Cloud Security and Governance

Talk is Cheap…

A lot of vendors talk a good game about how their cloud management tools deliver fully governed clouds, but dig beneath the surface and the products cannot provide on-demand, self-service access to applications and application platforms while meeting the governance, compliance and security requirements of real enterprises.

… But What is the Reality?

Peel back the covers on other cloud management tools and you’ll find one or more of the following issues for enterprise customers.

Figure: Policy-based Governance versus Runbook Automation

Workflow-Based “Policy”

Some cloud management tools tout their workflow-based approach to governance, compliance and security, even going as far as to refer to “workflow policies.” But workflow is not policy at all. It simply takes the existing manual actions and approvals of the current, inefficient IT operating model and puts them into a product, to be executed when someone makes a request. That is last-generation technology, unsuited to the cloud operating model. You get some automation for deploying individual workflows, and with enough decision points and manual approvals inserted you can build something that approximates policy, but the resulting complexity makes it impossible to maintain.

Infrastructure-Only Policy Controls

Many cloud management tools focus on management and policy at the infrastructure level. That is insufficient when the unit of provisioning that business users and developers request on demand is the application, application platform or service. You might be able to ensure a PCI-compliant vSphere datacenter with infrastructure policy set in a configuration/compliance management tool. But unless governance, compliance and security policy is enforced at the level of the application itself, there is no way to ensure that an application using credit card data won’t be deployed to a non-compliant public cloud: the infrastructure tool knows the datacenter is compliant, but it has no idea what the application handles. Note that an application-level policy is only as good as the attributes it reads, so an application that was never classified as handling card data must be refused placement rather than waved through. Providing self-service access to applications and services with only infrastructure-level policy just allows people to do bad things faster.

Rigid, Pre-Defined Deployment Policy

Some cloud management tool vendors have jumped on the policy bandwagon with their marketing, but all they really provide is a handful of pre-defined deployment policies that are inflexible and cannot be extended. For enterprise customers in highly regulated industries this barely scratches the surface of their governance and security requirements. Real enterprises require a true cloud management platform with an extensible meta-model, one that lets you add new attributes that policy can reference when making decisions, and write completely custom policies against them, including:

  • Regulatory compliance policies
  • SLA policies including autoscaling
  • Security zones policies for each SDLC stage
  • Monitoring/auditing policies for each SDLC stage
  • Fine-grained access control policies
  • Enforcement of Standard Operating Environments (SOEs)
  • Workload placement policies
  • Backup and failover policies
  • VM quotas and scheduling
  • Metering/charge back policies
  • Much more…
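The two points above, application-level placement policy and an extensible attribute model, are easier to see in code than in prose. The following is an added illustration written for this page; it is not ServiceMesh Agility Platform code, and every attribute name, target, certification and rule in it is an assumption constructed for the demo. A workload carries its own attributes (here `data_classification`, `sdlc_stage`, `data_residency`), each policy is a plain function over workload and target, and adding a new attribute plus a new policy requires no change to the evaluation engine. The `infra_only_candidates` function shows what an infrastructure-only view can say about the same request.

```python
"""Application-level placement policy over an extensible attribute model.

Added illustration for this page; not ServiceMesh Agility Platform code.
All attribute names, targets, certifications and rules are assumptions
constructed for the demo.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Target:
    """A place a workload can land, described by infrastructure attributes."""
    name: str
    cloud: str                        # "private" or "public"
    zone: str                         # security zone / SDLC stage it serves
    region: str
    certifications: frozenset         # attestations the infrastructure holds
    baseline_compliant: bool = True   # what an infra-only compliance scanner sees


@dataclass(frozen=True)
class Workload:
    """The unit of provisioning: the application, with its own attributes."""
    name: str
    attributes: Dict[str, str]        # extensible: add keys, then write policies against them


# A policy returns a violation message, or None when the placement satisfies it.
Policy = Callable[[Workload, Target], Optional[str]]


def classification_required(w: Workload, t: Target) -> Optional[str]:
    """Fail closed: a workload nobody classified is placed nowhere."""
    if "data_classification" not in w.attributes:
        return f"{w.name}: no data_classification attribute; refusing placement"
    return None


def pci_placement(w: Workload, t: Target) -> Optional[str]:
    """Cardholder data only lands on infrastructure attested for PCI-DSS."""
    if w.attributes.get("data_classification") == "pci" and "PCI-DSS" not in t.certifications:
        return f"{w.name}: PCI data may not be placed on {t.name} (no PCI-DSS attestation)"
    return None


def zone_matches_stage(w: Workload, t: Target) -> Optional[str]:
    """A workload deploys only into the security zone for its SDLC stage."""
    stage = w.attributes.get("sdlc_stage")
    if stage != t.zone:
        return f"{w.name}: stage '{stage}' may not deploy into zone '{t.zone}' ({t.name})"
    return None


def data_residency(w: Workload, t: Target) -> Optional[str]:
    """A custom policy added later against a new attribute; the engine is unchanged."""
    required = w.attributes.get("data_residency")
    if required and required != t.region:
        return f"{w.name}: data must stay in '{required}', {t.name} is in '{t.region}'"
    return None


POLICIES: List[Policy] = [classification_required, pci_placement, zone_matches_stage, data_residency]


def evaluate(w: Workload, t: Target, policies: List[Policy]) -> Tuple[bool, List[str]]:
    """Run every policy; the placement is allowed only with zero violations."""
    violations = [v for v in (p(w, t) for p in policies) if v]
    return (not violations, violations)


def app_aware_candidates(w: Workload, targets: List[Target], policies: List[Policy]) -> List[str]:
    """Targets a self-service request for this workload may actually use."""
    return [t.name for t in targets if evaluate(w, t, policies)[0]]


def infra_only_candidates(targets: List[Target]) -> List[str]:
    """Infrastructure-level policy alone: each target passes its own baseline,
    so every one of them looks like a valid destination for any workload."""
    return [t.name for t in targets if t.baseline_compliant]


# Constructed sample data (assumptions, not real environments).
TARGETS = [
    Target("corp-vsphere-pci", "private", "prod", "us", frozenset({"PCI-DSS", "ISO27001"})),
    Target("public-cloud-prod", "public", "prod", "us", frozenset({"ISO27001"})),
    Target("public-cloud-eu", "public", "prod", "eu", frozenset({"PCI-DSS"})),
    Target("corp-vsphere-dev", "private", "dev", "us", frozenset()),
]
PAYMENTS = Workload("payments-api", {"data_classification": "pci",
                                     "sdlc_stage": "prod",
                                     "data_residency": "us"})
UNTAGGED = Workload("mystery-app", {"sdlc_stage": "prod"})

if __name__ == "__main__":
    print("infra-only view:", infra_only_candidates(TARGETS))
    print("app-aware view :", app_aware_candidates(PAYMENTS, TARGETS, POLICIES))
    for t in TARGETS:
        ok, why = evaluate(PAYMENTS, t, POLICIES)
        print(f"{t.name:18} {'allow' if ok else 'deny':5} {why}")
```

Run stand-alone, the infrastructure-only view lists all four targets as valid for `payments-api`, while the application-aware view leaves only `corp-vsphere-pci`: the public cloud in the same region fails the PCI rule, the PCI-attested cloud in the EU fails residency, and the dev datacenter fails both PCI and zone. The untagged workload is refused everywhere by `classification_required`, which is the fail-closed default the prose above calls for.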

No Concept of Application Lifecycle

This is a whole topic in itself and is covered separately.

The Only Enterprise-Grade Approach to Cloud Management Governance

To meet the governance, compliance, security and other policy needs of real enterprises, you need:

  • A flexible policy creation and enforcement engine that does not rely on manual workflow approvals/actions
  • Application-level AND Infrastructure-level policy control
  • Policy control throughout the full application lifecycle from initial development through production deployment and beyond
  • An extensible meta-model that allows you to add attributes and write any custom policy you require against them
  • A visual policy editor for non-technical staff and direct programmatic editing for technical staff

The ServiceMesh Agility Platform provides the only enterprise-grade policy engine that meets these requirements.