Q&A: Cloud Policies 101
What should cloud policies address and how do these policies help IT deliver self-service features for users?
Enterprises are coming to terms with cloud technology, which provides self-service access to a wide variety of applications and services. How should IT manage its cloud policies -- what should those policies cover and how do they help IT deliver self-service features for users? To learn more, we turned to Eric Pulier, the CEO of ServiceMesh, the developer of an enterprise cloud management platform. Pulier is also the executive director of the Enterprise Leadership Council.
Enterprise Strategies: What is the purpose of cloud policies? What areas should they address?
Eric Pulier: Think of it this way. The cloud enables a new IT operating model that provides self-service, on-demand access to applications and services to business users and developers. Without proper policy-based governance, compliance, and security controls in place, the enterprise is at massive risk. Policy-driven governance is necessary to avoid reckless use of cloud-based resources, also sometimes known as “shadow IT.”
Ungoverned IT usage can result in very real and dangerous consequences such as when corporate data is exposed, services go down, regulations are violated, backup plans are overlooked, or a myriad of other IT safeguards are ignored. A lack of control over who can provision a workload to the cloud, where it can be deployed, for how long, and at what cost or capacity is a recipe for disaster.
There are many areas that policies must address:
User/group access: to limit access to cloud services including role-based access controls (RBAC) and federated identity management
Asset entitlement: to restrict user access to specific assets types, such as operating systems, middleware components, scripts, and topologies
Deployment: to limit deployment of workloads and data to authorized environments based on a wide range of policies (PCI, HIPAA, localization policies, geographic constraints, and other governance and security mandates)
Orchestration: to apply multiple layers of policies across assets and services in order to enforce configuration management standards and standard operating environments (SOE)
Service-level agreement (SLA): to dynamically scale-up and scale-down application/platform topologies based on compound auto-scaling rules and performance thresholds
Security: to enforce security-zone compliance using policies that orchestrate host- and hypervisor-based firewalls, AV, HIDS, virtual networking, data encryption, and other security tools and utilities
Life cycle events: to enforce policies at various life cycle events such as startup, shut down, and SDLC code promotion
Backup and failover: to enforce high availability and disaster recovery policies
Resource constraint: to limit the maximum number IT resources consumed including instances, CPUs, memory, etc.
Lease and scheduling: to control the duration and scheduling of instances deployed
Chargeback/metering: to limit resource consumption and meter consumption based on customizable pricing models
Dynamic work: to monitor event streams from workloads and third-party systems and perform compound event correlations to execute pre-defined policies and actions when thresholds are exceeded
How are these policies different from other enterprise IT policies, such as security policies?
They are different in that they must be enforced dynamically across a federation of private, public, and hybrid clouds, across the full life cycle of applications, and without manual intervention to achieve the on-demand, self-service IT operating model that the cloud engenders. Note that security policy is an important aspect of cloud policy.
How does such a policy help heavily regulated enterprises deliver self-service initiatives?
This question is best answered by providing an example:
Consider the enterprise that needs to enforce cloud deployment policies based on individual software project requirements such as regulatory constraints, cost, security zone, geography, and other attributes:
Marketing application project is OK to be deployed in Amazon EC2 public cloud
German development team can only deploy to localized EU-based cloud environments
Sandbox users can only deploy to compute resources < $125 per month
Payment processing team can only deploy their application to PCI-compliant clouds
The “Wealth Mgmt” dev team can only deploy projects in the “DC4 Trusted” security zone (which is a custom extension of the meta model).
Here is our definition of the new cloud IT operating model: Self-service, on-demand IT means business users, developers, and others automatically provision and manage applications, services, and application platforms and associated infrastructure resources themselves, with no requirement for manual intervention by IT. Without policy in place and the ability to orchestrate the deployment and management of complex application topologies, you cannot achieve this. There will have to be manual approvals and intervention by IT, which obviates the idea of self-service, andon-demand access to resources.
In your experience, how well are enterprises doing in creating and maintaining their cloud policies?
Our experience is that they need a policy-driven framework within a cloud management platform that provides an extensible meta-model to allow the creation and enforcement of any custom governance, compliance, and security policy. Without this framework, they flounder.
What's getting in their way? What tools or services would help them do a better job?
Truth is that they are often hampered by tools that came from either run-book automation or virtualization automation and re-branded as "cloud-ready.” These tools focus on workflows that simply implement the existing, manual, and inefficient IT operating model in a product. At scale, the workflows become impossible to maintain and are almost impossible to write in a way that accommodates the entire application life cycle.
Other approaches include rigid, pre-defined cloud deployment policies that do not meet the needs of real enterprises. There is much more to cloud policy than simply where a particular application can be deployed and, once again, the life cycle state of the application is ignored. We have had numerous customers adopt our solution after struggling for months trying to use these tools to achieve a cloud-operating model (on-demand, self-service IT). Sorry to be blunt, but this is a fact. They required a cloud management platform with a policy driven framework as I mentioned.
What products or services does ServiceMesh offer for building or managing cloud policies?
The ServiceMesh Agility Platform delivers robust policy-based IT governance and security controls based on an extensible meta-model, enabling the creation and enforcement of an unlimited range of custom policies. These declarative, application-centric policies provide fine-grain control over users, groups, projects, workloads, environments, schedules, quotas, billing, security, and any other parameter in the meta model. Agility Platform can programmatically handle policy conflict resolution, and provides complete visibility/accountability through policy auditing and reporting. The Agility platform provides and extensible meta-model that allows enterprise to enforce governance, compliance and security across a federation of public, private and hybrid clouds. The solution also provides a drag-and-drop visual policy editor to speed policy creation.