says Scott Morrison

Executives will push aggressively for cloud adoption due to the compelling cost-reduction arguments. But the cloud introduces new security risks and compromises control over IT.

There must be firm control and oversight of cloud initiatives. Cloud governance, a logical evolution of current services-oriented architecture (SOA) governance, means taking more control over internal and external applications and data. Users should be able to get a unified, application-centric view of IT from the corporate datacentre into the cloud, clearing the way for secure, managed and incremental cloud migration.

Start with enforcement. In cloud environments, distributed enforcement is more difficult and pressing than in asset management. Look first for a single, suitable policy enforcement point, one that simultaneously answers both of these needs. This offers immediate standalone value and retains capability to integrate with heavyweight registries or repositories in future.

Enforcement and monitoring must scale up or down with no functional differences, from the wiring closet to the virtual cloud. Hardware appliances will always have their place, but now so do virtual appliances that enforce policies and are capable of rapid deployment in the cloud.

Management systems for policy enforcement, whether on site, in traditional SOA, or in the cloud, need to be distributable so there is no single point of failure. These consoles manage mission-critical applications. If a local network becomes segmented or a cloud provider is inaccessible, the management components should be available locally on every enforcement point.

There must be a central, authoritative system of record for assets like policies. Think of it as a library storing the laws of the land; the police can refer to it, although certainly not on every call.

You must have loose coupling between the enforcement points and the repository. Enforcement points must not be tightly bound to central repositories because of cloud latency and reliability issues.

Ensure central authorisation, but deploy it globally. Policy will move with your customers' applications into the cloud. Local differences, such as time zones, IP addresses, SLAs, and the like, must be mapped automatically during provisioning. This can be challenging, as policy itself is often riddled with unanticipated dependencies.

Offer a global view of the application network. Users need an application-centric management and monitoring system. It must accommodate the subtleties of application protocols to provide an actionable view of problems as they happen.

The mechanics of governance always come down to complex details in security policy. It is through policy that you manage, adapt, and control all communications between services. So a richly expressive policy language will facilitate the management of any situation.

Apply lessons learnt in SOA to the cloud. Think of cloud governance as evolved SOA governance. Any cloud governance solution should be as applicable to traditional SOA as it is to the cloud, in my view.

And if a vendor is serious about the cloud, a cloud governance offering should make use of cloud services.

Policy enforcement and monitoring are fundamental to SOA and cloud governance. Providers can deploy a single entity, the virtual Policy Enforcement Point (PEP), to accomplish both tasks.

Cloud policy enforcement technology can create secure, managed communications between legacy applications in the enterprise and applications in the cloud. Policy is not just a way of articulating and enforcing security requirements; it is the integration glue between systems.

A rich policy language meets the demands of business and IT, offering high-level contracts like SLAs and billing as well as low-level details like dynamic routing, failover and data transformation.

Virtualised, distributed policy enforcement points in front of cloud applications allow organisations to protect and manage their services. Application-level policy enforcement gives fine-grained access control and an in-depth understanding of actual service usage patterns, rather than of virtual machines.

Not only does this protect data and applications from unauthorised use, it ensures that the distribution of requests to virtualised application instances is properly managed.

Governance, whether applied to the corporate, IT, SOA or cloud space, is about vision, oversight and control within a domain. Much governance is about people working within a process – it is behavioural, rather than a product.

However, technology plays a critical role as an enablement tool to control, monitor, and adapt, so examine closely the customer's technology and processes.

Scott Morrison is CTO and chief architect of Layer 7 Technologies