Governing cloud computing isn’t easy

August 20, 2011 By David
Grazed from Financial Times.  Author: Daryl Plummer.

Governing cloud computing is like herding a group of cats; you think you’re in control until one of them decides it’s time for you to pet it, feed it or suffer its wrath.

Cloud services, like cats, are hard things to control. This is mainly because the service provider has all the power, and the service consumer has much of the risk. But there are ways to approach governance in the cloud that yield good results, instead of just hairballs and claws…

As cloud computing adoption continues to grow, the ability to govern the services used will be a critical success factor.

A colleague in Gartner research once told me that governance is “who gets their say, and who has their way.” Underneath all that are questions about how decisions are made with regard to acquiring cloud resources, ensuring they do what they’re supposed to do, determining what moves into or out of the cloud, and influencing users on how to use the cloud model. In the cloud, the providers get their say and have their way more than anyone else. Service consumers are often left to fend for themselves when dealing with anything the provider has not already chosen to give them. By and large, you get what you get in the cloud. But as cloud adoption grows, the need for some degree of coordination of cloud services becomes apparent.

Governing cloud computing essentially happens at three levels: business, service and technology.

At the business level, cloud service consumers must manage contract relationships and accounts, track users of cloud services, understand buying patterns, and set policies for corporate use. There’s nothing worse than waking up one morning to discover your business users have bought cloud services with a credit card and no due diligence. But it happens all the time, leaving the IT department scrambling to figure out how to support the new services. And it leaves finance scrambling to decide how to prioritise and fund some of these purchases.

A simple step toward governance would be to institute a cloud services purchase requisitioning system. At the very least, a system like this allows you to track cloud purchases before they happen. Another option is to establish a ‘cloud purchasing czar’ who reviews cloud purchase requests to gather intelligence on what the business might need. This way, you can help your business users get their cloud services while preparing yourself for the consequences.

Clearly, some governance of buying behaviour is warranted. It allows a company to aggregate buying power, establish predictable relationships with service providers and make cross-company decisions about cloud adoption.

At the service level, the issues get more technical. Entities like E*Trade or Chicago Mercantile Exchange that want to deliver market data through the cloud can find themselves in a tough spot without some mechanism to govern the interactions of customers and partners with their cloud services. How do you tell who’s using them? How do you stop someone from using them? How do you ensure security and enforce policies about them at all times?

Well, the simple answer is a cloud service gateway. These appliances or services sit between those who provide a service and those who access it (we covered this kind of thing in the cloud brokerage article). They act as brokers because they broker all the requests from users of a service to the service and back. This means they can intercept and interpret the requests to see if they fit within policy or are safe. Track, measure, monitor and enforce — that’s the kind of governance you need at the service level.

Then there’s the technical level of governance. This one has less relevance in cloud computing largely because the consumers of the service don’t control the technology — at least not in the public cloud. But there are still private and hybrid cloud deployments to consider. Companies doing the “private” thing still have contracts to manage at the business level and services to manage at the service level, but they also have to govern the use of their technology through capacity planning and policies for provisioning. They even have to decide how to spend money most effectively to deliver the best private or hybrid cloud experience.

If this sounds like data centre operations, it is. The difference lies in the new financial models (pay as you go), the shift to treating employees as service consumers, and the ability to charge a price for the service instead of the cost of the equipment. This kind of governance is hard to envision for some.

And let us not overlook the movement from on-premises systems to the cloud. Ultimately, governance of cloud computing may boil down to the question, “Which applications do I move to the cloud, and which do I not?” The governance decisions behind this question will stir up a lot of concern. But, ultimately, the answers to these concerns will come from the three main areas of governance. Is it the right business choice? Is it the right service? And can the technology handle it?

And it comes down to that. Who has their say, and who has their way? Cloud consumers who want to move to the cloud are having their say about what services they need. Cloud providers are having their way with how these services are delivered. Where you come in is by arbitrating the decisions that let consumers connect to providers in the safest way possible, and what’s safe can only be determined through governance.