Saturday 12 May 2012

Cloud governance is more than a security


THE BIGGER PICTURE: IT governance is critical to the success of cloud computing - which is to say that cloud computing needs processes, policies, and procedures. - Reuters
FOR many enterprises looking to increase operational agility, cloud computing increasingly looks to be a more flexible and efficient solution.
Many of the technologies used by today's cloud environments - both public and private - are heavily based on open-source software, which offers robust application frameworks, rapid development, adherence to standards, vendor neutrality, and avoidance of vendor lock-in.
It is no secret that more and more businesses are embracing cloud computing. According to IDC's 2010 Asia / Pacific (excluding Japan) Cloud Services and Technologies End-User Survey, 24% of organisations in the region are currently using cloud, with 6% actively researching or testing out cloud services.
Additionally, 23% of respondents are planning to use cloud services over the next 12 months, while the remaining 47% have plans to use cloud services at some point after 12 months.
With thousands of services and data elements under management, there is a need to control how they are accessed, added, deleted, and altered, especially in environments that aren't under your physical control.
Therefore, IT governance is critical to the success of cloud computing - which is to say that cloud computing needs processes, policies, and procedures.
Virtualisation, dynamically moving workloads and an increased reliance on third parties for many types of IT functions mean that well thought-out and documented processes, policies, and procedures tend to be more important in cloud computing than with a more static and manual environment.
Governance is a broader concept than security and technology
When people talk about security or risk in the cloud, they are usually talking about governance. Security procedures and technology are part of governance, but governance is a broader concept.
Legal and regulatory procedures, transparency, service levels, indemnification, notification, and portability are all part of this bigger picture, especially as the discussion widens to include public cloud infrastructure providers and software-as-a-service (SaaS) vendors.
Consistency and portability are two of the most important pillars supporting well-governed cloud architectures whether on-premise, public or hybrid architecture. These concepts are closely related, but they are not the same thing.
Consistency refers to having a consistent runtime environment (such as an operating system or middleware) in different clouds, private and public. The same application should be able to run in both places.
For starters, this means that you can take a given Linux, Java, PHP, or whatever application and the target environment(s) will have the supporting software and hardware infrastructure that allows that application to run in the same way in all these places.
The bottom line is that the user of that application should not be able to tell where it is running. It goes without saying that the IT operations people need to know where workloads are running, as well as to specify up-front where different workloads are allowed to run.
Multiple forms
One of the ways that consistency breaks down is that public clouds encourage ad-hoc development that doesn't necessarily comply with an organisation's standards for applications run on-premise.
This may be fine for prototyping or other work that is throwaway by design. However, it's far too easy for prototypes to evolve into something more - as often happened in the case of early visual programming languages - and the result is applications that either have to be rewritten or that may have support, reliability or scalability issues down the road.
Just because developers find that a given public cloud environment offers the cheapest and easiest path to write and test an application doesn't mean total application lifecycle costs will be lower. Public cloud-based development will happen though, so the best strategy is to recognise this inevitability and channel it in a way that fits within organisational standards.
Consistency goes beyond just technical factors though. Consistency between on-premise and public cloud environments also requires that the full runtime - including the applications running on it - be supported and certified by the same ISVs and others when running on-premise or in the cloud, a commitment that is as much about business relationships as technical ones.
Portability takes multiple forms. Portable computing creates scalable private clouds that can be federated to a public cloud provider under a unified management framework.
Portable applications mean that developers can write once and deploy anywhere, thereby preserving their strategic flexibility and keeping their options open while lowering maintenance and support costs. Such services simplify development and operations by eliminating the need to re-implement frequently needed functions in private clouds and enable the movement of data and application features across clouds.
Portable programming models let existing applications be brought over to cloud environments or be evolved incrementally.
And, as with consistency, there are aspects of portability that aren't primarily technical - such as whether software subscriptions and licences can be transferred from one location to another. Consistent support and maintenance environments are also essential elements.
Organisations are expected to use public cloud providers in various forms - the goal should be to govern that use, not block it
Cloud computing infrastructure allows for rapid experimentation and expansion. Hosted applications can often be brought online more quickly than conventional on-premise software and thereby start delivering business value faster.
The reality is that cloud computing in some form will happen throughout all organisations whether as the evaluation and adoption of a new CRM platform through a formal IT process, the ad-hoc use of public cloud infrastructure by developers, or the "bursting" of an on-premise cloud to a public cloud to gain temporary capacity.
Given the importance of properly securing data and minimising lock-in to a specific third-party provider, it is especially critical to bring cloud computing activity that involves corporate data or production applications under a common governance umbrella.
For the vast majority of organisations, simply forbidding the use of public cloud resources and applications is a poor strategy. For one, it cuts the organisation off from the benefits of using those third-party providers. Secondly, that approach is unlikely to work, as the unofficial use of personal mobile devices and free or inexpensive Web-based services of all sorts tends to happen.
It is better to acknowledge that reality and make public cloud resources an explicit part of overall IT governance. An IT organisation might, for example, freely allow personal devices to access corporate e-mail but put in place mechanisms such as tokens that add a layer of security to that access. Perhaps the most important process is to involve users in formulating the policies rather than creating an "IT vs everyone else" dynamic.
Cloud computing isn't "risky" any more than IT overall is risky. Rather, like all IT activities, cloud computing projects should be undertaken in a way that both mitigates risks and considers those projects in the context of IT as a whole.
(Dirk Peter van Leeuwen is vice-president and general manager at Red Hat Asia Pacific.)
