Steer Safely into the Clouds by Layer7Tech

VIEWS: 38 PAGES: 15

									Steer Safely into the Clouds
Why you must have Cloud Governance before you move your apps




                            Layer 7 Technologies

                White Paper
Steer Safely into the Clouds: Why You Must Have SOA Governance Before You Move Your Apps


Contents

Introduction .................................................................................................................................................. 3
Cloud is Inevitable ......................................................................................................................................... 3
   The Cloud Enablers ................................................................................................................................... 4
       Quick In/Quick Out................................................................................................................................ 4

       The Disruptive Grassroots Revolution .................................................................................................. 4

   Cloud Control ............................................................................................................................................ 5
   SOA in Clouds ............................................................................................................................................ 5
   Governance in SOA Forecasts Governance in the Cloud .......................................................................... 5
Cloud Governance Makes Clouds Safe ......................................................................................................... 6
   What is Cloud Governance?...................................................................................................................... 6
   How Does Cloud Governance Help Me? ................................................................................................... 7
       Policy Enforcement on Outgoing Traffic ............................................................................................... 8

       Policy Enforcement on Incoming Traffic ............................................................................................... 8

       Policy Enforcement on Cloud Services .................................................................................................. 9

   Ten Things to Look For in a Cloud Governance Solution .......................................................................... 9
Conclusions ................................................................................................................................................. 10
Appendix A - A Methodology for Cloud Governance.................................................................................. 11
   Cloud Evaluation Phase ........................................................................................................................... 11
   Cloud Governance Definition Phase ....................................................................................................... 11
   Cloud Governance Execution Phase ....................................................................................................... 13
   Operational and Review Phase ............................................................................................................... 14
About Layer 7 Technologies ........................................................................................................................ 15
Contact Layer 7 Technologies ..................................................................................................................... 15
Legal Information ........................................................................................................................................ 15




            Copyright © 2010 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
            trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.                                2
Steer Safely into the Clouds: Why You Must Have SOA Governance Before You Move Your Apps



Introduction
Cloud computing is a dilemma for today’s CIO. The potential to cut capital expenditure and reign in operating costs
is so compelling that the business will push aggressively for cloud adoption. Each of the components of cloud
computing—Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS)—
offer a bulletproof economic argument that is irresistible to any CFO, CTO, or your CEO. Brought together, they
offer a promise of tangible savings and flexibility that is unprecedented in the history of computing.

But you know that money isn’t the only issue. Cloud introduces new security risks and compromises the traditional
control of IT. When data begins to move out of established corporate silos, it is vulnerable to disclosure, loss or
modification. The very act of moving sensitive data outside enterprise walls may violate national regulations for
privacy and audit that govern the corporation. As data flows through different jurisdictions in a cloud spanning the
globe, it may become subject to international controls that impede business.

When applications leave the data center, IT looses visibility and surrenders control. The once local, centralized,
manageable IT infrastructure goes global, subject to dubious SLAs and reliant on a continually shifting alliance of
partners. The shift in focus from managing infrastructure to managing applications is disruptive to any IT
organization. It challenges roles, ownership, and procedure.

These concerns haunt IT management. They introduce a justifiable unease that counters the high profile success of
cloud services such as Salesforce.com and Amazon Web Services. This stalls cloud initiatives, and once again, IT
finds itself at odds with business goals.

Fortunately, there is a solution. Cloud governance, which is a logical evolution of your current SOA governance
strategy, offers a means to assert control over both internal and external applications and data. It provides a
unified, application-centric view of your IT throughout the corporate data center and into the cloud. Cloud
governance tears down those barriers of concern erected between traditional IT and the cloud, clearing the way
for secure, managed, and incremental cloud adoption. It relies on proven technology solutions developed over the
last decade inside enterprise networks. It is a logical and justifiable step forward from what you do today.

This paper will prove to IT Management that the widely reported challenges of cloud computing can be met. It
describes a path that will guide the enterprise into the cloud in a controlled and secure manner. Finally, it will
show how even cloud governance can be deployed as a service, lowering the barrier to entry and leveraging
exactly those qualities of cloud architecture that make it so attractive.

Before you deploy a single service into the cloud, you must have a cloud governance program in place.


Cloud is Inevitable
Early cloud adoption was about agility. Startups flocked to the cloud because they could completely bypass
infrastructure acquisition and setup by deploying their applications directly to cloud providers like Joyent, GoGrid,
Google AppEngine, or Amazon Web services. This decreased their time-to-market, gave them the flexibility to
update applications in real time, and bought them the insurance of scalability to meet unanticipated traffic
volumes if their idea captured public imagination. Cost saving was simply a nice side effect.

Agility, however, is difficult to monetize. Everyone wants agility, but few are willing to pay for it; in the end, cost
effectiveness is a much easier sell. As cloud computing matures, there is a gradual shift in priorities taking place
among adopters. The business is starting to recognize that cloud computing represents a transformation in the


         Copyright © 2010 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
         trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.   3
  Steer Safely into the Clouds: Why You Must Have SOA Governance Before You Move Your Apps

  operating model for IT. Budgets dominated by capital expenditures and depreciation are giving way to those built
  on predictable—and indeed, lowered—operating expenses. What is revolutionary about cloud is not the
  technology; it’s the change cloud is making to the economics of IT.

  Within this simple financial equation lies a truth that will make the move to cloud inevitable. The argument is so
  convincing that it will resonate powerfully in the executive suite, and the decision to utilize the cloud will come not
  from IT, but from the business itself. Clearly, to be perceived as in control and delivering real business value, IT
  must be well prepared for this directive when it comes.

  The Cloud Enablers
  The mandate to use cloud services may not come from IT, but IT will be a catalyst for this decision, whether it
  realizes this or not. There are two particular cloud use cases appearing with increasing frequency that business will
  regard as important precedents for justifying a move to cloud infrastructure. It is vital for IT to recognize and
  manage these successfully.

  Quick In/Quick Out
  The New York Times offers the flagship case demonstrating this model. They had a requirement to convert 4TB of
  scans, representing 70 years of articles, into PDF format. The processing requirements were daunting, and
  proceeding using a traditional deployment would have necessitated a significant upfront investment in equipment
  the newspaper would no longer need once the project was complete.

  Instead, they turned to Amazon EC2 cloud services. Using Amazon, the team was able to complete the job in only
  24 hours. In the end, they satisfied the requirement for a fraction of the conventional cost, and left no depreciating
  IT assets behind.

  These short-term, low-risk projects, which demand high volumes of processing power on a temporary basis, are
  excellent candidates for cloud technologies and help the business to build confidence in this new approach.

  The Disruptive Grassroots Revolution
  The other major cloud driver is more subversive and viral. Salesforce.com has been wildly successful because it
                                                                                        marketed directly to a
                           The SaaS Inversion of Control
                                                                                        customer with a pain point:
There is something more subtle happening with SaaS that is worth noting. Big CRM        the salesperson who works
earned a bad reputation by bringing with it integration and customization demands       for an organization without
that easily spiraled out-of-control. The emphasis of traditional CRM is on              dedicated, on-site CRM. For
customizing the application to your data and process. SaaS vendors quietly turned       around $50 per month,
this around, providing just-enough customization and shifting integration               Salesforce offers that
responsibility to you loading data into their application in an open format. What
                                                                                        individual the basic tools they
might appear to be a limitation is actually a secret to its success: it gives customers
what they actually need without leading them into the tar pit of integration costs.     want today—all they need is
                                                                                        their credit card. Once in the
This judicious use of the 80/20 rule is actually a common theme across cloud            door, it spreads easily to
technology. From a feature perspective, infrastructure such as Amazon’s S3, SQS,        coworkers. Management will
and SimpleDB cannot be compared to their conventional enterprise counterparts           soon take notice, and more
(distributed file systems, Message-Oriented Middleware (MOM), and relational            often than not adopt this
databases); however, these offer the important basics everyone needs, and offer         excellent SaaS application
one huge advantage: vast scalability. This evolution of priorities is a defining        company-wide.
characteristic of cloud technology.


           Copyright © 2010 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
           trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.   4
Steer Safely into the Clouds: Why You Must Have SOA Governance Before You Move Your Apps

This may seem manageable and ultimately beneficial to the company, but other grassroots initiatives may not be
so benign. The very accessibility of cloud services makes these both a great opportunity and a great threat. It is
hard not to be impressed when any staff member, using a web browser and a credit card, can access cloud services
in minutes. This is agile and entrepreneurial. However, the implementation may not be consistent with the
standards you have in place for your business.

Unmanaged cloud adoption will lead to the erosion of data authority and the introduction of unmanaged
dependencies. External services, whether SaaS-based or in-house applications deployed with a cloud provider,
rarely have access to centralized data sources in the enterprise. This leads to data replication on the external
system, creating coherency problems and the destruction of the central, authoritative record.

Reliability is at risk as cloud services become more finely grained and distributed. Applications sprawl across
networks, making use of services that may change or vanish at any time. This lack of formality, control and rigor
undermines the very promise of the cloud.

Cloud Control
The message for IT management is that it must put itself in control of cloud initiatives. The inevitable push to move
to the cloud will come from the business—IT can’t stop this. But IT can ensure that the internal test cases for cloud
are carefully managed and successful, and that these are used not only to justify the widespread adoption of this
technology, but to showcase how it can be done safely, securely, and under centralized control.

SOA in Clouds
It is a common misconception that cloud will replace SOA. Nothing could be further from the truth. Cloud did
knock SOA off its commanding position on the hype scale, but the truth is that we should build cloud applications
consistent with the model that SOA articulates. SOA is an architectural approach; it is a philosophy guiding the
development and management of applications. Cloud is simply a deployment and operational model that happens
to be very well suited to host the services you create under a SOA initiative.

The major cloud players are demonstrating this for us. Salesforce.com began as a monolithic SaaS application.
However, its fundamental components—services that are useful and reusable across a wide range of custom
apps—have been teased out and made available in the company’s Force.com offering. Arguably, even Amazon, the
pioneer of cloud computing, began as a monolithic web application selling books. It then followed up with granular
services that plug into its core, and finally provided the basic building blocks of their application—queuing,
database, storage, elastic computing—as services for hire. This is service-orientation evolving into cloud
computing.

When moving to the cloud, IT needs to recognize that SOA is a crucial part of its effort. Moreover, the secrets of
success in SOA are also the secrets to success in the cloud.

Governance in SOA Forecasts Governance in the Cloud
One of these secrets is governance. The most successful SOA initiatives implement a SOA governance program. By
extension, we can conclude that cloud initiatives require a cloud governance program to make them equally
successful.

What is important to recognize, however, is that with on-premises SOA, governance could be ignored at first, and
retrofitted later. Existing process can hide a multitude of sins. If an organization owned its infrastructure, used
internal staff to manage this, and had a program of basic physical and IT security in place, it could get away with



         Copyright © 2010 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
         trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.   5
Steer Safely into the Clouds: Why You Must Have SOA Governance Before You Move Your Apps

delaying its SOA governance program. This does not imply it could ignore governance forever—SOA ultimately
cannot be successful without it—but it does allow reprioritization.

In contrast, the cloud is much less forgiving. In the cloud, your data resides on systems that you don’t control, that
may be in other countries or legal jurisdictions. These systems are unlikely to have the same security standards
that you are accustomed to with your on-premises servers. You need to develop your applications to withstand
internet-scale attacks, just like your front-line web servers. Before you deploy a single cloud service, you must have
a cloud governance program in place.

This is an important inversion point. In cloud, you give up control of networks and systems, leaving you only with
control over applications and services. Your governance program, therefore, must provide the means to control,
monitor, and adapt these services, regardless of whether they reside in an on-premises SOA, or out in a cloud-
based extension to your SOA. This consistency in approach, from existing SOA to cloud SOA, is a basic but
demanding characteristic of cloud governance.


Cloud Governance Makes Clouds Safe
Cloud governance is an evolution of SOA governance, recognizing that the best practice in the cloud is to build on
the solid foundation of existing SOA principles. It refines and extends SOA governance procedure and technology,
making it universally applicable on-premises (in a private cloud, or across an existing SOA), in the public cloud, or
managing a hybrid combination of the two.

You must recognize cloud governance as a first class citizen in cloud deployments—a gating factor that needs to be
in place before you can move to the cloud. Clearly, the process and technology behind it cannot be an impediment.
It must emphasize agility and multi-purpose application without compromising security and manageability of
services.

What is Cloud Governance?
Governance—whether applied to the corporate, IT, SOA, or cloud space—is not about technology. It’s about vision,
oversight, and control within a domain. Much of governance is about people working within a process; it’s
behavioral, rather than a product. However, technology plays a critical role as an enablement tool to control,
monitor, and adapt—the three pillars of any operational governance program—and so this is the focus of this
paper.

Cloud governance recognizes the special challenges organizations face within cloud computing. It extends SOA
governance in several important ways. Process and policy clearly need to adapt to address the exceptional
challenges with each vendor. If anything, cloud governance is uniquely demanding with respect to process and
policy because of complexity of vendor contracts, SLA expectations, and the increasingly complex regulatory
environment—factors that demand a fine balance against agility, cost reduction, and the threat of vendor-lock in.

Technology, too, must change; however, it builds on the basic solutions that already enable SOA governance.
Technology implements process, enforces rules, and monitors environments. In the SOA governance space, these
functions map cleanly into products that provide continuous enforcement of policy, broadly deployed monitoring,
and lifecycle management of SOA assets.

The challenge in moving these into the cloud is that the products must become highly distributed and cloud-
centric. Deployment must be simple, dependable and rapid across the wide variety of cloud infrastructures. They
must operate independently under all conditions, including disconnected from any centralized asset stores and


         Copyright © 2010 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
         trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.   6
   Steer Safely into the Clouds: Why You Must Have SOA Governance Before You Move Your Apps

   monitoring consoles. And they must operate seamlessly across on-premises and off-premises environments,
   including “legacy” enterprise SOA deployments. Cloud governance, therefore, is as relevant in an existing SOA
   installation as it is for a completely new application deployed in Amazon’s cloud center.

   Cloud governance inverts the order of implementation that customers had with SOA governance. In most SOA
   governance engagements, customers believed that management of assets was the first order problem, with
   enforcement and monitoring the second. This often led to early purchases of registry/repository technology that
   saw little practical use because it never integrated well with enforcement and monitoring infrastructure. In
   contrast, cloud governance demands that you address enforcement and monitoring first, and that these solutions
   bring the ability to manage assets natively. Control and visibility are fundamental problems you must overcome
   before following up with tools that automate human process.

   How Does Cloud Governance Help Me?
   Most of the benefits of cloud governance come from the application of technology to the problems with the cloud.
   Exploring how to deploy this technology helps to illustrate the full scope and impact of the solution.


         The virtual Policy Enforcement Point (vPEP): The Foundation of Cloud Governance.

Policy enforcement and monitoring is fundamental to SOA and cloud governance. IT can deploy a single entity, the
virtual Policy Enforcement Point (vPEP), to accomplish both tasks.

The idea of a standalone Policy Enforcement Point is not new; indeed, its use is widespread in most SOA environments.
In traditional SOA, the PEP acts as a gatekeeper and monitor for all service traffic. Common functionality includes:


          Authentication: Interfacing with most identity                   Audit: Collection of information related to
        and access management systems.                                   events and transaction processing on the PEP.

          Authorization: Fine grained authorization                         Alerts or Events: Synchronous or
        management including attribute- and role-based                   asynchronous events raised as a result of
        authorization models.                                            conditions being met on the PEP, such as
                                                                         transaction threshold reached, or memory
                                                                         consumption exceeding a set threshold.

           Confidentiality: Acting as an                                    SLA: Enforcement and/or alerting of various
        encryptor/decryptor for all information streams                  thresholds relevant to business. An example
        (i.e. data and services).                                        might be to redirect traffic to secondary service
                                                                         cluster when the primary is overloaded.

           Integrity: Ensuring communications are not                      Monitoring: Collecting rich data sets
        altered in transit.                                              describing both individual transaction data and
                                                                         aggregate counters, and generation of graphs
                                                                         and reports to summarize these.

          Routing: Directing messages to different                          Adaptation/Transformation: Alteration of
        destinations based on policy decisions.                          the physical data stream in flight. Can be used
                                                                         to provide interface versioning, or to produce
                                                                         entirely new aggregate services that combine
                                                                         results from several individual service calls.
            Copyright © 2010 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
            trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.   7
   Steer Safely into the Clouds: Why You Must Have SOA Governance Before You Move Your Apps




                                    Policy Enforcement Protects Services

                                          Policy
                                       Decision                                                Service
                                     Point (PEP)                                                Host




                                                                    Policy
                                                                     Policy
                                                                 Enforcement
                                                                 Enforcement
                                                Message
                                                                  Point (PEP)
                                                                  Point (PEP)




These devices were traditionally hardware-based, and deployed in an enterprise network DMZ to manage all XML-
based streams in or out of the organization. New technological developments now allow virtualization of all PEP
functionality so that it can easily be deployed either on-premise in the traditional data center, or externally in the
cloud. The new virtual PEP offers a lightweight deployment model that allows a closer binding to services, following
them through cloud deployment and making localized services governance practical.


   Policy Enforcement on Outgoing Traffic
   Applying policy enforcement to all outgoing traffic in your organization allows you to discover who is attempting to
                                                             use cloud services, and to manage this. You need to know
                                                             when an employee accesses a new SaaS service using their
                                                             credit card; you need to stop an unsanctioned use of PaaS
                                                             components by well-meaning developers; and you need to
                                                             regulate use of IaaS technology.

                                                                       Policy access profiles allow continuous monitoring of
                                                                       authorized cloud service activity, and provide a customer
                                                                       view of usage that is critical to discovering vendor billing
                                                                       discrepancies or identifying SLA violations. Outgoing policy
                                                                       enforcement allows you to measure the value you are
                                                                       deriving from each of your partners, suppliers, and every
                                                                       third-party organizations with whom you engage
                                                                       electronically.

   Policy Enforcement on Incoming Traffic
   The same deployment model is equally appropriate to manage traffic entering the corporate network. Application
   of policy enforcement and monitoring across all incoming traffic provides a secure, managed gateway layer that
   enables safe publication of internal services.

   Consider the following use case. A third-party SaaS application requires access to data locked on a mainframe—
   clearly a system that isn’t moving into the cloud soon. How can IT publish an interface to the mainframe that
   ensures only authorized cloud services can access it, that protects the mainframe from Internet-originating attacks,

            Copyright © 2010 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
            trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.   8
Steer Safely into the Clouds: Why You Must Have SOA Governance Before You Move Your Apps

                                                                and that audits all access for charge-back purposes and
                                                                forensic investigation? A PEP installed in the DMZ can offer
                                                                all of these functions and more.

                                                                Policy is not just a way of articulating and enforcing security
                                                                requirements; it is the integration glue between systems. A
                                                                rich policy language meets the demands of business and IT,
                                                                offering both high-level contracts like SLAs and billing as well
                                                                as low-level details like dynamic routing, failover, and data
                                                                transformation.




Policy Enforcement on Cloud Services
Deploying virtualized, distributed vPEPs in front of cloud applications allows owners to protect and manage their
                                                        services. Application-level policy enforcement gives fine-
                                                        grained access control and in-depth understanding of use
                                                        patterns of actual services, instead of virtual machines. Not
                                                        only does this protect your data and applications from
                                                        unauthorized use, it allows you to manage the distribution of
                                                        requests to virtualized application instances, providing
                                                        balancing or failover within or between different vendors.
                                                        This provides the necessary abstraction layer that
                                                        discourages single-vendor lock-in.

                                                       Finally, the fusion of all three of these components enables
                                                       the hybrid on-premises, in-cloud deployment model, which is
the likely future for most organizations. Policy enforcement technology for clouds can create secure, managed
communications between legacy applications in the enterprise and new applications residing in the cloud.

Ten Things to Look For in a Cloud Governance Solution
These are the important factors to consider as you begin to look for a complete cloud governance solution:

    1.   Start with enforcement. In cloud environments, distributed enforcement is a much more difficult and
         more pressing problem than asset management. Look first for a policy enforcement point that
         simultaneously answers both of these needs. This offers immediate standalone value, but with the ability
         to integrate with heavyweight registry/repositories when this need develops.
    2.   Form factors that take you from the DMZ to the clouds. Enforcement and monitoring must scale with no
         functional differences, from the wiring closet to the virtual cloud. Hardware appliances will always have
         their place, but now so do virtual vPEP appliances that can rapidly deploy in the cloud.
    3.   Distributed, virtualized management. Management systems for policy enforcement, whether on site in
         traditional SOA or in the clouds, need to be distributable so that there is no single point of failure. These
         consoles manage mission-critical applications. If a local network becomes segmented or a cloud provider
         is inaccessible, the management components should be locally available on every enforcement point.
    4.   The ability to maintain a central system of record for critical assets. There must be a central,
         authoritative system of record for assets like policies. Think of this as the library storing the laws of the
         land: the police reference it, but certainly not on every call.




         Copyright © 2010 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
         trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.   9
Steer Safely into the Clouds: Why You Must Have SOA Governance Before You Move Your Apps

    5.  Loose coupling is a must between enforcement points and repository. Following on #4, enforcement
        points must not be tightly bound to central repositories because of the latency and reliability issues in the
        cloud.
    6. The ability to author centrally, but deploy globally. Policy will move with your applications in the cloud.
        Localized differences (time zones, IP addresses, SLAs, etc) must be mapped automatically during
        provisioning. This is a hard problem, because policy itself is often riddled with unanticipated dependency.
    7. Offer a global view of the application network. You need an application-centric management and
        monitoring system. It must be accommodating to the subtleties of application protocols so it can provide
        an actionable view of problems as they occur.
    8. Flexibility in policy language. The mechanics of governance always come down to complex details in
        security policy. It is through policy that you manage, adapt, and control all communications between
        services. A richly expressive policy language will give you the tools you need to manage any situation.
    9. Equally relevant to SOA as to the cloud. Think of cloud governance as evolved SOA governance. Any
        cloud governance solution should be as applicable to traditional SOA as it is to the cloud.
    10. Utilization of the cloud in the solution. If a vendor is serious about the cloud, shouldn’t a cloud
        governance solution make use of cloud services?


Conclusions
In traditional, on-premises SOA, a governance program was easy to put off. Existing processes and security
technology are often good enough to manage simple scenarios, at least until a critical mass of services appears.

In the cloud, things are different. A single service is enough to demand that you implement a cloud governance
program. You should look to SOA governance for inspiration, and extend this to the cloud. Start with a strong
program of SOA governance. If you don’t have this already, this is a good time to start. Extend this into the cloud
using new, lightweight technology such as virtual Policy Enforcement Points. These will provide you with the
security and monitoring functions that are the foundation of SOA—or cloud—governance.




         Copyright © 2010 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
         trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.   10
Steer Safely into the Clouds: Why You Must Have SOA Governance Before You Move Your Apps



Appendix A - A Methodology for Cloud Governance
Your journey to cloud governance should begin with the fundamentals of traditional SOA governance. SOA
governance might be something you’ve been able to overlook until now, as informal process and existing security
on premise cover a lot. However, it is critical to lay this foundation before moving to the cloud.

The human elements of SOA governance transfer cleanly to the cloud. The challenge is to have the process and
policy in place so it is ready evolve to meet the additional vendor challenges that come with a cloud deployment.

Cloud Evaluation Phase
Do Your Homework – Many would argue that the cloud is little more than a repackaging of existing technology with
an attractive new name. There is some truth in this, but it doesn’t tell the whole story. The cloud moniker is
actually a victim of its own success; it has become a grab bag of loosely related ideas and technology. It is
important to identify which facets and interpretations of cloud are relevant to your organization. This can only
come if you spend time exploring the breadth of cloud technology, and recognizing the value proposition offered
by each of its segments.

Set Goals – SOA taught us that failing to set clear, measurable goals upfront very often led to project failure down
the road. We need to learn from this. Be honest and realistic about what you want to get from the cloud and you
will be successful. Ask yourself:

    •    Is it company prestige, or a desire to use cool new technologies?
    •    Is it about the team’s personal goals or those of the organization?
    •    Do you want to be in an advantageous position to rendezvous with new technologies down the road?
    •    Is this a force fit imposed by other parts of the organization?
    •    Is there a definable value proposition for you to go to the cloud? Can you articulate an ROI?
    •    Is it the simple economics of the capex to opex shift? Are there opex targets in place?
    •    Will your applications benefit from the coarse grained, replicated virtual image approach to parallelism
         that cloud offers? Cloud does simple parallelism well; it doesn’t do hard parallelism, the kind computer
         scientists have struggled with for decades, and which arguably grid failed to deliver. Does your application
         lend itself to Map/Reduce approaches like Hadoop?
    •    Do you have unpredictable volumes you need to respond to, scaling either up or down rapidly? Is there a
         danger in underbuilding, or overbuilding if you do it yourself?
    •    Is it a short-term project that would orphan equipment bought for it once it is complete?
    •    Do you simply not have the budget to build out your own data center?
    •    Does an aggressive schedule mandate use of the cloud?


Cloud Governance Definition Phase
Assess People and Culture – Cloud challenges traditional roles and responsibilities. Existing operations staff may
see it as a direct threat. In the cloud, tasks like application deployment often shift to development staff, a task they
may resent and see as an operational burden dumped on them. Do you have staff that is ready to step up to the
difficult role of managing provider relationships on an ongoing basis? Can you tap other parts of the organization
to access these skilled individuals? Does your staff naturally engage with new challenges or technologies, or do you
have a difficult evangelism task. And most important, do you have full executive sponsorship and support? Just
because the executive suite mandated your move to the cloud, don’t assume they will support you when the
journey become arduous.




         Copyright © 2010 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
         trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.   11
Steer Safely into the Clouds: Why You Must Have SOA Governance Before You Move Your Apps

Assess Process – Take stock of your existing processes around development, deployment, and operations.
Categorize them as follows:

    • Relevant to the cloud now.
    • Relevant to the cloud with modification.
    • Cannot be made relevant to the cloud.
Use this as a basis for determining the gaps in process. There will certainly be new processes you must define, like
managing SLAs with providers. However, first you need to understand what you have before you can really
comprehend what is missing.

Assess Data – Take careful inventory of your data assets in the organization (if you don’t have this catalogued
already, now is the time to do it). Categorize these data into the following governance groupings:

    •     Must only reside inside of existing data center. This may be for security or compliance reasons. Take note
          of special challenges, such as the data being locked up in a legacy mainframe application, but don’t let this
          dictate it’s category. Physical or logistical reasons should be orthogonal this categorization.
    • Could reside in a private cloud. Note that even a private cloud may be multi-tenant (tenants could
          include other business units, business partners, or even third parties).
    • Could reside in a public cloud.
Clearly, there is a hierarchy of loosening restriction here. The granularity of this is something you will have to
determine yourself. In a perfect world, you would categorize every field like this; however, this is clearly not
practical in most cases. Consider concrete logical dependencies and use these to aggregate fields for grouping.

Assess Applications and Services – Data isn’t the only corporate asset that may need a higher level of security or
trust than cloud can provide; services may also have special restrictions that require they be hosted on-premise.
This may be because of they are bound to sensitive data, or simply because some characteristic of their
operational behavior is a company secret (such as implementation of a proprietary algorithm).

There is a significant issue with current cloud solution offerings. They focus exclusively on management of virtual
instances, and in doing so miss a fundamental tenet of modern SOA: it’s about the services. If you put the emphasis
back onto services, your cloud governance strategy will naturally fall out of this.

Place your services into the same categories developed above for data. If you have an existing SOA, you are well
positioned because your services should be well documented.

Develop Relationship with Providers – Start this early, because it will take longer than you expect. Cloud technology
is about speed and agility; relationships are the opposite. You need time to understand the different value
propositions of each of the vendors. Furthermore, understand that these will change constantly as the industry
evolves, so the right provider one year may be the wrong one in the next. Respect the power derived from
continuity in relationships, but always be re-evaluating and ready to move.

Create lists ranking all relevant providers by the following criterion:

    •    By SLA – This is often about uptime and response time, but there are other factors to consider. What is
         their backup policy, and how fast can they recover from a catastrophic data loss? Can you request
         retrieval of old copies of data? How far back, and how often, are snapshots taken? What is the data
         retention policy? Does your data stay on their backup media after you’ve terminated your relationship?
         What happens to virtual images on disk once these have been spun down: is the disk image wiped clean
         to your standards (some governmental agencies have very strict requirements for data erasure on disk,
         including multiple passes with pseudo-random data streams)? What is the handling policy for passwords


         Copyright © 2010 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
         trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.   12
Steer Safely into the Clouds: Why You Must Have SOA Governance Before You Move Your Apps

         and keys on their site? Which provider staff can escalate privileges and gain access to your virtualized
         applications and data? What is the policy governing this? Who can access audits and can these potentially
         leak information from your application? Will the provider even support you when investigating issues or
         recovering data?
     • By Security Capability – In a multi-tenant environment, how are virtual images kept separate from each
         other? Can virtual images sniff packets, or spoof IPs? How does the provider segregate data? What about
         infrastructure like queues or databases? What is the authentication and authorization model to access
         management APIs or consoles? Does this scale to satisfy your needs on a corporate level (consider the
         logistic point of view of key distribution, revocation of credentials, lifetime of keys or passwords, etc)? Do
         they provide role-based or attribute-based authorization models? Are there mechanisms available to
         avoid embedding security credentials inside virtual machines? Can their infrastructure federate with your
         existing identity and access management system? What is the model for communicating with resources in
         the enterprise (i.e. legacy applications, private clouds, people, etc)? Does it use open encrypted pipes like
         a VPN that let all communications through without discrimination (very risky if anything is compromised),
         or is it finely grained on a service-by-service basis (a much more secure approach)? What firewall
         capabilities are available for virtualized instances?
     • By Trust – Security is always about trust. To complicate matters, this isn’t just about building trust with a
         single provider, but investing trust with all of their sub-contractors and other entities they have
         relationships with that could affect you. One of the biggest challenges in cloud is the implicit transitive
         trust issue you engage in with any vendor. Consider also the jurisdictions and locations they may operate
         in. Does this put your data at risk of subpoena or seizure by foreign entities (for political or competitive
         reasons)? Are their facilities in an area that meets your needs? Remember, in a cloud covering the planet,
         local conditions can become startlingly relevant. Hurricanes are not your only problem; now you need to
         worry about typhoons.
     • By Lock-in – Most commercial cloud providers are building on the Xen hypervisor (Amazon included).
         Unfortunately, that is about as standard as it gets. There are initiatives to create standards around cloud
         VM formats and administrative APIs, but these efforts have only recently begun and will take some time
         to mature.
Rationalize Relationships – Keep the short list of vendors you work with short—recognize that any good business
relationship takes constant maintenance and considerable effort upfront. Continuously monitor the changing
marketplace, be ready to move, and don’t try and maintain more than two or at most three separate provider
relationships. Institute a quarterly review period and evaluate what has changed. Avoid long term contracts—the
market is changing too rapidly to make this a prudent strategy.

Cloud Governance Execution Phase
Start Small, Start Local – Successful SOA projects never started with a big bang; instead they began as a small-scale
proof-of-concept that acted as a reference case for other projects in the organization. Cloud should follow the
same path to success.

Implement Soft Policy for Clouds – You need to control unmanaged employee access of cloud resources.
Implement a policy as soon as possible that doesn’t forbid it, but encourages partnering with a local center of
excellence for clouds. This provides some control and monitoring without discouraging innovation or
compromising agility. Ensure it can provide some value to staff engaging with it, such as leverage of existing
provider relationships or simply expertise and perspective on cloud opportunities.

Build Management and Monitoring Layer – This is the single most important piece of infrastructure you need to
invest in. Traditional SOA advocated starting with heavyweight registry and repository infrastructure. In contrast,
cloud and modern SOA is about the realization that enforcement and monitoring tools are where the real value
resides. This technology is the cornerstone of cloud governance.



         Copyright © 2010 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
         trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.   13
Steer Safely into the Clouds: Why You Must Have SOA Governance Before You Move Your Apps

Setup Policy Enforcement Points (PEPs) in DMZ – Start by protecting the resources you already have. Placing PEPs
in the DMZ allows you to manage access to internal resources, whether partners or cloud applications use them.
This also provides the base infrastructure you need to manage outgoing access to cloud resources. Starting in a
familiar environment, such as your own DMZ, gives staff valuable experience in managing this infrastructure
before you begin to deploy it into the cloud.

Deploy Virtual PEPs into the Cloud – Next, begin to deploy virtual PEPs. You can optionally begin by deploying these
throughout your organization, creating a robust defense-in-depth strategy in your application network. As you
move applications and services into the cloud, bind them to virtual PEPs that also reside in the cloud, giving you
policy-driven control over security and monitoring of every service you host.

Integrate Heavy Components Later – Modern PEPs provide all the functionality you need for a governance story,
including local persistence and lifecycle management of all-important assets like policy and service descriptions. As
your usage expands, look to centralized management products that integrate seamlessly with the PEPs. This might
also be a cloud service.

Operational and Review Phase
Evaluate Success, Evaluate Failure – If you started with clear goals, this should be easy. Be honest about the
failures—every project has them

Refine and Repeat – Cloud governance is an ongoing process. Set up a steering committee that meets regularly to
evaluate the state of the project and to institute change when necessary.




         Copyright © 2010 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
         trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.   14
Steer Safely into the Clouds: Why You Must Have SOA Governance Before You Move Your Apps




About Layer 7 Technologies
With offices in San Mateo, California; New York, New York; and Vancouver, British Columbia, Canada; Layer 7
Technologies helps enterprises accomplish secure and cost-effective business integration using XML and Web
services. Layer 7 Technologies’ SecureSpan™ Solution is the first technology that addresses security and
governance across a Web services integration without expensive and inflexible programming. With the
SecureSpan™ Solution, customers realize lowered integration costs, increased security reliability, and the ability to
future-proof their Web services investments. Contact Layer 7 Technologies or visit www.layer7tech.com for more
information.


Contact Layer 7 Technologies
Layer 7 Technologies welcomes your questions, comments, and general feedback.

Email:
info@layer7tech.com

Web Site:
www.layer7tech.com

Phone:
(+1) 604-681-9377
1-800-681-9377 (toll free within North America)

Fax:
604-681-9387

Address:
Layer 7 Technologies
1200 G Street, NW, Suite 800
Washington, DC 20005

Layer 7 Technologies
Suite 405-1100 Melville Street
Vancouver, BC
V6E 4A6 Canada


Legal Information
Copyright © 2010 by Layer 7 Technologies, Inc. (www.layer7tech.com). Contents confidential. All rights reserved.
SecureSpan™ is a registered trademark of Layer 7 Technologies, Inc. All other mentioned trade names and/or
trademarks are the property of their respective owners.




         Copyright © 2010 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
         trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.   15

								
To top