Governance Meets Cloud: Top Misconceptions

The biggest fact that organizations building out cloud environments don't understand about governance in the new world of infrastructure-as-a-service (IaaS) is that, despite the handoff of certain IT functions, the responsibility around governance still remains at home.

Within the structure of traditional IT, companies could skirt some of the real governance challenges by clamping down on certain deployment scenarios and keeping anything questionable within the four walls and security controls of internal IT. That's not so easy with a true cloud environment, which mixes it up between private and public clouds, ultimately with applications running between the two, depending on demand and use case.

"What's great about cloud computing is that it offers a great deal of agility, but that poses a governance challenge," said Bernard Golden, VP of enterprise solutions at EnStratus, a provider of cloud management and governance tools. "In the past, even if you didn't do governance quite right, everyone and everything was still in the same sandbox. But now you can't rely on that."

[ Converting Your Product To Cloud Service? Consider these lessons learned from Salesforce.com and others. ]

If not having any wiggle room around the governance problem is a wake-up call, so too is the realization that it's not the cloud provider's problem. Most IaaS cloud providers, even those with Payment Card Industry (PCI) or other regulatory compliance certifications, will take responsibility for securing their data centers and the services that run within them, but they stop short of taking ownership for anything done atop of their virtualized infrastructure, cautioned James Staten, VP and principal analyst at Forrester Research. "The cloud provider is only partially responsible for governance, only up to the point of abstraction where their services stops," Staten said. "All the rest is yours."

What does that gap--or as Forrester describes it, the "uneven handshake"--mean in terms of a real cloud-based application? Consider a website that processes credit cards. The cloud provider is responsible for meeting PCI requirements in the data center, through the virtual machines, up through the storage volumes and network infrastructure that's assigned to the customer.

However, it's still the customer's responsibility to document how they protect the application, how security patches are applied to the operating system, whether data is encrypted in flight, or what ports are open to the outside world. "People go to a cloud provider that has a PCI-DSS data security certification and think they're covered and have nothing to worry about, but it's not true," Staten sais.

Even companies attuned to the unique challenges of governance in the cloud often underestimate the delicate balancing act of leveraging the self-service and agile benefits that the cloud affords, with the requirement to maintain and manage some centralized controls. "In the cloud world, one of the things that you're really driving towards is this notion of self-service, but the challenge is how to square that up with governance," said Dave Roberts, VP of strategy and evangelism at ServiceMesh, a cloud management tool provider. "You need governance that works in a way that respects the creative process and fosters it, yet at the same time, ensures that things get verified and checked."

Some, like Roberts, make the case that effective governance in the cloud isn't really possible without some sort of automation that leverages prescribed rules to ensure the right security levels and access policies are applied, that workloads are dispatched to the proper environments, or that data isn't moved to a jurisdiction that it shouldn't be, based on global regulatory standards. Given the agile nature of a true cloud, traditional governance processes (many of which can require human intervention) just won't cut it in this new environment, according to Roberts.

"The cloud is very dynamic, and old processes just can't keep up," he explained. "Anything that requires a human signature or a human in the loop to do provisioning is too slow. You need a machine system to enforce governance rules, and it needs to be built for high volume without human intervention."

Another issue to consider to ease the burden of governance in the cloud is leveraging internal IT policies and directory services like LDAP so there is a consistent view of access rights and policies across both internal and external systems. Having the ability to orchestrate fine-grained access controls for who does what is another consideration when evaluating cloud providers along with cloud management and governance tools, experts say.

Finally, beyond any new technology to throw at governance, companies also need to look at their organizational models and ensure governance isn't the sole responsibility of IT. "This is not a case of IT guys buying governance software and deploying it," Roberts says. "You need to get the company's compliance officer involved, the security officer involved, and the business units involved, so the rules are clearly understood. It's a people and organizational issue beyond any simple technology issue."

InformationWeek is conducting a survey on the current state of compliance within the enterprise: How many regulations are in scope? Which are most important? How easy is it to get vendors to toe the line? Upon completion of our survey, you will be eligible to enter a drawing to receive an 32-GB Apple iPod Touch. Take our InformationWeek 2012 Compliance Survey now. Survey ends May 11.