Along with its benefits, cloud brings a number of sometimes unwelcome fellow travelers. Among them are governance, authentication gateways (and whether to use them), and security in general. While these issues resemble those found across the IT landscape, they are not identical.
To be sure, governance for SOA is a first step toward governance for cloud. According to Joe McKendrick of Joe McKendrick Research, accessing services across multiple platforms and systems is the essential challenge of cloud. “In the cloud, a service may be called from an application that is called by another application that is called by an end user. In other words, an authenticated end user may be two, three, four times removed from the actual service being accessed,” says McKendrick. This creates new types of challenges for authentication and access control -- a need for enterprise-level, standardized access control that cuts across all these degrees of separation, he says.
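The chained call McKendrick describes, as an added illustration (not code from the article or from any analyst quoted in it): a single enterprise identity service signs tokens; before each service calls the next, it exchanges the token it received for one that records it as an additional actor, in the spirit of the "act" claim of RFC 8693 token exchange, and the service at the end of the chain authorizes on the original user rather than on its immediate caller. The key, service names, user and scopes are hypothetical.

```python
"""Carrying the end user's identity through a chain of service calls.

Added illustration, not code from the article or from any analyst quoted in
it. Assumptions (all hypothetical): one enterprise identity service signs
tokens with an HMAC key; before a service calls the next one it exchanges the
token it received for one that records it as an additional actor, in the
spirit of the "act" claim of RFC 8693 token exchange. The service at the end
of the chain authorizes on the original user ("sub"), not on its immediate
caller, and refuses chains that are too long or contain unregistered actors.
"""
import base64
import hashlib
import hmac
import json
import time

KEY = b"hypothetical-enterprise-signing-key"  # in practice held in a KMS/HSM
REGISTERED_SERVICES = {"web-portal", "order-api", "billing-svc"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims: dict) -> str:
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"


def verify(token: str) -> dict:
    body, mac = token.split(".")
    expected = hmac.new(KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(mac)):
        raise PermissionError("bad signature")
    claims = json.loads(_unb64(body))
    if claims["exp"] < time.time():
        raise PermissionError("token expired")
    return claims


def login(user: str, scopes: list, ttl: int = 300) -> str:
    """Identity service issues the first token when the end user authenticates."""
    return sign({"sub": user, "scope": scopes, "act": [], "exp": int(time.time()) + ttl})


def exchange(token: str, actor: str) -> str:
    """Identity service re-issues a token with one more actor on the chain."""
    claims = verify(token)
    if actor not in REGISTERED_SERVICES:
        raise PermissionError(f"unregistered actor {actor}")
    claims["act"] = claims["act"] + [actor]
    return sign(claims)


def authorize(token: str, required_scope: str, max_hops: int = 4) -> dict:
    """Decision at the service actually being accessed, several hops away."""
    claims = verify(token)
    if required_scope not in claims["scope"]:
        raise PermissionError(f"user {claims['sub']} lacks scope {required_scope}")
    if len(claims["act"]) > max_hops:
        raise PermissionError("delegation chain too long")
    return {"user": claims["sub"], "chain": claims["act"]}


def decide(token: str, required_scope: str) -> dict:
    """Wrap the decision so that every refusal is recorded rather than lost."""
    try:
        ok = authorize(token, required_scope)
        return {"allowed": True, **ok}
    except PermissionError as exc:
        return {"allowed": False, "reason": str(exc)}


def tamper(token: str, extra_scope: str) -> str:
    """What someone sitting between two hops might try: edit the claims, keep the old MAC."""
    body, mac = token.split(".")
    claims = json.loads(_unb64(body))
    claims["scope"].append(extra_scope)
    return f"{_b64(json.dumps(claims, sort_keys=True).encode())}.{mac}"


if __name__ == "__main__":
    t = exchange(exchange(login("alice", ["orders:read"]), "web-portal"), "order-api")
    print(decide(t, "orders:read"))                           # allowed; chain lists both hops
    print(decide(t, "orders:write"))                          # refused: alice lacks the scope
    print(decide(tamper(t, "orders:write"), "orders:write"))  # refused: bad signature
```

The point of the chain is that the final service sees who the end user is and which services touched the request, so access control is decided once, in one standard form, regardless of how many hops sit in between. A forged token is caught by the signature check, and a chain longer than policy allows is refused even when every link is legitimate.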
Fortunately, he notes, the lessons of governance in a cloud environment are the same as those that have been developed for service-oriented architecture and for enterprise architecture in general. However, he notes, when a cloud service is proposed or requested, there needs to be a process that looks at the purpose and scope of the service, as well as what other requirements may exist within the enterprise. Then -- and this is very important, he notes -- “there needs to be a step in the process that examines what other services or other assets already are available.” In other words, there needs to be a way to manage the lifecycle of the service within an enterprise context. Otherwise, says McKendrick, you end up with a JBOCs architecture -- Just a Bunch of Cloud Services -- across the enterprise, “which will end up being more costly than the systems they replaced.”
And that’s really the point, according to Gartner analyst Daryl Plummer. Cloud is supposed to be about not having to worry about architecture and design unless you are the provider. But that premise depends on governance. “Governance needs to be responsible for two things: the systems behind the services need to be governed and the services themselves need to be governed,” he says.
Plummer says governance of services is often assisted by gateways. Gateways typically do four things, he notes, namely: security, management, encryption, and identity management.
Plummer says policies must now be federated across multiple services and across multiple gateways. API management is another specific requirement. If you are a provider like Etrade and you want to deliver APIs to partners or customers, managing the use of APIs is very important. If not managed properly, they could swamp your system or you could be attacked and not know it, he says.
A gateway can help to manage these types of issues and in some cases, the gateways themselves can be virtualized, says Plummer. “If you have a cloud gateway as a service it just means that some other company has taken responsibility for running the gateway and making sure it identifies what it is supposed to do,” he says. In that scenario, all the IT operation does is specify their policies, they don’t need to do that work of managing or running the gateway itself, he notes.
David Linthicum, an analyst at the Bick Group, says the non-obvious challenge of cloud governance and security is that it is a new security model. “People tend to get confused by cloud security, which doesn’t have the same familiar user IDs and passwords – it is also expensive and requires talented people,” he says.
Governance fits hand in glove with security. “It determines what can be done with a resource after it is accessed. Governance provides the policies around services so that they are only allowed to perform actions that are in a range and if it is out of range they are disallowed and it is reported to somebody,” says Linthicum.
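What Plummer’s gateway and Linthicum’s governance policy look like when written down, as an added illustration (not code from the article or from any analyst quoted in it): a small policy engine that authenticates the caller, throttles it so a partner cannot swamp the backend, allows only listed operations within agreed parameter ranges, and records every refusal so an attack does not go unnoticed. The client, API key, limits and ranges are hypothetical policy data; in a real deployment they would be loaded from a central store so the same rules apply across several gateways, including a hosted one.

```python
"""A minimal gateway policy engine: authenticate the caller, throttle it,
bound what each operation may do, and report every refusal.

Added illustration, not code from the article or from any analyst quoted in
it. The client, API key, limits and parameter ranges below are hypothetical
policy data; a real deployment would load them from a central policy store so
the same rules can be applied by several gateways, including a hosted one.
"""
import hmac
import time
from collections import defaultdict, deque

# Policy as data rather than code: who may call what, how often, within which bounds.
POLICY = {
    "partner-acme": {
        "api_key": "acme-key-hypothetical",
        "rate_limit": (5, 60),  # at most 5 calls per 60 s sliding window
        "operations": {
            "orders.create": {"quantity": (1, 100)},  # parameter -> (min, max)
            "orders.read": {},
        },
    },
}


class Gateway:
    def __init__(self, policy=POLICY, clock=time.time):
        self.policy = policy
        self.clock = clock                # injectable so the window can be tested
        self.calls = defaultdict(deque)   # client -> timestamps of recent calls
        self.reports = []                 # refusals, for whoever watches the gateway

    def _refuse(self, client, op, reason):
        self.reports.append({"ts": self.clock(), "client": client, "op": op, "reason": reason})
        return {"allowed": False, "reason": reason}

    def handle(self, client, api_key, op, params):
        rules = self.policy.get(client)
        if rules is None or not hmac.compare_digest(rules["api_key"], api_key):
            return self._refuse(client, op, "authentication failed")

        # Sliding-window rate limit: a partner cannot swamp the backend.
        limit, window = rules["rate_limit"]
        now = self.clock()
        recent = self.calls[client]
        while recent and recent[0] <= now - window:
            recent.popleft()
        if len(recent) >= limit:
            return self._refuse(client, op, "rate limit exceeded")
        recent.append(now)

        # Governance: only listed operations, and only within the agreed ranges.
        bounds = rules["operations"].get(op)
        if bounds is None:
            return self._refuse(client, op, "operation not permitted")
        for name, (lo, hi) in bounds.items():
            value = params.get(name)
            if not isinstance(value, (int, float)) or not lo <= value <= hi:
                return self._refuse(client, op, f"{name}={value!r} outside [{lo}, {hi}]")
        return {"allowed": True, "reason": "ok"}


if __name__ == "__main__":
    gw = Gateway()
    key = "acme-key-hypothetical"
    print(gw.handle("partner-acme", key, "orders.create", {"quantity": 20}))   # allowed
    print(gw.handle("partner-acme", key, "orders.create", {"quantity": 500}))  # refused, out of range
    print(gw.handle("partner-acme", "wrong-key", "orders.read", {}))          # refused, bad key
    print(gw.reports)                                                         # the refusals, for review
```

Every refusal lands in `reports` with the client, operation and reason, which is the “reported to somebody” half of Linthicum’s description; the allow path returns nothing special, because what matters for detection is the traffic the gateway turned away.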
Governance also monitors dependencies. “If I am building an app using Amazon services and they change those services, governance should alert me that those have been changed so that I know to change other services before they ‘blow up,’” says Linthicum.
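The dependency alert Linthicum describes, as an added illustration (not code from the article or from any analyst quoted in it): record the shape of a provider’s response when the integration is built, then compare each live response against that baseline and alert on removed fields or changed types, the changes that make dependent code “blow up”. The baseline and the later response below are constructed for the example, standing in for an imagined object-listing call; a real check would run against the provider’s actual responses or published schema.

```python
"""Noticing when a provider's service changes under an application that depends on it.

Added illustration, not code from the article or from any analyst quoted in
it. The baseline is a hypothetical contract recorded when the integration
was built (here, the shape of a JSON response from an imagined object-listing
call); the "live" response is constructed to show a changed version.
"""


def schema_of(value):
    """Reduce a JSON value to its shape: scalar type names, object keys, array element shape."""
    if isinstance(value, dict):
        return {"object": {k: schema_of(v) for k, v in value.items()}}
    if isinstance(value, list):
        return {"array": schema_of(value[0]) if value else None}
    return type(value).__name__


def _name(shape):
    return shape if isinstance(shape, str) else (next(iter(shape)) if shape else "empty")


def diff(baseline, current, path="$"):
    """Every difference as (severity, path, description); removals and type changes are breaking."""
    findings = []
    both_dicts = isinstance(baseline, dict) and isinstance(current, dict)
    if both_dicts and "object" in baseline and "object" in current:
        b, c = baseline["object"], current["object"]
        for key in sorted(b.keys() - c.keys()):
            findings.append(("breaking", f"{path}.{key}", "field removed"))
        for key in sorted(c.keys() - b.keys()):
            findings.append(("info", f"{path}.{key}", "field added"))
        for key in sorted(b.keys() & c.keys()):
            findings.extend(diff(b[key], c[key], f"{path}.{key}"))
    elif both_dicts and "array" in baseline and "array" in current:
        # An empty array on either side tells us nothing about element shape.
        if baseline["array"] is not None and current["array"] is not None:
            findings.extend(diff(baseline["array"], current["array"], f"{path}[]"))
    elif baseline != current:
        findings.append(("breaking", path, f"type changed {_name(baseline)} -> {_name(current)}"))
    return findings


def check_dependency(baseline_schema, live_response):
    """Governance hook: returns whether to alert, and what changed."""
    findings = diff(baseline_schema, schema_of(live_response))
    return {"alert": any(sev == "breaking" for sev, _, _ in findings), "findings": findings}


# Constructed sample: the response shape recorded when the integration was built ...
BASELINE = schema_of({"objects": [{"key": "a.txt", "size": 10, "etag": "abc"}], "truncated": False})
# ... and a constructed later response in which the provider changed the contract.
LIVE_RESPONSE = {"objects": [{"key": "a.txt", "size": "10", "storage_class": "STANDARD"}],
                 "truncated": False}

if __name__ == "__main__":
    result = check_dependency(BASELINE, LIVE_RESPONSE)
    print("ALERT" if result["alert"] else "ok")
    for severity, path, what in result["findings"]:
        print(f"  [{severity}] {path}: {what}")
```

Added fields are reported but do not raise the alert, since they rarely break a consumer; a removed field or a type change does, because that is exactly the change that needs the dependent services updated before it reaches production.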
Linthicum says centralized, traditional security “just won’t cut it” in the cloud. “If security isn’t done right it will leave you more vulnerable and you won’t really get full value from the cloud,” he says.
“People trying to force traditional security into the world of cloud will come up short. You must spend the money now to figure out how you need to do it. Do some prototyping, learn what you can, and prepare for the fact that with cloud, comes SOA and a different way of dealing with security,” he adds.