Cloud Computing: Advice for Application Control Freaks
The whole point of cloud computing is to easily leverage services you don't have to build and operate yourself. How do you make sure that the things you depend on will really be there over time?
Tue, March 29, 2011
CIO — In the good old days that weren't so good, we suffered from DLL hell: the need to find and certify libraries that we didn't write but did depend on. Cloud computing presents an analogous challenge with services we want to use, but don't really control. You might not see it the short run, but if you plan to have clouds applications operational over years, this can present a very real issue.
What strategies can be used to cope with the inevitable problem of cloud control?
In private cloud deployments, your organization has paid vendors for services or paid your own developers to create them. Consequently, standard contractual and configuration management tactics will work pretty well. So the basic function of the service — and the "API contract" — can be assured over time.
But that doesn't mean the service will really be useful: the security controls and user access privileges must be maintained, even as the services evolve and take on new user communities. For example, the CRM's sales cloud needs to be able to interact with the accounting system's commissions cloud, so that reps can plan for their boat payments and sales managers can design next quarter's sales contest. Since commissions are highly privileged compensation data, the accounting cloud will have careful controls on who can see what. As the accounting cloud is expanded by your team over time, its security policies may be modified in ways that are exactly correct within the domain of its cloud. But the ramifications of those policies on the CRM cloud can mean that users won't be able see what they're supposed to any more.
These security and access issues were probably handled when the clouds were initially integrated, but there needs to be an ongoing mechanism for accommodating the evolution that inevitably occurs across all the cloud services you depend upon. The classic security review / configuration control board needs to be extended up into the cloud.
Of course, there are tools and infrastructure that promise to make SOA governance a snap. But the reality I see with clients is that the solution is more about people, policies, and information sharing than it is about buying a product. Eighty percent of the problem is going to be solved with a well-cultivated wiki with people who know how to write and are empowered to manage the cross-cloud issues. Since these will be required as part of deploying an SOA governance product in any case, why not start with the basics and see how far you can get.
Slideshow: What is Cloud Computing?