Wednesday, September 21, 2011

Lack of Cloud Governance: A Potentially Fatal Flaw in Enterprise Cloud Adoption


Many enterprises realize that successful cloud implementations require the adoption of new IT capabilities, such as automated workload management, self-service provisioning, cloud security, and others. Yet, many of these organizations still don’t recognize a critically important challenge they must also address to avoid it becoming a fatal flaw in their efforts to deploy business workloads into the cloud. That fatal flaw is insufficient cloud governance. Even companies experiencing good results with their virtualization management efforts rarely have a solid understanding of cloud governance. That needs to change, because cloud governance ultimately enables many of the core business benefits of cloud adoption.
It’s About Time to Market
The real value of cloud computing is achieved when it can streamline the entire enterprise software development and deployment lifecycle, and dramatically reduce time to market for software projects. The agility that cloud computing creates for IT can then be extended throughout the organization to directly benefit business users. IT will be able to respond more quickly to their needs and deliver new applications and software updates rapidly, which in turn helps them achieve their business goals faster and reduce time to market for their products and services, significantly reducing opportunity costs.
IT-intensive industries and global enterprises are full of examples where IT agility equates directly to market share, revenue growth, and profitability. Examples include traditional insurance carriers that need to quickly roll out the latest policy rate/quote functionality to their websites to avoid hemorrhaging customers to more nimble competitors with a direct sales model; or the global bank that needs to rapidly roll out customized consumer and commercial services in a new geography faster than competitors to grab market share. Regardless of the specific example, it’s clear that business units stuck with slow-moving IT organizations delivering in six- or nine-month software development lifecycles can be at a huge disadvantage.
Many organizations are starting to recognize that cloud computing can provide self-service access and on-demand deployment of IT resources to increase agility and competitiveness. However, they tend to limit their view of governing these new capabilities to the context of their traditional IT operations, which often consist of partially automated virtual machine provisioning processes along with manual processes still in place for VM configuration and approvals. They may view cloud as a relatively simple extension of these existing IT operations, and believe they are already well positioned to deliver all the significant business benefits of cloud computing to their organizations.
But as cloud computing begins to support more diverse business workloads, the complex relationships among all the stakeholders and types of projects and workloads, along with multi-layered regulatory and cost constraints, create an intricate policy maze. Trying to enforce consistent policies on this complexity with semi-manual processes or inadequate governance tools can jeopardize the benefits of cloud computing we’re seeking in the first place, including:
  • Immediate self-service access to cloud services. That is, exposing services to end users to achieve true self-service functionality, which requires automated policy enforcement to prevent unauthorized access, security breaches, and cost overruns.
  • Automatic configuration and scaling of cloud workloads up and down to meet changing demand. This requires the ability to impose policy-defined boundaries and restrictions around elastic scaling behavior to balance performance, costs, and risks.
  • Optimizing the placement of portable cloud workloads and leveraging an organization’s mix of internal private clouds and external private and public clouds. This requires the ability to restrict deployments to satisfy cost, performance, regulatory compliance, or other parameters.

Enforceable Business Policies
In addition to governing the core capabilities above, an enterprise solution for cloud governance must be unified across all possible clouds, workloads, and potential end users to deliver consistent and uniform policy enforcement across the enterprise. It must also be extensible and flexible enough to meet the needs of any particular group or department within the organization.
The scope of policy-driven cloud governance includes:
  • Security policies – This includes the ability to have pre-configured, zoned security models for different types of workloads. For example, prohibiting HR data from being stored on external public clouds.
  • Regulatory policies – This includes the ability to impose geographic constraints, such as those required by EU regulations to restrict the storage of personal information about EU citizens outside of the EU. It also includes industry-specific policies, such as the requirement that sensitive personal financial or health-related information be stored only in data centers that meet specific security requirements.
  • Organization-specific policies – This includes an unlimited number and form of specific departmental, business unit, or cost center requirements. For example, a particular cost center may need to rely exclusively on open source solutions because there is no budget allocated for licensed software alternatives. In a self-service environment, this cost center cannot be allowed to choose to have workloads moved onto a virtual machine running licensed software.
In many organizations, the demand for cloud computing is accelerating. One unfortunate consequence is that business units and departments frustrated with the slow response of corporate IT are bypassing them and accessing cloud services directly with their credit cards, resulting in dangerous ungoverned cloud usage and growth. IT organizations need to quickly get ahead of this trend before regulatory compliance and security risks catch up to them, and so they can lead the charge in delivering the full benefits of the cloud for their organization.
The Ideal Cloud Governance Solution
The only way to ensure that cloud adoption takes place with the required level of security, privacy, regulatory compliance, and cost controls is through a powerful policy-driven governance platform with the following characteristics:
  • A policy engine that is flexible enough to support the myriad conditions and attributes across the organization, and that is also easy to use for business analysts who understand the relevant business drivers for these policies and should be directly involved in cloud management and governance efforts.
  • Integration with an organization’s cloud management platform so that the policies created are directly enforceable at the level of the VMs and the workloads provisioned on them.
  • An open platform that is able to connect with other tools and platforms in the enterprise to streamline and automate required activities such as identity management, accounting/chargeback, auditing/reporting, and more.
Cloud adoption is inevitable for large enterprises, and organizations must make a choice. They can allow adoption to occur in an ungoverned environment with policies that are unenforceable—then struggle to clean up the mess after finding themselves with cost, performance, and possibly embarrassing and expensive compliance or security violations. Or, they can get ahead of the problem and immediately begin rolling out fully governed cloud-based services that deliver the agility that software developers and business users need while controlling costs and ensuring compliance.