Policy Enforcement and Monitoring

By K. Scott Morrison  |  Posted 2009-11-19

How to Carry Out Successful Cloud Governance and Adoption

Cloud computing introduces new security risks and compromises the traditional control of IT. Therefore, it is imperative that IT management establish firm control and oversight of cloud initiatives. Cloud governance, which is a logical evolution of current service-oriented architecture (SOA) governance strategies, offers a means to assert control over both internal and external applications and data.

Cloud governance provides a unified, application-centric view of IT throughout the corporate data center and into the cloud. It clears the way for secure, managed and incremental cloud adoption. But cloud governance can go badly awry if implemented too hastily or as an afterthought. The following are 10 tips to follow for successful cloud governance:

Tip No. 1: Start with enforcement

In cloud environments, distributed enforcement is a more difficult and more pressing problem than asset management. Look first for a policy enforcement point that simultaneously answers both of these needs. This offers immediate standalone value, but with the ability to integrate with heavyweight registry/repositories when this need develops.

Tip No. 2: Form factors that take you from the DMZ to the clouds

Enforcement and monitoring must scale with no functional differences, from the wiring closet to the virtual cloud. Hardware appliances will always have their place, but now so do virtual appliances that enforce policies and are capable of rapidly deploying in the cloud.

Tip No. 3: Distributed, virtualized management

Management systems for policy enforcement, whether on-site in traditional SOA or in the clouds, need to be distributable so that there is no single point of failure. These consoles manage mission-critical applications. If a local network becomes segmented or a cloud provider is inaccessible, the management components should be locally available on every enforcement point.

Tip No. 4: The ability to maintain a central system of record for critical assets

There must be a central, authoritative system of record for assets such as policies. Think of this as a library storing the laws of the land: the police reference it but certainly not on every call.

Tip No. 5: Loose coupling is a must between enforcement points and repository

Enforcement points must not be tightly bound to central repositories because of the latency and reliability issues in the cloud.

Author Centrally But Deploy Globally

Tip No. 6: The ability to author centrally but deploy globally

Policy will move with your applications in the cloud. Localized differences [time zones, IP addresses, service-level agreements (SLAs), etc] must be mapped automatically during provisioning. This can be challenging, as policy itself is often riddled with unanticipated dependency.

Tip No. 7: Offer a global view of the application network

You need an application-centric management and monitoring system. It must be accommodating to the subtleties of application protocols so it can provide an actionable view of problems as they occur.

Tip No. 8: Flexibility in policy language

The mechanics of governance always come down to complex details in security policy. It is through policy that you manage, adapt and control all communications between services. A richly expressive policy language will give you the tools you need to manage any situation.

Tip No. 9: Apply SOA lessons to the cloud

Think of cloud governance as evolved SOA governance. Any cloud governance solution should be as applicable to traditional SOA as it is to the cloud.

Tip No. 10: Utilize the cloud in the solution

If a vendor is serious about the cloud, a cloud governance solution should make use of cloud services.

Policy Enforcement and Monitoring

Policy enforcement and monitoring

Of the ten suggestions just mentioned, policy enforcement and monitoring are particularly fundamental to SOA and cloud governance. IT can deploy a single entity, the virtual Policy Enforcement Point (PEP), to accomplish both tasks. Policy enforcement technology for clouds can create secure, managed communications between legacy applications in the enterprise and new applications residing in the cloud.

Policy is not just a way of articulating and enforcing security requirements; it is the integration glue between systems. A rich policy language meets the demands of business and IT, offering both high-level contracts such as SLAs and billing, as well as low-level details such as dynamic routing, failover and data transformation.

Deploying virtualized, distributed policy enforcement points in front of cloud applications allows organizations to protect and manage their services. Application-level policy enforcement gives fine-grained access control and in-depth understanding of use patterns of actual services, instead of virtual machines. Not only does this protect data and applications from unauthorized use, it ensures that the distribution of requests to virtualized application instances is properly managed.

In conclusion, governance-whether applied to the corporate, IT, SOA or cloud space-is about vision, oversight and control within a domain. Much of governance is about people working within a process; it's behavioral rather than a product. However, technology plays a critical role as an enablement tool to control, monitor and adapt-the three pillars of any operational governance program. Entities considering a move to the cloud would do well to examine closely both their technology and processes in order to take advantage of the promise and avoid the peril of the cloud.

K. Scott Morrison is VP of Engineering and Chief Architect at Layer 7 Technologies. He has extensive technical and scientific experience in a number of industries and universities, including senior architect positions at IBM. He has published more than 50 book chapters, articles and papers. He is co-author of the upcoming university textbook, "Cloud Computing: Principles, Systems and Applications" (to be published by Springer-Verlag). He has spoken at 70 shows around the world. He holds a Bachelor of Computer Science degree (honors) from Simon Fraser University. He can be reached at smorrison@layer7tech.com.

Rocket Fuel