In many ways the concept of federated cloud is ironic. Cloud computing rapidly gained traction because of its ability to manage the complexity of multiple legacy environments while consolidating infrastructure. But as organizations move forward with various cloud initiatives, many CIOs are now wrestling a sprawl of clouds that seems to be spinning out of control. \n"We've seen a lot of business people who are going rogue and making investments in the private cloud as opposed to working together with the CIO to develop a unified plan for how best to leverage the cloud," says Peter High, president of Metis Strategy. "While many different parts of the business are making these decisions independently, when you add them up, these decisions may be very disparate." \nBeth Cohen, technology thought leader with Cloud Technology Partners, echoes those sentiments. "We're also seeing a lot of business units hopping onto the cloud in various ways that is causing a headache for CIOs," she says. "There is no question that CIOs are starting to think about the federated cloud." \nConsider the following: \nBusiness unit leaders, intent on accelerating time to market, are dialing up public cloud application services almost on a whim. Executives can get immediate access to sophisticated customer relationship management, human resource management, and many other services in minutes by filling out online forms and providing a corporate credit card. Enterprise IT organizations often have no idea that external providers are supporting these business processes. But it is happening, and at an accelerating pace. Gartner expects the worldwide software as a service (SaaS) market to grow by 21 percent in 2011 alone. \nA growing number of application development teams are turning to external infrastructure resources. Faced with stringent make-or-break deadlines, many developers are spinning up processing and storage resources from external infrastructure vendors to test new ideas and even roll out new services. They simply do not have the time or the financial resources to wait for IT organizations to requisition and implement traditional servers and platforms. Application development is just one of many demand factors that have prompted analysts at Technavio to predict that the global Infrastructure-as-a-Service (IaaS) market will grow at a 48 percent clip between now and 2014. \nMeanwhile, IT organizations respond to unexpected competition from public cloud providers by web-enabling their own internal infrastructures. One of the reasons a lot of business is going outside of IT is for the self-service that many public cloud services offer. "It is going to become imperative that internal IT develop some kind of self-service mechanism," says Cohen. Technavio says the private cloud server market is currently growing at a compound annual growth rate of 12.7 percent. \nCIOs, in short, are facing a mixed bag of cloud environments that need to be integrated and managed to ensure operational efficiency, strong security and good governance. That's where federated cloud comes in. Federated cloud frameworks allow for the deployment and integrated management of multiple external and internal cloud computing services. \n\nThree basic types of connections need to be made: \nPublic cloud-to-private cloud \nPrivate cloud-to-private cloud \nPublic cloud to public cloudPublic Cloud-to-Private Cloud Integration\nOne of the key initial challenges CIOs face is getting a handle on exactly how much public cloud activity is happening. In many instances, the first time the IT organization gets a clue that an external service is being used is when a call comes in to address a problem with a cloud provider. \nOnce they are identified, IT leaders can reach out to determine why the business units bypassed internal resources in favor of cloud providers, then define a path forward that makes sense for both end users and IT. Many CIOs find internal options to public cloud providers are not adequate. This leaves IT with the option of resisting end user demand for the service or figuring out how to responsibly enable business units to access these services in a more secure and compliant manner. \nIf, as is increasingly the case, companies select the latter option, then the IT organization can serve as a central clearinghouse of public cloud providers to the enterprise. It becomes the responsibility of the CIO to create processes and mechanisms that end users can employ to purchase third party services in a risk-adjusted and appropriately supervised manner. The key responsibility of IT is to ensure that proper data controls are in place. Also important is ensuring that enterprise data pushed to a public cloud provider can be brought back in to the enterprise quickly and securely if need be. Additionally, the IT organization can explore opportunities to establish integration points between public cloud applications and internal assets using application programming interfaces. Private Cloud-to-Private Cloud Integration\nMost organizations that move forward with private cloud initiatives do so at a departmental level. In many cases, cloud efforts build on virtualization initiatives that consolidate data center investments and optimize resource utilization. As a result, most Fortune 1000 companies have multiple private cloud environments in different stages of maturity. \nThere is a growing consensus that the key to managing internal private cloud sprawl revolves around the adoption and disciplined deployment of IT Service Management principles. This provides a common approach to designing web-based cloud services provisioning capabilities across the enterprise. It will also go a long way toward facilitating internal cloud integration. Public Cloud-to-Public Cloud Integration\nAs CIOs develop their federated cloud strategies, one of the things they want to avoid is being locked into a particular vendor or service provider. As a result, many IT organizations are looking for ways to enable data portability. CIOs want the ability to move data from one cloud provider to another if they are dissatisfied with the service they are receiving. \nAt this point in the young history of the cloud, there are no broad, well-accepted public cloud standards. However, because of the web-centric focus of most cloud architectures, it is relatively easy to develop APIs to enable this portability. Best Practices\nThe federated cloud concept is still new. Nevertheless, given the double digit pace at which all categories of enterprise cloud computing are growing, it will be critical for CIOs to establish a unified framework for managing these environments. \nErik Sebesta, founder and chief architect and technology officer for Cloud Technology Partners, has been helping clients build an application development framework. Clients go through their application portfolio and determine where each application should live and which are mission critical, meaning core to the enterprise with sensitive data. \n"As a result, it comes down to where an application should be built. Should it be built on a public platform as a service, on a private platform as a service? Should it be migrated to a SAAS platform? Should it be brought into a managed service?" Sebesta says. "The starting point is really to develop an application decision framework and from there, build out solutions." The common framework must provide governance guidance on what type of applications and data are allowed to go into the public cloud environment, and what must stay inside the firewall in a private cloud environment due to regulatory and corporate compliance requirements. The framework should also offer insight into how management and monitoring resources can be shared and optimized to create transparency and facilitate integration across all of the cloud environments. \nIrfan Saif, who leads Deloitte's security and privacy practice for the technology, media and telecom sectors, believes that defining a holistic strategy is critical with any cloud implementation. Users must also understand their responsibilities, especially as they relate to regulatory compliance, security and risk management. Where are the lines drawn? What kinds of specific requirements do you have? How can you make sure they are adequately embedded into the contract? \n"Make sure you have a vehicle to go out and test these third party solution providers to make sure they are doing what they say they are doing and that they are in compliance with the requirements you are putting on them," Saif notes. "Ultimately the responsibility lies with you. It's your data or it's data about your customers."