June 23, 2009, 4:30 PM — With companies increasingly deploying virtualization technologies throughout the IT environment, Vancouver, B.C.-based Layer 7 Technologies Inc. announced this week a virtual appliance for policy enforcement in the cloud.
The governance and security technology vendor released Layer 7 SecureSpan Virtual Appliance for cloud governance, based on the same functionality as its hardware offerings, but in a software version that is cheaper and easier to deploy, said the company's chief architect, Scott Morrison.
The idea is to give businesses the ability to enforce governance throughout their entire IT network by managing communications between services or defining access to different services, said Morrison. "(They) can get policy enforcement not just within existing SOA on-premise ... but can begin to move out to the cloud as well," he said.
Traditionally, organizations have attempted to implement governance in the cloud as a point solution, said Morrison, using the coarse-grained approach to security that cloud providers offer. But, he said, what is needed is an approach that is finely grained and pushes policies to all devices, monitors activity and drills down to any one instance.
The single biggest fear for businesses considering the cloud is loss of control of data, but they are slowly recognizing the importance of cloud governance, said Morrison. "Cloud governance is fundamentally about a formalization of how you approach the security, monitoring (and) transformation of your data," he said. Technology is the foundation of governance, allowing an organization to implement those policies, he said.
It's vital to have governance in place immediately when moving to the cloud even if it's just a single service, noted Morrison, given the potential threats.
Factors like complex vendor contracts, expectations regarding service level agreements (SLA), and increasingly complex regulations also play a role in designing a cloud governance program, he said. For instance, an SLA-based policy can articulate something like throttling a back-end service because it can only handle 10,000 requests per second. Or, a regulatory compliance-based policy could define filters on data entering and leaving a system.
According to Steve Smith, senior director of Surrey, U.K.-based Coda Research Consultancy Ltd., cloud governance requires the direction of someone at the same authority level as the chief information or technology officer, who then works with stakeholders to sketch the requirements of a cloud initiative. "As with data governance, cloud governance is about vision, oversight and leadership," said Smith.
Organizations should first assess whether the business is even suitable for cloud services, and if so, which processes, software and data are to be moved to the cloud, said Smith. Money saved from migrating generic and vertical market processes to the cloud should be re-invested in the business' core processes, he added, whether those core processes, too, remain onsite or not.
There also should be enforced policies concerning outgoing and incoming traffic, and cloud services. "Who is using cloud services in the organization, for what, how often, how long, and at what cost?" said Smith. "This helps to derive value and assess security."
After migrating to the cloud, Smith suggests undertaking regular reviews to monitor service performance according to cost, service level agreements and organizational objectives.
"As the cloud market heats up, investigate other providers and their services and arrangements," said Smith. "Look at whether processes that are still run in-house should move to cloud services."