As the cloud market matures, more businesses expose key data to cloud-based applications. Public cloud gives way to the hybrid cloud model, which hosts data in both public and private clouds with orchestration between the two. And the use of software as a service to mash up intricate application suites adds another layer of complexity. All of these trends require the enterprise to establish a solid cloud governance and compliance strategy.
Remaining in private cloud to dodge compliance issues is no longer an option. Public cloud economics are too compelling to ignore. And the lure of public cloud sparks shadow IT, which can quickly eat into IT's budget and crush any chance for governance.
Moreover, central IT needs public cloud. Job streams are rarely smooth, with loading peaks and valleys. Additionally, designing for peak loads is expensive and leaves equipment idle. Instead, consider cloud bursting, where supplemental public cloud instances handle peak loads.
So how do you ensure a solid governance strategy in a SaaS and hybrid cloud world? First, it must be agile. A governance system can't be too bureaucratic, or shadow IT users will ignore it. Governance must trickle down from SaaS and public cloud service providers.
It pays to be humble. Asking public cloud giants like Google or Amazon Web Services to comply with your written policy is a non-starter. Instead, ask about their governance framework and determine which vendor's strategy best meets your needs.
Next, determine how you, as a cloud tenant, can build extra governance requirements into your own apps and instances. For example, you could build virtual private networks (VPNs) in a hybrid cloud, which will become easier as software-defined networking (SDN) usage grows. Also, factor in authentication.
Sifting through hybrid cloud governance options
Data governance is crucial in all of this. Why push governance policies when a hacker can download your key data? There are several solutions. To avoid data loss, keep all data in a private cloud, and allow public instances to fetch from the private store. This is a sound strategy if fast data links are available. Telcos are rising to the occasion, with colocation for private data stores and dedicated fiber links to public cloud providers. NetApp and Microsoft Azure pioneered this, but other vendors are jumping on the bandwagon.
But this approach has its drawbacks, including its reliance on fast links back to the private data center. Without these links, private cloud performance suffers. Full colocation, or managed clouds, addresses this.
Alternatively, organizations can maintain data in public and private cloud -- but it's not recommended. There are sync issues, and compliance is questionable. It also raises the question of whether to encrypt data at rest or in transit. Because of performance limitations, very little data is currently encrypted. The possibility of hackers or government agencies executing man-in-the-middle attacks makes any of the aforementioned hybrid cloud models vulnerable.
Encryption services are still in development. New, specialized hardware may accelerate things, but encryption remains a luxury that's generally only used on confidential data that won't enter the public cloud. To protect the bulk of our data, the best we can do is build better firewalls, virus detectors and threat monitors -- and, of course, use them properly.
With an approved vendor approach, there's a good chance you'll gain IT's loyalty, along with some governance over shadow IT. Agility is key, with responses to requests in a day or two, versus the nine months legacy IT shops often quote.
SaaS vendor selection will cause much of the angst. Rather than trying to prevent SaaS, central IT needs to build a "shop" where all of the drudge work -- contracts, evaluation and testing -- is done for the departmental buyer.
Cloud governance is still very much a work in progress. It will take some time, and might slow the hybrid cloud movement as a result.
About the author:
Jim O'Reilly was vice president of Engineering at Germane Systems, where he created ruggedized servers and storage for the US submarine fleet. He has held senior management positions at SGI/Rackable and Verari; was CEO at startups Scalant and CDS; headed operations at PC Brand and Metalithic; and led major divisions of Memorex-Telex and NCR, where his team developed the first SCSI ASIC, now in the Smithsonian. Jim is currently a consultant focused on storage and cloud computing.