6 Comments

Summary:

The high-profile success of services such as Salesforce.com and Amazon Web Services has led many businesses to undertake cloud computing initiatives. Moving to “the cloud,” however, entails a variety of security, management and compliance risks that corporate executives may be unwilling to assume without having the […]

structure_speaker_series The high-profile success of services such as Salesforce.com and Amazon Web Services has led many businesses to undertake cloud computing initiatives. Moving to “the cloud,” however, entails a variety of security, management and compliance risks that corporate executives may be unwilling to assume without having the proper governance mechanisms in place.

When applications and data move out of established corporate locations, they become vulnerable to disclosure, loss or modification. Additionally, the very act of moving sensitive data outside enterprise walls may trigger mandates related to privacy and data integrity that govern the corporation. It is imperative that companies start any cloud initiative with a governance program that ensures the organization will be able to maintain visibility and control of its application assets at all times, regardless of where they may reside. Fortunately, enterprises do not need to reinvent the governance wheel.

It is possible to build cloud governance consistent with the model that has been developed in recent years for the process of governing service-oriented architectures (SOAs). Cloud is simply a deployment and operational model that happens to be very well-suited to host the application services created under an SOA initiative. Cloud governance is the logical heir to SOA governance — it inherits many of the same qualities, but the priorities are a bit different.

In most SOA governance scenarios, management of assets is the first order problem, with enforcement and monitoring coming next. Existing processes and security technologies have often been good enough to manage simple scenarios in traditional, on-premises SOA. In contrast, operating in the cloud entails unique requirements with respect to process and policy.

These demands include the complexity of vendor contracts, expectations surrounding service-level agreements (SLAs), and the increasingly complex regulatory environment. Consequently, cloud governance demands that organizations begin by addressing policy enforcement and monitoring.

Governance — whether corporate, SOA or cloud — is not about technology. It’s about vision, oversight and control within a domain. Before a single application service is deployed into the cloud, organizations would be well-advised to have a governance program in place that ensures assets are managed throughout their lifecycle, services are constantly monitored, and policies are always enforced in accordance with corporate objectives.


Scott
K. Scott Morrison is chief architect of Layer 7 Technologies.

You’re subscribed! If you like, you can update your settings

  1. jasonspalace Monday, May 25, 2009

    i believe ensuring pci compliance should be a must in cloud computing of sensitive data. the minds of technology and governance creators must converge.

  2. Rodrigo Flores Monday, May 25, 2009

    Scott,

    I’m with you that governance is a big topic for cloud computing. It extends beyond SOA. Questions such as:
    * When should an app be on the cloud?
    * How do control requests for services and decide where they best run?
    * What SLA’s do we offer to application teams?
    * What cost structures do we charge back?
    * What are our standards and how do we enforce them?

    The cloud, like any other meaningful infrastructure, needs to be supported by a new set of processes and tools in order to gain mainstream enterprise acceptance.

    Regards,

    Rodrigo Flores, CTO
    newScale, Inc.
    http:/www.cloudfrontoffice.com (blog)

  3. David Deans @ BTR Tuesday, May 26, 2009

    Scott, perhaps the security, management and compliance risk that you describe has been addressed by those organizations that have already embraced the managed and hosted services model — in some cases, as long as two decades ago when they were early-adopters.

    While some CIOs apply a comprehensive ITIL methodology that they follow, others have a different approach — but it’s equally capable of providing appropriate governance over the procurement, implementation and ongoing consumption of these secure services.

    Moreover, depending on how risk-adverse an organization is, or the nature of the activity they intend to out-task, there’s a variety of suitable cloud service options to consider. Forrester Research defines three common scenarios, more details here http://bit.ly/1a2M2S

    David Deans
    Business Technology Roundtable

  4. Bernard Manouvrier Friday, May 29, 2009

    I fully agree with Scott’s advice. Moving applications to the cloud raises security, management and compliance issues, and the only way to face them efficiently is to have a very strong governance program addressing policy enforcement and monitoring. Extending SOA governance to the cloud could be the right way. But first, I would like to emphasize, as Scott mentioned, that governance is not a matter of technology—technology can only help make governance efficient. And secondly, when companies have in place a poor (or even a non-existant) governance program inside their boundaries, as is too often the case, how could they intend to move some of their applications to the cloud? I would just tell them to follow Scott’s advice.

    Bernard Manouvrier
    Chief Architect
    Axway

  5. Cloud is simply a deployment and operational model « Service Oriented Architecture School Saturday, May 30, 2009

    [...] 30, 2009 · No Comments SOA Governance Determines Success in the Cloud GigaOm – San Francisco,CA,USA Cloud is simply [...]

  6. You Say You Want a Cloud Revolution Saturday, June 6, 2009

    [...] governance and compliance are probably the most prominent examples, as detailed here, although that is changing [...]

Comments have been disabled for this post