In order for cloud computing to live up to its many promises, analysts say it is essential that it operate within governance practices that are connected to the enterprise and that make those cloud-based services reliable and trustworthy.
David Linthicum, chief technology officer at Bick Group, a consulting firm that focuses on cloud computing as an element in improving data center efficiency, offered some thoughts on how to overcome the governance shortfall. For starters, says Linthicum, don’t expect to do governance on the cheap. “Governance is expensive – a good 20 percent of your budget may need to be spent on getting it right,” he says.
For example, it is important to understand service dependencies. Service dependencies are what’s involved when various services are coupled together. If you are creating a composite application out of many services, then those services are dependent on each other, notes Linthicum. Likewise, if there are service dependencies within an existing architecture, they must be known to the governance structure. If anything in the system changes, all the dependencies must be known to the person making the changes.
“We are talking both inside and outside the organization,” warns Linthicum. “My view of the world and the whole SOA and cloud conversation is really about extending your architecture to the cloud,” he explains. But what does that mean? Are you creating a hybrid? Is it public or private? In any of those scenarios, you may have unrecognized dependencies. For example, he notes, many companies are leveraging Salesforce.com within their applications, creating an unacknowledged dependency. “That is something on the public cloud, a software-as-a-service, and people have internal enterprise applications depending on those things,” he says.
One way to begin to address these challenges is by establishing service policies. Service policies are rules that describe how services are accessed as well as how you are informed of changes and how others are using the services, explains Linthicum. “If you aren’t careful about these things you can bring down a business… you need to create sophisticated and complex architectures and policies written around services so you know how to maintain and operate services over time,” says Linthicum.
You need the ability to look at services to make sure they are alive, healthy and working together, because if just one service goes down, it can bring down the other services and applications that are dependent on it. “The world of cloud makes that even more complex because in many instances we are governing services that we don’t own but we still somehow must control and understand,” says Linthicum.
Governance software is a good place to start, says Linthicum. Such products can provide either design-time service governance or run-time governance. “The difference is that design time is how you are going to do it – you define it. Run time, which has been emphasized more in the last few years, is where you just do it,” and monitor what happens, says Linthicum.
Linthicum says that with few exceptions, implementing cloud services without governance will inevitably lead to failure unless you are working with an extremely simple architecture. “I haven’t seen anyone succeed without governance,” he says. Linthicum recommends leveraging run-time governance to track your services and automate the monitoring of those services.
Then, of course, there are the external realities that compel good governance – in particular, regulation. “You need to have governance to stay within the bounds of law, and you would typically do that through a governance infrastructure by setting policies relative to things like HIPAA and Sarbox, and by providing monitoring and some security requirements,” says Linthicum.
More often than not, says Linthicum, these issues are dealt with as afterthoughts when, in fact, they should be designed into a cloud-SOA solution from the start. “So that means on a cloud project that I run, I always have a governance person and sometimes a team. It must be built in because it is hard to retrofit,” he adds.
Longer term, Linthicum predicts that as cloud becomes more popular, cloud providers will learn how to govern their own services. “It is clear to me that it is going to be on their roadmaps going forward; Amazon already provides rudimentary governance capacity now.” Rackspace.com, Gogrid.com and Salesforce.com are either “building their way toward that or buying their way toward that,” he adds.
Linthicum emphasizes that there is a tipping point where suddenly it all gets hard to manage, and you can get there pretty quickly. “It is the Wild West right now, and when organizations hit that magical number of around 500 services they find that things become unstable and the system gets bad PR,” he says. As a result, users don’t want to use the services, and when the services are “repaired” they become unwieldy because governance and security weren’t planned into them. “Then you end up with what we call JBOWS -- just a bunch of web services,” he says.