by Derick Townsend
There’s a fundamental blind spot many organizations experience when adopting clouds. This blind spot is the failure to properly govern the people, processes and management systems that deploy applications and data to the cloud. The impact goes well beyond basic risk management, and actually extends into successful cloud adoption and realizing the full cost and agility benefits from cloud initiatives.
Cloud Risks at your Doorstep
For many business units, the desire to rush into the cloud seems irresistible, and publicly available, credit card-accessible cloud services add fuel to this fire. However, reckless on-ramping to cloud computing doesn’t sit well with corporate IT. IT managers know there are very real and dangerous consequences when data gets exposed, services go down, regulations get violated, backup plans are overlooked and a myriad of other IT safeguards get ignored. Insufficient control over who can provision a workload to the cloud, where it can be deployed, for how long and at what cost or capacity is a recipe for disaster.
Corporate IT groups often discover rogue cloud usage behavior after the fact, in part because they haven’t had the tools to proactively enforce cloud usage policies in the first place. Instead, they find out too late – after ballooning Amazon EC2 costs catch someone’s attention, or when a business unit finally approaches IT to help renegotiate a SLA – but with a cloud provider they’ve never heard of. Regardless of how corporate IT becomes aware of the problem, their typical response sets up the first common governance pitfall.
Risk Adverse Reactions to Cloud
When corporate IT begins defining the requirements for governing and managing cloud resources, they usually define the requirements too narrowly. In fact, they usually start by defining and automating cloud control systems within the context of their own IT operations personnel, and then extend existing manual management processes out to the business units.
That misses the point, however. The whole idea of cloud computing is to make IT more agile and responsive to the business, and attempts to retain manual processes with incremental automation on the backend are insufficient. Ultimately, those business units will continue to go rogue and seek more self-service and responsive external cloud services if they better meet their needs. When that happens, all you’ve done is miss your opportunity to get ahead and gain control of the cloud adoption train before it picks up more speed.
Extending Governance out to the Business Units
Instead of making this mistake, work to provide automated governance solutions that extend all the way out to the business unit. This means empowering business units with IT resources on a true self-service basis, and providing end-to-end automation to make IT as “frictionless” as possible between end users and the IT resources they’ve been entitled to receive.
It’s important to note that providing self-service access to IT resources is not the biggest challenge. There are several ways to build a self-service portal to access IT resources. The real challenge lies in marrying self-service access with appropriate levels of automated governance so you can achieve end-to-end automation with appropriate safeguards. When you successfully accomplish this, you make not just big gains in IT efficiency but also provide the speed and convenience to drive broader business unit adoption. And once the larger enterprise is using your managed and governed platform to access cloud services, you can significantly reduce the risk of rogue behavior, not to mention a wealth of other benefits including greater economies of scale and increased leverage over vendors and service providers.
Automating Governance Controls
What’s the best way to scale up and enforce cloud governance without negatively impacting end user productivity? The answer is automated policy-driven governance, which allows you to rapidly customize policies and enforce them using fine grain controls.
Unfortunately, IT organizations starting on their cloud journey often make the mistake of assuming that cloud governance requirements will remain simplistic, such as basic role-based access to services, for example: Jane Smith has the right to deploy workloads to this VMware-based private cloud.
It sounds simple and it might work fine within a trusted IT operations group. However, once you expand to the broader enterprise, your cloud governance needs get complicated very quickly due to the many-to-many relationships between workloads, user groups, deployment environments, departmental usage policies, industry regulations, geographic restrictions and so on. Eventually, you’ll have to implement policies such as this:
Developers from departmental cost
center XYZ have rights to deploy only open source-based IaaS and PaaS to internal
or external cloud environments with security zones classified as “Managed” in
clouds geographically located in the UK.
Only customizable and extensible policies will let you efficiently govern and control these complex interrelationships. These governance needs already exist in the enterprise today, and the best response to rogue behavior and the availability of public cloud alternatives is to have the appropriate policy and governance controls available to cover your bases early.
Avoiding Islands of Governance
Once you’ve captured and codified policy controls, how do you ensure consistent enforcement across different deployment environments, geographies, user groups and workload types? To start, don’t make the mistake of focusing implementation solely on a single cloud provider or cloud implementation technology. Large enterprises are going to develop diverse hybrid cloud strategies, and you don’t want to create fragmented islands of governance.
To achieve enterprise-wide consistency, you need policies integrated with a cloud management platform that supports all the various cloud service providers and underlying cloud implementation technologies used by the enterprise. Beyond the benefits of consistent policy enforcement, you’ll also want to leverage those policies to help you optimize the placement of your workloads, such as shifting workloads onto or between clouds to maximize your economic benefits and performance.
Since you may already have some virtualization and provisioning technologies in place, and your organization’s cloud services and technologies will very likely change over time, it’s important to select an integrated cloud governance and management platform that supports a broad vendor ecosystem and has a pluggable architecture to easily integrate new technologies.
Governing Across a Lifecycle
Policies don’t exist in a vacuum. They get changed, interpreted and approved by different stakeholders and fail to appear magically when developers need them. As a result, you’ll need an efficient framework to create, approve and manage these policies over time.
Policies are created and managed best in the context of a lifecycle. For example, a business analyst with expertise in HIPAA or PCI compliance may create the policies regarding data storage during an application’s planning stage. Later, business unit stakeholders with specific SLA knowledge for the application can assign performance policies during the design stage. IT operations stakeholders may create the policies regarding resource availability and monitoring when the application is deployed. As various teams such as development and QA work on the application, its configuration and deployment in the cloud is predetermined by these policies, which remain transparent to these users.
To make this work, you need a governance and management lifecycle that spans all the various cloud workload stages. This includes policy management and approval frameworks to efficiently federate governance and policy responsibilities across groups. Planning ahead to integrate policy creation and enforcement across the lifecycle of your cloud project does more than just lower risk. It also provides another time-to-market advantage beyond simple workload provisioning speed to make IT projects more responsive to changing business needs.
Think Governance Early
It’s much easier to implement cloud governance controls while enterprise adoption is in the early stages. Recognize the scope and importance of governance for cloud, and don’t allow separate islands of governance to evolve. Extend policy-driven governance all the way out to the business units, and strive for consistency across the enterprise. Be ready to design governance into your cloud initiatives early, and you’ll avoid major risks and pitfalls in the future.
Derick Townsend is the VP of Product Marketing at ServiceMesh (Santa Monica, CA). www.servicemesh.com