Steer Safely Into The Clouds

Steer Safely into the Clouds
Why you must have Cloud Governance before you move your apps
Layer 7 Technologies
White Paper
Steer Safely into the Clouds: Why You Must Have SOA Governance Before You Move Your Apps
Contents
Introduction .................................................................................................................................................. 3
Cloud is Inevitable ......................................................................................................................................... 3
The Cloud Enablers ................................................................................................................................... 4
Quick In/Quick Out................................................................................................................................ 4
The Disruptive Grassroots Revolution .................................................................................................. 4
Cloud Control ............................................................................................................................................ 5

SOA in Clouds ............................................................................................................................................ 5
Governance in SOA Forecasts Governance in the Cloud .......................................................................... 5
Cloud Governance Makes Clouds Safe ......................................................................................................... 6
What is Cloud Governance?...................................................................................................................... 6
How Does Cloud Governance Help Me? ................................................................................................... 7
Policy Enforcement on Outgoing Traffic ............................................................................................... 8
Policy Enforcement on Incoming Traffic ............................................................................................... 8
Policy Enforcement on Cloud Services .................................................................................................. 9
Ten Things to Look For in a Cloud Governance Solution .......................................................................... 9

Conclusions ................................................................................................................................................. 10
Appendix A - A Methodology for Cloud Governance.................................................................................. 11
Cloud Evaluation Phase ........................................................................................................................... 11
Cloud Governance Definition Phase ....................................................................................................... 11
Cloud Governance Execution Phase ....................................................................................................... 13
Operational and Review Phase ............................................................................................................... 14
About Layer 7 Technologies ........................................................................................................................ 15
Contact Layer 7 Technologies ..................................................................................................................... 15
Legal Information ........................................................................................................................................ 15
Copyright © 2010 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners. 2
Introduction
Cloud computing is a dilemma for today’s CIO. The potential to cut capital expenditure and reign in operating costs
is so compelling that the business will push aggressively for cloud adoption. Each of the components of cloud
computing—Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS)—
offer a bulletproof economic argument that is irresistible to any CFO, CTO, or your CEO. Brought together, they
offer a promise of tangible savings and flexibility that is unprecedented in the history of computing.
But you know that money isn’t the only issue. Cloud introduces new security risks and compromises the traditional
control of IT. When data begins to move out of established corporate silos, it is vulnerable to disclosure, loss or
modification. The very act of moving sensitive data outside enterprise walls may violate national regulations for
privacy and audit that govern the corporation. As data flows through different jurisdictions in a cloud spanning the
globe, it may become subject to international controls that impede business.
When applications leave the data center, IT looses visibility and surrenders control. The once local, centralized,
manageable IT infrastructure goes global, subject to dubious SLAs and reliant on a continually shifting alliance of
partners. The shift in focus from managing infrastructure to managing applications is disruptive to any IT
organization. It challenges roles, ownership, and procedure.
These concerns haunt IT management. They introduce a justifiable unease that counters the high profile success of
cloud services such as Salesforce.com and Amazon Web Services. This stalls cloud initiatives, and once again, IT
finds itself at odds with business goals.
Fortunately, there is a solution. Cloud governance, which is a logical evolution of your current SOA governance
strategy, offers a means to assert control over both internal and external applications and data. It provides a
unified, application-centric view of your IT throughout the corporate data center and into the cloud. Cloud
governance tears down those barriers of concern erected between traditional IT and the cloud, clearing the way
for secure, managed, and incremental cloud adoption. It relies on proven technology solutions developed over the
last decade inside enterprise networks. It is a logical and justifiable step forward from what you do today.
This paper will prove to IT Management that the widely reported challenges of cloud computing can be met. It
describes a path that will guide the enterprise into the cloud in a controlled and secure manner. Finally, it will
show how even cloud governance can be deployed as a service, lowering the barrier to entry and leveraging
exactly those qualities of cloud architecture that make it so attractive.
Before you deploy a single service into the cloud, you must have a cloud governance program in place.
Cloud is Inevitable
Early cloud adoption was about agility. Startups flocked to the cloud because they could completely bypass
infrastructure acquisition and setup by deploying their applications directly to cloud providers like Joyent, GoGrid,
Google AppEngine, or Amazon Web services. This decreased their time-to-market, gave them the flexibility to
update applications in real time, and bought them the insurance of scalability to meet unanticipated traffic
volumes if their idea captured public imagination. Cost saving was simply a nice side effect.
Agility, however, is difficult to monetize. Everyone wants agility, but few are willing to pay for it; in the end, cost
effectiveness is a much easier sell. As cloud computing matures, there is a gradual shift in priorities taking place
among adopters. The business is starting to recognize that cloud computing represents a transformation in the
operating model for IT. Budgets dominated by capital expenditures and depreciation are giving way to those built
on predictable—and indeed, lowered—operating expenses. What is revolutionary about cloud is not the
technology; it’s the change cloud is making to the economics of IT.
Within this simple financial equation lies a truth that will make the move to cloud inevitable. The argument is so
convincing that it will resonate powerfully in the executive suite, and the decision to utilize the cloud will come not
from IT, but from the business itself. Clearly, to be perceived as in control and delivering real business value, IT
must be well prepared for this directive when it comes.
The Cloud Enablers

The mandate to use cloud services may not come from IT, but IT will be a catalyst for this decision, whether it
realizes this or not. There are two particular cloud use cases appearing with increasing frequency that business will
regard as important precedents for justifying a move to cloud infrastructure. It is vital for IT to recognize and
manage these successfully.
Quick In/Quick Out

The New York Times offers the flagship case demonstrating this model. They had a requirement to convert 4TB of
scans, representing 70 years of articles, into PDF format. The processing requirements were daunting, and
proceeding using a traditional deployment would have necessitated a significant upfront investment in equipment
the newspaper would no longer need once the project was complete.
Instead, they turned to Amazon EC2 cloud services. Using Amazon, the team was able to complete the job in only
24 hours. In the end, they satisfied the requirement for a fraction of the conventional cost, and left no depreciating
IT assets behind.
These short-term, low-risk projects, which demand high volumes of processing power on a temporary basis, are
excellent candidates for cloud technologies and help the business to build confidence in this new approach.
The Disruptive Grassroots Revolution

The other major cloud driver is more subversive and viral. Salesforce.com has been wildly successful because it
marketed directly to a
The SaaS Inversion of Control
customer with a pain point:
There is something more subtle happening with SaaS that is worth noting. Big CRM the salesperson who works
earned a bad reputation by bringing with it integration and customization demands for an organization without
that easily spiraled out-of-control. The emphasis of traditional CRM is on dedicated, on-site CRM. For
customizing the application to your data and process. SaaS vendors quietly turned around $50 per month,
this around, providing just-enough customization and shifting integration Salesforce offers that
responsibility to you loading data into their application in an open format. What
individual the basic tools they
might appear to be a limitation is actually a secret to its success: it gives customers
what they actually need without leading them into the tar pit of integration costs. want today—all they need is
their credit card. Once in the
This judicious use of the 80/20 rule is actually a common theme across cloud door, it spreads easily to
technology. From a feature perspective, infrastructure such as Amazon’s S3, SQS, coworkers. Management will
and SimpleDB cannot be compared to their conventional enterprise counterparts soon take notice, and more
(distributed file systems, Message-Oriented Middleware (MOM), and relational often than not adopt this
databases); however, these offer the important basics everyone needs, and offer excellent SaaS application
one huge advantage: vast scalability. This evolution of priorities is a defining company-wide.
characteristic of cloud technology.
This may seem manageable and ultimately beneficial to the company, but other grassroots initiatives may not be
so benign. The very accessibility of cloud services makes these both a great opportunity and a great threat. It is
hard not to be impressed when any staff member, using a web browser and a credit card, can access cloud services
in minutes. This is agile and entrepreneurial. However, the implementation may not be consistent with the
standards you have in place for your business.
Unmanaged cloud adoption will lead to the erosion of data authority and the introduction of unmanaged
dependencies. External services, whether SaaS-based or in-house applications deployed with a cloud provider,
rarely have access to centralized data sources in the enterprise. This leads to data replication on the external
system, creating coherency problems and the destruction of the central, authoritative record.
Reliability is at risk as cloud services become more finely grained and distributed. Applications sprawl across
networks, making use of services that may change or vanish at any time. This lack of formality, control and rigor
undermines the very promise of the cloud.
Cloud Control
The message for IT management is that it must put itself in control of cloud initiatives. The inevitable push to move
to the cloud will come from the business—IT can’t stop this. But IT can ensure that the internal test cases for cloud
are carefully managed and successful, and that these are used not only to justify the widespread adoption of this
technology, but to showcase how it can be done safely, securely, and under centralized control.
SOA in Clouds
It is a common misconception that cloud will replace SOA. Nothing could be further from the truth. Cloud did
knock SOA off its commanding position on the hype scale, but the truth is that we should build cloud applications
consistent with the model that SOA articulates. SOA is an architectural approach; it is a philosophy guiding the
development and management of applications. Cloud is simply a deployment and operational model that happens
to be very well suited to host the services you create under a SOA initiative.
The major cloud players are demonstrating this for us. Salesforce.com began as a monolithic SaaS application.
However, its fundamental components—services that are useful and reusable across a wide range of custom
apps—have been teased out and made available in the company’s Force.com offering. Arguably, even Amazon, the
pioneer of cloud computing, began as a monolithic web application selling books. It then followed up with granular
services that plug into its core, and finally provided the basic building blocks of their application—queuing,
database, storage, elastic computing—as services for hire. This is service-orientation evolving into cloud
computing.
When moving to the cloud, IT needs to recognize that SOA is a crucial part of its effort. Moreover, the secrets of
success in SOA are also the secrets to success in the cloud.
Governance in SOA Forecasts Governance in the Cloud

One of these secrets is governance. The most successful SOA initiatives implement a SOA governance program. By
extension, we can conclude that cloud initiatives require a cloud governance program to make them equally
successful.
What is important to recognize, however, is that with on-premises SOA, governance could be ignored at first, and
retrofitted later. Existing process can hide a multitude of sins. If an organization owned its infrastructure, used
internal staff to manage this, and had a program of basic physical and IT security in place, it could get away with
delaying its SOA governance program. This does not imply it could ignore governance forever—SOA ultimately
cannot be successful without it—but it does allow reprioritization.
In contrast, the cloud is much less forgiving. In the cloud, your data resides on systems that you don’t control, that
may be in other countries or legal jurisdictions. These systems are unlikely to have the same security standards
that you are accustomed to with your on-premises servers. You need to develop your applications to withstand
internet-scale attacks, just like your front-line web servers. Before you deploy a single cloud service, you must have
a cloud governance program in place.
This is an important inversion point. In cloud, you give up control of networks and systems, leaving you only with
control over applications and services. Your governance program, therefore, must provide the means to control,
monitor, and adapt these services, regardless of whether they reside in an on-premises SOA, or out in a cloud-
based extension to your SOA. This consistency in approach, from existing SOA to cloud SOA, is a basic but
demanding characteristic of cloud governance.
Cloud Governance Makes Clouds Safe

Cloud governance is an evolution of SOA governance, recognizing that the best practice in the cloud is to build on
the solid foundation of existing SOA principles. It refines and extends SOA governance procedure and technology,
making it universally applicable on-premises (in a private cloud, or across an existing SOA), in the public cloud, or
managing a hybrid combination of the two.
You must recognize cloud governance as a first class citizen in cloud deployments—a gating factor that needs to be
in place before you can move to the cloud. Clearly, the process and technology behind it cannot be an impediment.
It must emphasize agility and multi-purpose application without compromising security and manageability of
services.
What is Cloud Governance?

Governance—whether applied to the corporate, IT, SOA, or cloud space—is not about technology. It’s about vision,
oversight, and control within a domain. Much of governance is about people working within a process; it’s
behavioral, rather than a product. However, technology plays a critical role as an enablement tool to control,
monitor, and adapt—the three pillars of any operational governance program—and so this is the focus of this
paper.
Cloud governance recognizes the special challenges organizations face within cloud computing. It extends SOA
governance in several important ways. Process and policy clearly need to adapt to address the exceptional
challenges with each vendor. If anything, cloud governance is uniquely demanding with respect to process and
policy because of complexity of vendor contracts, SLA expectations, and the increasingly complex regulatory
environment—factors that demand a fine balance against agility, cost reduction, and the threat of vendor-lock in.
Technology, too, must change; however, it builds on the basic solutions that already enable SOA governance.
Technology implements process, enforces rules, and monitors environments. In the SOA governance space, these
functions map cleanly into products that provide continuous enforcement of policy, broadly deployed monitoring,
and lifecycle management of SOA assets.
The challenge in moving these into the cloud is that the products must become highly distributed and cloud-
centric. Deployment must be simple, dependable and rapid across the wide variety of cloud infrastructures. They
must operate independently under all conditions, including disconnected from any centralized asset stores and
monitoring consoles. And they must operate seamlessly across on-premises and off-premises environments,
including “legacy” enterprise SOA deployments. Cloud governance, therefore, is as relevant in an existing SOA
installation as it is for a completely new application deployed in Amazon’s cloud center.
Cloud governance inverts the order of implementation that customers had with SOA governance. In most SOA
governance engagements, customers believed that management of assets was the first order problem, with
enforcement and monitoring the second. This often led to early purchases of registry/repository technology that
saw little practical use because it never integrated well with enforcement and monitoring infrastructure. In
contrast, cloud governance demands that you address enforcement and monitoring first, and that these solutions
bring the ability to manage assets natively. Control and visibility are fundamental problems you must overcome
before following up with tools that automate human process.
How Does Cloud Governance Help Me?

Most of the benefits of cloud governance come from the application of technology to the problems with the cloud.
Exploring how to deploy this technology helps to illustrate the full scope and impact of the solution.
The virtual Policy Enforcement Point (vPEP): The Foundation of Cloud Governance.
Policy enforcement and monitoring is fundamental to SOA and cloud governance. IT can deploy a single entity, the
virtual Policy Enforcement Point (vPEP), to accomplish both tasks.
The idea of a standalone Policy Enforcement Point is not new; indeed, its use is widespread in most SOA environments.
In traditional SOA, the PEP acts as a gatekeeper and monitor for all service traffic. Common functionality includes:
Authentication: Interfacing with most identity Audit: Collection of information related to

and access management systems. events and transaction processing on the PEP.
Authorization: Fine grained authorization Alerts or Events: Synchronous or

management including attribute- and role-based asynchronous events raised as a result of
authorization models. conditions being met on the PEP, such as
transaction threshold reached, or memory
consumption exceeding a set threshold.
Confidentiality: Acting as an SLA: Enforcement and/or alerting of various

encryptor/decryptor for all information streams thresholds relevant to business. An example
(i.e. data and services). might be to redirect traffic to secondary service
cluster when the primary is overloaded.
Integrity: Ensuring communications are not Monitoring: Collecting rich data sets
altered in transit. describing both individual transaction data and
aggregate counters, and generation of graphs
and reports to summarize these.
Routing: Directing messages to different Adaptation/Transformation: Alteration of

destinations based on policy decisions. the physical data stream in flight. Can be used
to provide interface versioning, or to produce
entirely new aggregate services that combine
results from several individual service calls.
Policy Enforcement Protects Services
Policy
Decision Service
Point (PEP) Host
Policy
Policy
Enforcement
Enforcement
Message
Point
Point(PEP)
(PEP)
These devices were traditionally hardware-based, and deployed in an enterprise network DMZ to manage all XML-
based streams in or out of the organization. New technological developments now allow virtualization of all PEP
functionality so that it can easily be deployed either on-premise in the traditional data center, or externally in the
cloud. The new virtual PEP offers a lightweight deployment model that allows a closer binding to services, following
them through cloud deployment and making localized services governance practical.
Policy Enforcement on Outgoing Traffic

Applying policy enforcement to all outgoing traffic in your organization allows you to discover who is attempting to
use cloud services, and to manage this. You need to know
when an employee accesses a new SaaS service using their
credit card; you need to stop an unsanctioned use of PaaS
components by well-meaning developers; and you need to
regulate use of IaaS technology.
Policy access profiles allow continuous monitoring of

authorized cloud service activity, and provide a customer
view of usage that is critical to discovering vendor billing
discrepancies or identifying SLA violations. Outgoing policy
enforcement allows you to measure the value you are
deriving from each of your partners, suppliers, and every
third-party organizations with whom you engage
electronically.
Policy Enforcement on Incoming Traffic

The same deployment model is equally appropriate to manage traffic entering the corporate network. Application
of policy enforcement and monitoring across all incoming traffic provides a secure, managed gateway layer that
enables safe publication of internal services.
Consider the following use case. A third-party SaaS application requires access to data locked on a mainframe—
clearly a system that isn’t moving into the cloud soon. How can IT publish an interface to the mainframe that
ensures only authorized cloud services can access it, that protects the mainframe from Internet-originating attacks,
and that audits all access for charge-back purposes and

forensic investigation? A PEP installed in the DMZ can offer
all of these functions and more.
Policy is not just a way of articulating and enforcing security

requirements; it is the integration glue between systems. A
rich policy language meets the demands of business and IT,
offering both high-level contracts like SLAs and billing as well
as low-level details like dynamic routing, failover, and data
transformation.
Policy Enforcement on Cloud Services

Deploying virtualized, distributed vPEPs in front of cloud applications allows owners to protect and manage their
services. Application-level policy enforcement gives fine-
grained access control and in-depth understanding of use
patterns of actual services, instead of virtual machines. Not
only does this protect your data and applications from
unauthorized use, it allows you to manage the distribution of
requests to virtualized application instances, providing
balancing or failover within or between different vendors.
This provides the necessary abstraction layer that
discourages single-vendor lock-in.
Finally, the fusion of all three of these components enables

the hybrid on-premises, in-cloud deployment model, which is
the likely future for most organizations. Policy enforcement technology for clouds can create secure, managed
communications between legacy applications in the enterprise and new applications residing in the cloud.
Ten Things to Look For in a Cloud Governance Solution

These are the important factors to consider as you begin to look for a complete cloud governance solution:
1. Start with enforcement. In cloud environments, distributed enforcement is a much more difficult and
more pressing problem than asset management. Look first for a policy enforcement point that
simultaneously answers both of these needs. This offers immediate standalone value, but with the ability
to integrate with heavyweight registry/repositories when this need develops.
2. Form factors that take you from the DMZ to the clouds. Enforcement and monitoring must scale with no
functional differences, from the wiring closet to the virtual cloud. Hardware appliances will always have
their place, but now so do virtual vPEP appliances that can rapidly deploy in the cloud.
3. Distributed, virtualized management. Management systems for policy enforcement, whether on site in
traditional SOA or in the clouds, need to be distributable so that there is no single point of failure. These
consoles manage mission-critical applications. If a local network becomes segmented or a cloud provider
is inaccessible, the management components should be locally available on every enforcement point.
4. The ability to maintain a central system of record for critical assets. There must be a central,
authoritative system of record for assets like policies. Think of this as the library storing the laws of the
land: the police reference it, but certainly not on every call.
5. Loose coupling is a must between enforcement points and repository. Following on #4, enforcement
points must not be tightly bound to central repositories because of the latency and reliability issues in the
cloud.
6. The ability to author centrally, but deploy globally. Policy will move with your applications in the cloud.
Localized differences (time zones, IP addresses, SLAs, etc) must be mapped automatically during
provisioning. This is a hard problem, because policy itself is often riddled with unanticipated dependency.
7. Offer a global view of the application network. You need an application-centric management and
monitoring system. It must be accommodating to the subtleties of application protocols so it can provide
an actionable view of problems as they occur.
8. Flexibility in policy language. The mechanics of governance always come down to complex details in
security policy. It is through policy that you manage, adapt, and control all communications between
services. A richly expressive policy language will give you the tools you need to manage any situation.
9. Equally relevant to SOA as to the cloud. Think of cloud governance as evolved SOA governance. Any
cloud governance solution should be as applicable to traditional SOA as it is to the cloud.
10. Utilization of the cloud in the solution. If a vendor is serious about the cloud, shouldn’t a cloud
governance solution make use of cloud services?
Conclusions
In traditional, on-premises SOA, a governance program was easy to put off. Existing processes and security
technology are often good enough to manage simple scenarios, at least until a critical mass of services appears.
In the cloud, things are different. A single service is enough to demand that you implement a cloud governance
program. You should look to SOA governance for inspiration, and extend this to the cloud. Start with a strong
program of SOA governance. If you don’t have this already, this is a good time to start. Extend this into the cloud
using new, lightweight technology such as virtual Policy Enforcement Points. These will provide you with the
security and monitoring functions that are the foundation of SOA—or cloud—governance.
Appendix A - A Methodology for Cloud Governance

Your journey to cloud governance should begin with the fundamentals of traditional SOA governance. SOA
governance might be something you’ve been able to overlook until now, as informal process and existing security
on premise cover a lot. However, it is critical to lay this foundation before moving to the cloud.
The human elements of SOA governance transfer cleanly to the cloud. The challenge is to have the process and
policy in place so it is ready evolve to meet the additional vendor challenges that come with a cloud deployment.
Cloud Evaluation Phase

Do Your Homework – Many would argue that the cloud is little more than a repackaging of existing technology with
an attractive new name. There is some truth in this, but it doesn’t tell the whole story. The cloud moniker is
actually a victim of its own success; it has become a grab bag of loosely related ideas and technology. It is
important to identify which facets and interpretations of cloud are relevant to your organization. This can only
come if you spend time exploring the breadth of cloud technology, and recognizing the value proposition offered
by each of its segments.
Set Goals – SOA taught us that failing to set clear, measurable goals upfront very often led to project failure down
the road. We need to learn from this. Be honest and realistic about what you want to get from the cloud and you
will be successful. Ask yourself:
• Is it company prestige, or a desire to use cool new technologies?

• Is it about the team’s personal goals or those of the organization?
• Do you want to be in an advantageous position to rendezvous with new technologies down the road?
• Is this a force fit imposed by other parts of the organization?
• Is there a definable value proposition for you to go to the cloud? Can you articulate an ROI?
• Is it the simple economics of the capex to opex shift? Are there opex targets in place?
• Will your applications benefit from the coarse grained, replicated virtual image approach to parallelism
that cloud offers? Cloud does simple parallelism well; it doesn’t do hard parallelism, the kind computer
scientists have struggled with for decades, and which arguably grid failed to deliver. Does your application
lend itself to Map/Reduce approaches like Hadoop?
• Do you have unpredictable volumes you need to respond to, scaling either up or down rapidly? Is there a
danger in underbuilding, or overbuilding if you do it yourself?
• Is it a short-term project that would orphan equipment bought for it once it is complete?
• Do you simply not have the budget to build out your own data center?
• Does an aggressive schedule mandate use of the cloud?
Cloud Governance Definition Phase

Assess People and Culture – Cloud challenges traditional roles and responsibilities. Existing operations staff may
see it as a direct threat. In the cloud, tasks like application deployment often shift to development staff, a task they
may resent and see as an operational burden dumped on them. Do you have staff that is ready to step up to the
difficult role of managing provider relationships on an ongoing basis? Can you tap other parts of the organization
to access these skilled individuals? Does your staff naturally engage with new challenges or technologies, or do you
have a difficult evangelism task. And most important, do you have full executive sponsorship and support? Just
because the executive suite mandated your move to the cloud, don’t assume they will support you when the
journey become arduous.
Assess Process – Take stock of your existing processes around development, deployment, and operations.
Categorize them as follows:
• Relevant to the cloud now.

• Relevant to the cloud with modification.
• Cannot be made relevant to the cloud.
Use this as a basis for determining the gaps in process. There will certainly be new processes you must define, like
managing SLAs with providers. However, first you need to understand what you have before you can really
comprehend what is missing.
Assess Data – Take careful inventory of your data assets in the organization (if you don’t have this catalogued
already, now is the time to do it). Categorize these data into the following governance groupings:
• Must only reside inside of existing data center. This may be for security or compliance reasons. Take note
of special challenges, such as the data being locked up in a legacy mainframe application, but don’t let this
dictate it’s category. Physical or logistical reasons should be orthogonal this categorization.
• Could reside in a private cloud. Note that even a private cloud may be multi-tenant (tenants could
include other business units, business partners, or even third parties).
• Could reside in a public cloud.
Clearly, there is a hierarchy of loosening restriction here. The granularity of this is something you will have to
determine yourself. In a perfect world, you would categorize every field like this; however, this is clearly not
practical in most cases. Consider concrete logical dependencies and use these to aggregate fields for grouping.
Assess Applications and Services – Data isn’t the only corporate asset that may need a higher level of security or
trust than cloud can provide; services may also have special restrictions that require they be hosted on-premise.
This may be because of they are bound to sensitive data, or simply because some characteristic of their
operational behavior is a company secret (such as implementation of a proprietary algorithm).
There is a significant issue with current cloud solution offerings. They focus exclusively on management of virtual
instances, and in doing so miss a fundamental tenet of modern SOA: it’s about the services. If you put the emphasis
back onto services, your cloud governance strategy will naturally fall out of this.
Place your services into the same categories developed above for data. If you have an existing SOA, you are well
positioned because your services should be well documented.
Develop Relationship with Providers – Start this early, because it will take longer than you expect. Cloud technology
is about speed and agility; relationships are the opposite. You need time to understand the different value
propositions of each of the vendors. Furthermore, understand that these will change constantly as the industry
evolves, so the right provider one year may be the wrong one in the next. Respect the power derived from
continuity in relationships, but always be re-evaluating and ready to move.
Create lists ranking all relevant providers by the following criterion:
• By SLA – This is often about uptime and response time, but there are other factors to consider. What is
their backup policy, and how fast can they recover from a catastrophic data loss? Can you request
retrieval of old copies of data? How far back, and how often, are snapshots taken? What is the data
retention policy? Does your data stay on their backup media after you’ve terminated your relationship?
What happens to virtual images on disk once these have been spun down: is the disk image wiped clean
to your standards (some governmental agencies have very strict requirements for data erasure on disk,
including multiple passes with pseudo-random data streams)? What is the handling policy for passwords
and keys on their site? Which provider staff can escalate privileges and gain access to your virtualized
applications and data? What is the policy governing this? Who can access audits and can these potentially
leak information from your application? Will the provider even support you when investigating issues or
recovering data?
• By Security Capability – In a multi-tenant environment, how are virtual images kept separate from each
other? Can virtual images sniff packets, or spoof IPs? How does the provider segregate data? What about
infrastructure like queues or databases? What is the authentication and authorization model to access
management APIs or consoles? Does this scale to satisfy your needs on a corporate level (consider the
logistic point of view of key distribution, revocation of credentials, lifetime of keys or passwords, etc)? Do
they provide role-based or attribute-based authorization models? Are there mechanisms available to
avoid embedding security credentials inside virtual machines? Can their infrastructure federate with your
existing identity and access management system? What is the model for communicating with resources in
the enterprise (i.e. legacy applications, private clouds, people, etc)? Does it use open encrypted pipes like
a VPN that let all communications through without discrimination (very risky if anything is compromised),
or is it finely grained on a service-by-service basis (a much more secure approach)? What firewall
capabilities are available for virtualized instances?
• By Trust – Security is always about trust. To complicate matters, this isn’t just about building trust with a
single provider, but investing trust with all of their sub-contractors and other entities they have
relationships with that could affect you. One of the biggest challenges in cloud is the implicit transitive
trust issue you engage in with any vendor. Consider also the jurisdictions and locations they may operate
in. Does this put your data at risk of subpoena or seizure by foreign entities (for political or competitive
reasons)? Are their facilities in an area that meets your needs? Remember, in a cloud covering the planet,
local conditions can become startlingly relevant. Hurricanes are not your only problem; now you need to
worry about typhoons.
• By Lock-in – Most commercial cloud providers are building on the Xen hypervisor (Amazon included).
Unfortunately, that is about as standard as it gets. There are initiatives to create standards around cloud
VM formats and administrative APIs, but these efforts have only recently begun and will take some time
to mature.
Rationalize Relationships – Keep the short list of vendors you work with short—recognize that any good business
relationship takes constant maintenance and considerable effort upfront. Continuously monitor the changing
marketplace, be ready to move, and don’t try and maintain more than two or at most three separate provider
relationships. Institute a quarterly review period and evaluate what has changed. Avoid long term contracts—the
market is changing too rapidly to make this a prudent strategy.
Cloud Governance Execution Phase

Start Small, Start Local – Successful SOA projects never started with a big bang; instead they began as a small-scale
proof-of-concept that acted as a reference case for other projects in the organization. Cloud should follow the
same path to success.
Implement Soft Policy for Clouds – You need to control unmanaged employee access of cloud resources.
Implement a policy as soon as possible that doesn’t forbid it, but encourages partnering with a local center of
excellence for clouds. This provides some control and monitoring without discouraging innovation or
compromising agility. Ensure it can provide some value to staff engaging with it, such as leverage of existing
provider relationships or simply expertise and perspective on cloud opportunities.
Build Management and Monitoring Layer – This is the single most important piece of infrastructure you need to
invest in. Traditional SOA advocated starting with heavyweight registry and repository infrastructure. In contrast,
cloud and modern SOA is about the realization that enforcement and monitoring tools are where the real value
resides. This technology is the cornerstone of cloud governance.
Setup Policy Enforcement Points (PEPs) in DMZ – Start by protecting the resources you already have. Placing PEPs
in the DMZ allows you to manage access to internal resources, whether partners or cloud applications use them.
This also provides the base infrastructure you need to manage outgoing access to cloud resources. Starting in a
familiar environment, such as your own DMZ, gives staff valuable experience in managing this infrastructure
before you begin to deploy it into the cloud.
Deploy Virtual PEPs into the Cloud – Next, begin to deploy virtual PEPs. You can optionally begin by deploying these
throughout your organization, creating a robust defense-in-depth strategy in your application network. As you
move applications and services into the cloud, bind them to virtual PEPs that also reside in the cloud, giving you
policy-driven control over security and monitoring of every service you host.
Integrate Heavy Components Later – Modern PEPs provide all the functionality you need for a governance story,
including local persistence and lifecycle management of all-important assets like policy and service descriptions. As
your usage expands, look to centralized management products that integrate seamlessly with the PEPs. This might
also be a cloud service.
Operational and Review Phase

Evaluate Success, Evaluate Failure – If you started with clear goals, this should be easy. Be honest about the
failures—every project has them
Refine and Repeat – Cloud governance is an ongoing process. Set up a steering committee that meets regularly to
evaluate the state of the project and to institute change when necessary.
About Layer 7 Technologies

With offices in San Mateo, California; New York, New York; and Vancouver, British Columbia, Canada; Layer 7
Technologies helps enterprises accomplish secure and cost-effective business integration using XML and Web
services. Layer 7 Technologies’ SecureSpan™ Solution is the first technology that addresses security and
governance across a Web services integration without expensive and inflexible programming. With the
SecureSpan™ Solution, customers realize lowered integration costs, increased security reliability, and the ability to
future-proof their Web services investments. Contact Layer 7 Technologies or visit www.layer7tech.com for more
information.
Contact Layer 7 Technologies

Layer 7 Technologies welcomes your questions, comments, and general feedback.
Email:
info@layer7tech.com
Web Site:
www.layer7tech.com
Phone:
(+1) 604-681-9377
1-800-681-9377 (toll free within North America)
Fax:
604-681-9387
Address:
1200 G Street, NW, Suite 800
Washington, DC 20005
Suite 405-1100 Melville Street
Vancouver, BC
V6E 4A6 Canada
Legal Information
Copyright © 2010 by Layer 7 Technologies, Inc. (www.layer7tech.com). Contents confidential. All rights reserved.
SecureSpan™ is a registered trademark of Layer 7 Technologies, Inc. All other mentioned trade names and/or
trademarks are the property of their respective owners.

Steer Safely Into The Clouds

Загружено:

Сведения о документе

Оригинальное название

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Steer Safely Into The Clouds

Загружено:

Авторское право:

Доступные форматы

Steer Safely into the Clouds

The Disruptive Grassroots Revolution .................................................................................................. 4

Cloud Control ............................................................................................................................................ 5

Policy Enforcement on Incoming Traffic ............................................................................................... 8

Policy Enforcement on Cloud Services .................................................................................................. 9

Ten Things to Look For in a Cloud Governance Solution .......................................................................... 9

The Cloud Enablers

Quick In/Quick Out

The Disruptive Grassroots Revolution

Governance in SOA Forecasts Governance in the Cloud

Cloud Governance Makes Clouds Safe

What is Cloud Governance?

How Does Cloud Governance Help Me?

Authentication: Interfacing with most identity Audit: Collection of information related to

Authorization: Fine grained authorization Alerts or Events: Synchronous or

Confidentiality: Acting as an SLA: Enforcement and/or alerting of various

Routing: Directing messages to different Adaptation/Transformation: Alteration of

Policy Enforcement Protects Services

Policy Enforcement on Outgoing Traffic

Policy access profiles allow continuous monitoring of

Policy Enforcement on Incoming Traffic

and that audits all access for charge-back purposes and

Policy is not just a way of articulating and enforcing security

Policy Enforcement on Cloud Services

Finally, the fusion of all three of these components enables

Ten Things to Look For in a Cloud Governance Solution

Appendix A - A Methodology for Cloud Governance

Cloud Evaluation Phase

• Is it company prestige, or a desire to use cool new technologies?

Cloud Governance Definition Phase

• Relevant to the cloud now.

Create lists ranking all relevant providers by the following criterion:

Cloud Governance Execution Phase

Operational and Review Phase

About Layer 7 Technologies

Contact Layer 7 Technologies

Вам также может понравиться