The high-profile success of services such as Salesforce.com and Amazon Web Services has led many businesses to undertake cloud computing initiatives. Moving to “the cloud,” however, entails a variety of security, management and compliance risks that corporate executives may be unwilling to assume without having the proper governance mechanisms in place.
When applications and data move out of established corporate locations, they become vulnerable to disclosure, loss or modification. Additionally, the very act of moving sensitive data outside enterprise walls may trigger mandates related to privacy and data integrity that govern the corporation. It is imperative that companies start any cloud initiative with a governance program that ensures the organization will be able to maintain visibility and control of its application assets at all times, regardless of where they may reside. Fortunately, enterprises do not need to reinvent the governance wheel.
It is possible to build cloud governance consistent with the model that has been developed in recent years for the process of governing service-oriented architectures (SOAs). Cloud is simply a deployment and operational model that happens to be very well-suited to host the application services created under an SOA initiative. Cloud governance is the logical heir to SOA governance — it inherits many of the same qualities, but the priorities are a bit different.
In most SOA governance scenarios, management of assets is the first-order problem, with enforcement and monitoring coming next. Existing processes and security technologies have often been good enough to manage simple scenarios in traditional, on-premises SOA. In contrast, operating in the cloud entails unique requirements with respect to process and policy.
These demands include the complexity of vendor contracts, expectations surrounding service-level agreements (SLAs), and the increasingly complex regulatory environment. Consequently, cloud governance demands that organizations begin by addressing policy enforcement and monitoring.
Governance — whether corporate, SOA or cloud — is not about technology. It’s about vision, oversight and control within a domain. Before a single application service is deployed into the cloud, organizations would be well-advised to have a governance program in place that ensures assets are managed throughout their lifecycle, services are constantly monitored, and policies are always enforced in accordance with corporate objectives.
K. Scott Morrison is chief architect of Layer 7 Technologies.