Governing cloud applications across the enterprise

While cloud computing is an attractive alternative for organisations seeking to reduce their IT overhead, it’s not without its challenges. When moving applications and data into the cloud, some executives fear they will be giving up control and possibly compromising security.

To address these concerns, it is critical that IT management establish firm control and oversight over cloud initiatives. Cloud governance, which is a logical evolution of SOA governance strategies, offers a means to assert control over both internal and external applications and data. It also provides a unified, application-centric view of IT throughout the data centre and into the cloud.

Traditionally, managing applications as they transition between environments, such as during the migration from development to test and then production, has been challenging. The issue is usually not the code, but the application’s dependencies on other systems.

Directories, firewalls, Identity and Access Management (IAM), audit sinks, additional service providers—each of these may play an important role in the operation of a modern distributed system and can be challenging to coordinate when an application is promoted through its natural lifecycle.

This dependency problem is exacerbated when moving applications between the organisation and the cloud. The need to support elasticity, the potential benefits from brokering between different providers and the fundamental differences in how identity is validated all conspire in the cloud to make simple, scripted migration solutions impractical.

Modern applications rarely operate alone. Rather, they are assemblies of new code and existing services all shaped by the attributes of their environment. Multiple factors such as hardware architecture, libraries and operating systems all contribute dependencies to an application, adding complexity to any migration.

To help manage dependencies, organisations have parameterised connection descriptions and consolidated them as properties in a file or central registry. Migration scripts then read those properties to drive the move between environments. Since the scripts are usually hand coded for each application, it is a time-consuming process that is difficult to maintain over time.

When organisations began embracing Service-Oriented Architecture (SOA), they realised that many dependencies could be isolated from an application using externalised Policy Enforcement Points (PEPs). The PEPs take on the role of security gateway and by extension assume responsibility for external service dependencies.

In some ways, this is simply moving the dependency from one entity to another. However, PEPs are designed to effectively parameterise these dependencies as elements associated with an application.

This strategy of delegating security and management to an external PEP has proven its value in on-premise SOA. However, an on-premise SOA environment is more conducive to strong, centralised control, maintained by a staff organised into dedicated silos of responsibilities.

In this setting, PEPs are extremely effective at isolating security and management dependencies from applications and promoting a simple migration strategy for software within an enterprise.

New frontier: the cloud presents new challenges

The cloud presents new challenges due to its elastic nature and openness. Infrastructure that was readily available on-premise may not be accessible to cloud-resident applications. Elasticity can also be difficult to manage when traditional applications depend on external services to function.

The first step to safely deploying applications to the cloud is policy enforcement. In cloud environments, distributed enforcement is a more difficult and pressing problem than asset management. Management systems for policy enforcement need to be distributable so that there is no single point of failure.

These systems manage mission-critical applications: if a local network becomes segmented or a cloud provider is inaccessible, the management components should be locally available on every enforcement point. Finally, enforcement points must not be tightly bound to central repositories because of latency and reliability issues in the cloud.

Policy enforcement and monitoring are absolutely essential to cloud governance. Policy enforcement technology for clouds can create secure, managed communications between legacy applications in the enterprise and new applications residing in the cloud.

Policy is not just a way of articulating and enforcing security requirements: it is the integration glue between systems. A rich policy language meets the demands of business and IT, offering both high-level contracts like SLAs and billing as well as low-level details like dynamic routing, failover and data transformation.

Deploying virtualised, distributed policy enforcement points in front of cloud applications allows organisations to protect and manage their services. Application-level policy enforcement gives fine-grained access control and in-depth understanding of use patterns of actual services instead of virtual machines.

Not only does this protect data and applications from unauthorised use, it also ensures that the distribution of requests to virtualised application instances is properly managed.
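As an added example, not code from the article or from Layer 7, the sketch below shows the enforcement model described above in Python: a PEP that keeps a local copy of its policy so it can keep authorising and routing when the central registry is unreachable, applies per-operation access control, and fails over between virtualised application instances. The policy document, service name, roles and instance URLs are all constructed for the example.

```python
import json
from dataclasses import dataclass, field

# Constructed sample policy: what a PEP would pull from a central registry and
# cache locally so enforcement continues if the registry becomes unreachable.
LOCAL_POLICY_CACHE = json.loads("""
{
  "service": "orders",
  "access": {"getOrder": ["clerk", "manager"], "cancelOrder": ["manager"]},
  "routes": ["https://orders-a.example.internal", "https://orders-b.example.internal"]
}
""")


class RegistryUnavailable(Exception):
    """Raised by a registry fetch when the central repository cannot be reached."""


def unreachable_registry():
    # Hypothetical registry client that simulates a partitioned network.
    raise RegistryUnavailable("central policy registry not reachable")


@dataclass
class EnforcementPoint:
    policy: dict
    unhealthy: set = field(default_factory=set)  # instances marked down by health checks

    def refresh(self, registry):
        """Try to pull fresh policy; on failure keep enforcing the cached copy."""
        try:
            self.policy = registry()
            return "registry"
        except RegistryUnavailable:
            return "cache"

    def authorize(self, operation, roles):
        """Application-level check: is any of the caller's roles allowed this operation?"""
        allowed = self.policy["access"].get(operation, [])
        return any(role in allowed for role in roles)

    def route(self):
        """Pick the first healthy instance; None if every instance is down."""
        return next((u for u in self.policy["routes"] if u not in self.unhealthy), None)

    def handle(self, operation, roles):
        """Returns (decision, target): deny, unavailable, or forward to an instance."""
        if not self.authorize(operation, roles):
            return ("deny", None)
        target = self.route()
        return ("forward", target) if target else ("unavailable", None)
```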

Although the cloud presents challenges, it also presents significant benefits, including reduced costs and increased flexibility. Before embracing cloud computing, it is critical that organisations have policies in place to govern and migrate their applications. Applying what we have learned from SOA, such as bundling applications with their dependencies, is the first step to making the move to the cloud.

Scott Morrison is the Chief Technology Officer and Chief Architect at Layer 7 Technologies, providing the visionary innovation and technical direction for the company. He has extensive technical and scientific experience in a number of industries and universities, including senior architect positions at IBM.