Tuesday, August 2, 2011

Enterprise Cloud Governance: Policies and Metamodels


James Urquhart wrote a good piece for CNET yesterday, titled Regulation, Automation, and Cloud Computing. In it, James comments on a blog by Chris Hoff discussing some of the downsides to automation. Originally, Chris had pointed out that heavily automated environments don’t leave a lot of room for human intervention when things go wrong and rapid automatic response can actually lead to cascading failure when the world fails in a way that was not expected by the automation creator. James then made the point that automation also interacts with the legal and regulatory spheres. James says:
If we are changing the very configuration of our applications–including location, vendors supplying service, even security technologies applied to our requirements–how the heck are we going to assure that we don’t start breaking laws or running afoul of our compliance agreements?
 
It wouldn’t be such a big deal if we could just build the law and compliance regulations into our automated environment, but I want you to stop and think about that for a second. Not only do laws and regulations change on an almost daily basis (though any given law or regulation might change occasionally), but there are so many of them that it is difficult to know which rules to apply to which systems for any given action.
 
In fact, I long ago figured out that we will never codify into automation the laws required to keep IT systems legal and compliant. Not all of them, anyway. This is precisely because humanity has built a huge (and highly paid) professional class to test and stretch the boundaries of those same rules every day: the legal profession.
Chris is right.
James is right insofar as he identifies the problem and then says that it’s impossible to codify every single law and regulation into the automation system.
But, while we can’t codify everything, that also isn’t an argument to avoid codifying anything.
The basic problem is that with cloud, we’re no longer building control systems strictly for IT operations personnel. I believe that the whole BIG IDEA with clouds is that we can decentralize and democratize the control systems that drive IT resources. Right now, the IT department controls all IT systems. You want something done? You talk to IT. If and when IT can get around to it, you might get what you want. And ultimately, that’s a slow, inefficient way to run a railroad. There are many ideas that business units have that simply can’t be executed on because the amount of time and energy spent trying to get IT to deliver the right resources is too high. But with that slow inefficiency also comes a control point such that we can enforce enterprise governance requirements. Today, there are enough human review and approval processes in place to put the brakes on most ill-conceived ideas that would violate laws or regulations.
With cloud, however, we have the opportunity to make IT completely self-service. And that’s wonderful for creating increased business value because it means that business units no longer have to beg and plead with the IT department to execute on projects that are important to the business. Rather, the business can make use of self-service resources to do whatever they need. By cutting out the IT middleman from the daily requests, the speed of the solution delivery lifecycle (SDLC) increases, and, if the business is doing its job, so does business value creation.
The challenge with the self-service model is not technical. We can build all the automated systems to execute a self-service model fairly easily, and there are many examples. The big problem with self-service is governance.
If you’re running a large, multinational financial institution of the kind that ServiceMesh deals with every day, is it reasonable to expect every business-unit developer or mid-level manager in the USA to understand all the laws governing financial information in Germany or Hong Kong? Do users and developers in London understand the laws and regulations in Tokyo? The answer is most assuredly not. But with a single click, we could move a workload or dataset across the planet, violating the laws of multiple jurisdictions at the same time.
So, James says that it’s unreasonable to expect to codify the legal system into our automation systems. But it’s equally unreasonable to expect non-lawyers (and frankly even lawyers) to understand the legal and regulatory posture of a company across all its geographies. So, what can we do?
Do we really have to achieve 100% fidelity between automated infrastructure and a constantly changing legal structure? And if we can’t, does that mean that any attempt at control is inevitably fruitless and should not even be attempted?
I don’t believe so. The ServiceMesh Agility Platform was constructed with a very rich policy management system that goes far beyond simple user-based or role-based access control to individual resources. The Agility Platform policy management system was created to allow layering of possibly multiple conflicting policies, created by a diverse group of governance people. The policies are sorted out, prioritized, and the right things happen. The policy management system operates on a customizable meta-model which allows every high-level object type within the Agility Platform (applications, stacks, scripts, clouds, etc.) to be tagged with attributes that can then be inspected as part of policy decisions.
Thus, we can create policies as rich as something like, “Bob is allowed to deploy workload X into Cloud Y. But because X requires SSAE 16 (the follow-on to SAS 70), X can only be deployed into datacenter Z, which has SSAE 16 certification. And all network traffic to and from the workload must be encrypted. And all storage must be encrypted. And only into the non-production environment. And only on Tuesday.” And even more complex than that. Or a lot simpler than that. If you want, you can just specify that Bob is only allowed to deploy things in Cloud A and be done with it.
In short, almost anything can be expressed in the Agility Platform policy system — it’s that rich. And that’s critically important when, as James says, you’re trying to track the whims of lawyers across the world.
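The layered, attribute-based evaluation described above can be sketched in a few lines. This is an added illustration, not ServiceMesh code or the Agility Platform API; the tag names, priority numbers and the conflict rule (highest priority wins, deny wins a tie, no match means deny) are assumptions.

```python
from dataclasses import dataclass
from datetime import date

DAYS = ("Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday")

# Constructed metamodel: each object type carries attribute tags (hypothetical names).
WORKLOADS = {"X": {"requires_cert": "SSAE16"}}
DATACENTERS = {"Z": {"cloud": "Y", "certs": {"SSAE16"}},
               "W": {"cloud": "Y", "certs": set()}}

@dataclass(frozen=True)
class Policy:
    name: str
    priority: int   # assumed rule: higher priority wins, deny wins a tie
    effect: str     # "allow" or "deny"
    when: tuple     # (attribute, operator, value) triples; all must match

OPS = {"eq": lambda a, b: a == b, "ne": lambda a, b: a != b}

# Policies are data, so each governance group can edit its own layer.
POLICIES = [
    Policy("bob-deploy", 10, "allow",
           (("user", "eq", "bob"), ("workload", "eq", "X"), ("cloud", "eq", "Y"))),
    Policy("ssae16-placement", 50, "deny", (("cert_ok", "eq", False),)),
    Policy("encrypt-network", 50, "deny", (("net_encrypted", "eq", False),)),
    Policy("encrypt-storage", 50, "deny", (("storage_encrypted", "eq", False),)),
    Policy("nonprod-only", 40, "deny",
           (("workload", "eq", "X"), ("environment", "ne", "non-production"))),
    Policy("tuesday-only", 40, "deny",
           (("workload", "eq", "X"), ("weekday", "ne", "Tuesday"))),
]

def build_context(user, workload, datacenter, environment, on,
                  net_encrypted=True, storage_encrypted=True):
    """Flatten the request and the tags of the objects it touches."""
    dc = DATACENTERS[datacenter]
    needed = WORKLOADS[workload].get("requires_cert")
    return {"user": user, "workload": workload, "cloud": dc["cloud"],
            "environment": environment, "weekday": DAYS[on.weekday()],
            "net_encrypted": net_encrypted, "storage_encrypted": storage_encrypted,
            "cert_ok": needed is None or needed in dc["certs"]}

def evaluate(policies, ctx):
    """Return (decision, deciding policy); no matching policy means deny."""
    hits = [p for p in policies
            if all(OPS[op](ctx[attr], val) for attr, op, val in p.when)]
    if not hits:
        return ("deny", "default-deny")
    hits.sort(key=lambda p: (-p.priority, p.effect != "deny"))
    return (hits[0].effect, hits[0].name)

if __name__ == "__main__":
    tuesday, wednesday = date(2011, 8, 2), date(2011, 8, 3)
    for dc, env, day in [("Z", "non-production", tuesday),
                         ("W", "non-production", tuesday),
                         ("Z", "production", tuesday),
                         ("Z", "non-production", wednesday)]:
        print(dc, env, DAYS[day.weekday()],
              evaluate(POLICIES, build_context("bob", "X", dc, env, day)))
```

Each decision names the policy that produced it, which gives auditors a trail, and a new layer can be stacked by appending another Policy record without touching the evaluation code.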
It’s another matter keeping all those policies up to date, however. James points out that the laws are constantly changing. That’s one reason it would be foolish to hard-code them into the automation system itself, whether that’s a standard management system, a low-level run-book automation oriented orchestration package, or a Perl script. With the Agility Platform, we made policies stackable and easily editable by mere mortals (AKA governance and compliance personnel) with a WYSIWYG graphical editor, rather than relying on coders. This means that the job of creating and maintaining policies can be delegated and distributed to those people who are in the best position to implement them. Policies are then checked at the appropriate times by the platform, automatically.
Is this a perfect solution? No. James is right in that the problem is hard and I can’t conceive of a 100% solution. We still rely on humans to codify laws and regulations and those must be kept up to date and applied correctly. But we’re not creating a brittle, completely unmaintainable system where the policies are “baked into” our scripting. We have a system where policies are stacked and interact correctly. In short, it’s built to scale and about as clean a system as I can imagine.

Friday, July 22, 2011

Focus on Architecture First Before Moving to the Cloud

“The point of enterprise architecture is to look beyond the silos and create a blueprint for the business’ big-picture strategy.” Read more.

Friday, July 15, 2011

These guys are cool in the cloud

I just published a blog from the web site talking about a speaking op they gave at Cloud Expo NYC. Other Meshians might find it interesting, particularly if you have customer-facing roles. The blog links to the Cloud Expo presentation which was videotaped.

Blog: http://www.servicemesh.com/posts/searching-for-the-big-win/
External link to the video: http://downloads.sys-con.com/download/wc_cc11e_servicemesh

VMware price war

Folks, as some of you probably know by now, VMware changed its pricing structure for vSphere 5 earlier this week. Whether a given customer is affected or not, this would be a good time to highlight the fact that ServiceMesh Agility Platform can help customers create contestability to in turn help isolate them from some of these changes. The cloud market (whatever that means) has a lot of evolution to go through and more of these shocks are certainly going to happen in the future. Agility Platform customers, while not totally immune to anything, will certainly be able to weather the storms better than those who bought into all-VMware or all-any-other-large-vendor solutions.

I just drafted a blog to describe some of the strategic thinking here and highlight this. Feel free to call your customer's attention to this:
http://www.servicemesh.com/posts/word-of-the-day-contestability

Friday, July 8, 2011

7 Self-Inflicted Wounds Of Cloud Computing

Don't let poor planning and half-hearted decisions doom your promising cloud projects.

By Charles Babcock InformationWeek
July 06, 2011 01:30 PM

Anthony Skipper at ServiceMesh assembled a comprehensive list of the common holes in companies' approach to cloud computing for his presentation at Cloud Expo in New York in June.
Skipper is VP of infrastructure and security at ServiceMesh, a supplier of IT service management and lifecycle governance. His presentation was titled, "Cloud Scar Tissue: Real World Implementation Lessons Learned From Early Adopters." It was also cited by cloud blogger Andrew Chapman.
Read more of the story here:

Saturday, June 11, 2011

“What planning is needed for initial cloud projects?” – Q&A from the Trenches Series

Organizations typically conduct a lot of research on cloud providers and enabling technologies before making the decision to embark on their first cloud project. However, sometimes this extensive research and vendor selection effort gets confused with the actual project planning required for success of that initial cloud project.
After the decision is made to move forward with a cloud initiative, sometimes the urge to get our “stuff” on the cloud quickly is hard to resist. There hasn’t been a time in recent memory with more opportunity for IT but, with great opportunity comes great risk! We’ve all heard the saying that goes something like “automate a bad process and make bad stuff happen more quickly”. Cloud brings a myriad set of options for improving how your enterprise utilizes IT and executes its business objectives, but implementing it without sufficient upfront planning can bring serious risk and bring it very quickly.
Some of the biggest gaps I see in cloud project planning occur in the areas of Security, Policy and Governance. These are important considerations everyone should include in the review and planning portion of any project, before moving applications and workloads on to a cloud.
First let me say that I’m not an expert in security, policy or governance. If I have to be classified as an expert, it’s on the ownership and management characteristics of IT infrastructure. So, I’m not going to give you a detailed technical strategy for implementing your security or policy framework. Rather I’m going to focus on the planning and “ownership” point of view, both of which encompass having a clear set of goals and objectives for its implementation, management, and lifecycle.
Security: Planning here should include a well understood set of security requirements and usage characteristics for the project:
Who uses it?
Where and how will data be stored, shared, backed up, etc.?
Who will be supporting it?
What are the individual roles required?
Will it be a private cloud, hybrid cloud, or public cloud?
What are the characteristics of the network?
What experience does your internal network team have with cloud or highly virtualized environments? What are the current skill gaps & where can you get help?
What tools do you already have? Have you compared them against newer products/services on the market that are focused on security in a cloud?
Do your tools allow for automated policy enforcement on new instances?
What type of reporting and auditing will you have?
What about identity management? Is it integrated with your cloud management platform?
What are the partner requirements? Do you have the right partners, with appropriate experience? Should you audit current and proposed service providers? Have you evaluated team skills to identify gaps and training opportunities?
Where and how has security been factored in to your business continuity planning? Security, like an earthquake or a hardware failure, can be a threat to your availability. As such, your security strategy should match enterprise objectives for availability.
Governance and Policy: This includes governing how an instance is created, why it’s created, by whom, and under what restrictions it operates.
Governance and approval work flows should be well understood.
Document and enforce regulations/restrictions regarding data availability, storage location, and performance.
Establish a governance lifecycle that includes the creation and enforcement of policies for cloud workloads as they are planned, built, shared, and deployed.
Where will your instances reside and under what context or situations will they be put there or moved?
What are the performance criteria to determine right placement of workloads?
Define role-based access to assets and environments.
Ensure that automated approaches to scale, distribution and shutdown encompass enterprise policy controls.
What are the guidelines for allowing scale? How is scale approved?
How are Business Critical priorities mapped against threshold limitations?
Change management strategy.
Roles and ownership
Who’s responsible for the delivery of cloud services?
Who’s responsible for the cloud environment?
Are all the roles well defined?
Many times, the most valuable time spent on a project is the time spent during planning. Moving to cloud is no different. Make your move in a well-planned and controlled fashion so you can more rapidly benefit from new services, while not putting your team or the enterprise at risk.

Wednesday, June 8, 2011

Live From NY it's Cloud Expo 2011!

WOW, sorry folks, I have not kept this site up and running properly. I thought everything was feeding, and wow, what a surprise I got yesterday when I was told it was not... bad me, I am sorry.

Well, Cloud Expo 2011 is at the big J in NY. Great time seeing everyone and looking forward to day 3 today. See you there for @andimann at 9am and @servicemesh at 135 for sure; the rest of the time I will be speaking, meeting and taking in all the information I can to assist you, the buyers...


After a jam-packed Cloud Tuesday here in New York, Cloud Wednesday now begins!

Cloud Expo New York presents just as full a program today as it did yesterday, perhaps even more so. Which is why I'm sending you this note to encourage you to plan your choices carefully amid the myriad sessions and activities going on on Day Three.

Welcome too to all those who are at the Javits to enjoy the RightScale User Conference, which is also in full swing all day today.

Registration to the Largest Cloud Computing Event in the World, and to the User Conference, is open from 7:00AM here at the Javits, at the North side of the building. Come early and avoid those inevitable last-minute lines!
8:15AM

We begin with a round of technical sessions this morning, so you have a choice from seven different sessions across seven different tracks. There is also our signature Cloud Computing Bootcamp, led by our 2011 Bootcamp Instructor Larry Carvalho. (Bootcamp is located in the large room under the escalator, as it were - 1A03.)


9:05AM

In the main keynote room, join the ever-popular Andi Mann, of CA Technologies, for a General Session in which he will be advocating that you "Follow YOUR Path to Cloud Computing" - Should you take an evolutionary path and transform your existing IT environment to a cloud of service computing…or do you jump to the “head of the cloud”, and revolutionize your approach with a comprehensive cloud solution…or both?


9:45AM

Abiquo CEO Pete Malcolm then gives today's Morning Keynote. His theme: "Ops or Apps - Who Will Own the Data Center of Tomorrow?" - Until recently, he will be telling us, Apps have been at the mercy of IT Operations to feed their need. However, with the advent of public cloud offerings, Apps can bypass Ops entirely and get the resources they need with just a few clicks and a credit card. So what's next?


10:30AM

Our booming Expo Floor opens, along with the Demo Theater, SYS-CON.TV live interviews, and the largest collection of Cloud solutions and services providers ever yet gathered in one place at one time. Enjoy!

11:45AM

John Engates, CTO of Rackspace, puts open source in the spotlight when he gives a General Session in the main keynote room on "The Inevitability of an Open Cloud"

12:30PM

For our full Conference Golden Pass holders, Luncheon is Served! Cloud Expo luncheons are legendary - pace yourself, there is a lot of food! :)
 Show Daily Sponsored By:
Wednesday,  June 8, 2:30 PM  RightScale User Conference, Multi-Cloud Track

Enterprise-Ready Private and Hybrid Cloud Computing Today, Dr. Rich Wolski - Founder and CTO, Eucalyptus

Learn about the use of Eucalyptus, Amazon Web Services,  and the RightScale Cloud Management Platform to build enterprise-grade hybrid cloud computing environments while effectively automating and managing this ensemble of technologies.
12:45PM

For those who like fast-moving content with the lunch we have a CEO Power Panel in the main keynote room. The question to be discussed, by some of the sharpest minds in the industry (if you ignore me for a moment, hehe!): "Enterprise-Level Cloud Computing: Far-Off Dream or Present Reality?"

1:35PM

In the first post-lunch General Session, Dave Roberts from ServiceMesh will be outlining what he calls "The Big Win" - put another way, he'll be telling delegates to "Stop Playing Small-Ball with Your Cloud Strategy." He'll offer some great perspectives on how leading enterprise cloud adopters are swinging for the fences and running up the score.

2:25PM-4:00PM  Technical Breakout Sessions

Again, remember, technical sessions will be taking place simultaneously on all seven tracks, with some great sessions to choose from - you will receive a handy Daily Schedule as you register.

4:00PM  EXPO FLOOR RE-OPENS
- complete with afternoon snack break!

5:35 PM

The final two rounds of technical breakout sessions round off the day. As ever at CloudExpo, there are great sessions right up to the last minute.

Enjoy Day Three of the show. Remember to tag it as #CloudExpo in your tweets. Enjoy your "Cloud Wednesday" in scorching hot New York City!

Jeremy Geelan
Conference Chair