As enterprises move from using cloud services for Infrastructure as a Service to more business-critical uses involving core platforms and applications, enforcing governance in a holistic way becomes vital to risk management and the confidence of end-user organizations. Because applications sit at the top of the IT value stack, and more often than not are the face of IT to the business, ensuring appropriate governance at this level requires consideration of not just IT infrastructure but the broader context and environment of the application itself.
Providers should be concerned about users' unanswered questions on cloud governance, as they can significantly impact cloud adoption. Therefore, it's important to discuss a few best practices for converting an organization's rules and rights for usage of IT resources into cloud governance policies. This includes how providers can help customers ensure that cloud resources are properly accessed, provisioned, secured, operated and monitored to guarantee security and compliance.
Although this guidance is applicable to enterprises establishing their private clouds, cloud providers offering external services and hybrid cloud implementations also have a role here in providing a platform that enables customers to dictate these levels of control.
Convert rules and rights into application-centric policies
However simple the underlying IT infrastructure, deploying and managing applications and platforms requires a broad range of policies focused on specific applications. An enterprise-grade cloud governance model should be implemented with the following policy types:
- User/group access: Control access to cloud services, including role-based access controls and federated identity management.
- Asset entitlement: Limit user access to specific assets types, such as stacks, scripts, templates and topologies.
- Deployment: Limit deployment of workloads and data to authorized environments based on a wide range of policies (PCI, HIPAA, localization policies, geographic constraints and other governance and security mandates).
- Orchestration: Apply multiple layers of policies across assets and services in order to enforce configuration management standards and Standard Operating Environments (SOEs).
- Service-level agreement: Dynamically scale up and scale down application and platform topologies based on compound auto-scaling rules and performance threshholds.
- Security: Enforce security zone compliance through policies that orchestrate host- and hypervisor-based firewalls, antivirus software, host intrusion detection systems (HIDS), virtual networking, data encryption and other security tools.
- Lifecycle event: Enforce policies at various lifecycle events, such as startup, shutdown and system development life cycle (SDLC) code promotion.
- Backup and failover: Enforce high availability and disaster recovery policies.
- Resource constraint: Limit the maximum number of instances deployed.
- Lease and scheduling: Limit the duration and scheduling of instances deployed.
- Chargeback/metering: Limit resource consumption and meter consumption based on customizable pricing models.
- Dynamic policies: Monitor event streams from workloads and third-party systems and perform compound event correlations to execute predefined policies and actions when threshholds are exceeded.
Ensure cloud governance policies remain in sync with diverse, changing requirements
Let's face it: Corporate governance can be capricious. New regulatory requirements, changing internal standards, entry into new markets or geographies, and other marketplace shifts force frequent changes that make governing cloud tricky. An extensible policy framework that allows IT to rapidly customize policies to address a broad range of current and future business needs is essential. The ability to create and enforce an unlimited range of custom policies is possible through a policy engine with an extensible meta model. This will allow the customer or provider to create new attributes that policies can reference to make decisions. For example, new meta model extensions could include the definition of a new security zone that would be enforced across a class of cloud workloads through their deployment policies. Such a definition would ensure that the workloads adhere to the regulatory constraint.
Cloud-based IT operating models are a fresh, transformative approach to delivering IT services for most customers. As a result, the power and range of capabilities that cloud governance controls provide can be difficult to grasp. In general, the overriding theme of cloud governance policies is to provide self-service, on-demand access to IT resources directly to the end users that need them and allow those IT resources to respond automatically to changes in demand or their environment. Governance policies can be collaboratively developed not only by different stakeholders within an enterprise, but also by cloud service providers to govern and control consumption of their own IT resources.
Here are a few policy-based governance scenarios to better illustrate the usefulness of these policies.
- Enforce provisioning constraint policies for diverse teams, projects and workloads. For example, the marketing project is approved to deploy in the Amazon EC2 public cloud, but the German development team must only deploy to localized European Union-based clouds and the payment-processing team can only deploy to PCI-compliant clouds.
- Enforce IT resource limits on project teams or individuals based on instance lease, schedule or quantity. For instance, an employee on the application-development team could be limited to a maximum of two instances in the private cloud. Maybe Hadoop projects can only be deployed between 7 p.m. and 5 a.m. on weekdays. Perhaps the outsourced user-interface (UI) team only gets a 90-day lease in Amazon EC2 for all their instances, after which they are automatically decommissioned.
- Enforce dynamic policies that respond to intrusion attempts and/or compromised instances. For example, an event correlation could consist of 1) a host intrusion detection system sending an alert of type "critical" for instances in a public cloud, combined with 2) a high outbound traffic threshold which is exceeded and 3) high CPU utilization rate, which results in a policy that releases the instance and redeploys a new one automatically in a secure private cloud.
Cloud adoption is accelerating, and many organizations are looking to get ahead of the governance challenge. Customers are looking to rapidly roll out fully governed portfolios of cloud-based services that deliver the agility software developers and business users need while controlling costs and ensuring compliance. Enterprises require an extensible, policy-driven control point for cloud governance that is capable of enforcing an unlimited range of custom policies to address changing business needs. With the right cloud management platform, providers can offer a much-needed control point for governance, compliance and security across private and public cloud initiatives and help transition IT to a cloud-based operating model.
About the author:
Derick Townsend is vice president of product marketing for ServiceMesh, which sells a cloud-based management platform for governance, orchestration, security and lifecycle management of enterprise cloud platforms and applications. The company is based in Santa Monica, Calif.
With nearly 20 years of experience across a wide range of high tech products and services, Townsend previously led marketing for several enterprise software startups, including iTKO (acquired by CA Technologies) and Webify (acquired by IBM). While at IBM, he was responsible for business process management marketing and messaging across IBM's software group. He also held key sales, marketing and technical roles in other companies, including United Technologies, Sterling Information Group, Momentum SI and HotLink Inc., which he also co-founded. Townsend holds a master of business administration degree from the University of Texas at Austin and an engineering degree from the University of Arizona.