Friday, 7 September 2012

Should I be in the Cloud? What if it Rains?

A perspective on Cloud governance and implying standards.

The adoption curve for cloud computing is on the rise for today’s organizations. However, a majority of enterprises still consider it to be more hype than reality, thereby failing to realize the benefits of disruptive innovation. There is a growing realization, however, that on-premise computing has its own limitations. For many next generation applications the elastic and affordable power of the Cloud actually becomes a necessity. A few of the top ten prevalent jokes about cloud computing:

Cloud computing should be named Cloudy computing, because it's precipitous, vague, messy, hazy and unpredictable.
If your hot computing Cloud bumps into a cold computing Cloud, you get Lightning computing, followed by stormy computing and network outages.

Jokes apart: is it about time we started to govern the cloud? If so, should this be limited to the technology, or should it focus on the operating model in order to make it more secure? These are some of the important questions that organizations are asking today when adopting disruptive innovation in order to maximize “as a service” transformation, enabling better reach and integration with customers, partners and suppliers.
In order to ascertain the intricacies of Cloud it is important to understand the relationship between Service Oriented Architectures (SOA) and Cloud, not only at an architectural level, but also at a business solution and service level. SOA is defined by The Open Group (a vendor neutral, technology neutral global consortium with a membership of 400 plus organizations, enabling the achievement of business objectives through IT standards) as “an architectural style that supports service orientation. Service orientation is a way of thinking in terms of services and service-based development and the outcomes of services.”

According to NIST, “Cloud Computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.” The Service models are Cloud Infrastructure as a Service, Cloud Platform as a Service, and Cloud Software as a Service.  The service models, and the fact that cloud computing is discussed in terms of the creation, delivery and consumption of cloud services, means cloud computing supports service orientation. Enterprises expose infrastructure, platforms and software as services as part of SOA solutions today. Certainly Software as a Service is not new and has been a hot topic for years.

Cloud deployment models typically are Private, Community, Public, and Hybrid. These deployment models define the scope of the cloud architecture and solution: does the cloud solution exist strictly within the organization boundaries (private), across organization boundaries (public), or a combination (Hybrid)? Certainly these scopes have been seen in SOA solutions before Cloud, although there was not a well known architectural model for them as there is in cloud computing. There are SOA solutions that exist strictly within an enterprise, or between businesses across enterprise boundaries (B2B). In fact, one of the key values of SOA was to develop SOA solutions with services that are integrated between business partners, enabling outsourcing, simplifying integration and increasing agility, much like the Hybrid model. Cloud computing enables this paradigm by adding cloud characteristics to the services being delivered and consumed.

The essential characteristics for Cloud Computing are on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured Service. These characteristics can be found in requirements and SOA solutions in various organizations today, although these characteristics are optional for SOA and mandatory for cloud.

They say “when it rains it pours”. The primary concerns around Cloud computing include:
  • Business Buy-In
      o Business process and Application portfolio and transformation?
      o Is the executive team sponsoring the initiative?
      o What is the ROI and TCO?
      o What are the business priorities?
  • Security and Compliance
      o Where is the data?
      o Who can see the data?
      o Who has seen the data?
      o Has the data been tampered with?
  • SLA
      o Where is processing performed?
      o What about the functional and non-functional SLA?
      o Do regular backups happen?
      o How is accountability maintained?
  • Interoperability
      o Where are the critical integrations in a business process?
      o What about standards (internal to the org OR adopted from the industry)?
      o Which platform is to be used?
      o What about service metrics?

Cloud Computing Governance paves a way to address these concerns.  Cloud Computing governance  is a view of IT Governance focused on accountability, defining decision rights and balancing benefit or value, risk and resources in an environment embracing cloud computing.  Cloud Computing Governance creates business driven policies and principles that establish the appropriate degree of investments and control around the usage of cloud computing services.

This ensures all enterprise expenditures related to Cloud are aligned with the business objectives, promotes data integrity across the enterprise, encourages innovation, and mitigates the risk of data loss or non-compliance with regulations.  It recognizes that cloud computing increases the pervasive nature of IT and ensures enterprise-level decision makers are able to address the overall IT investment, resource requirements, opportunities for value, and implications of risk – regardless of organization or delivery provider. 

What is new about cloud is that instead of supporting interoperability requirements per solution, the industry is trying to ‘standardize’ how these requirements are being met to enable cloud computing. Cloud architectures require a set of capabilities and architecture building blocks to meet the NIST essential characteristics that are optional in SOA. In addition, these architectural building blocks may be implemented in Cloud specific ways to handle scale, cost optimization and automation.

Cloud governance should focus on the following key characteristics: (a) transparency, (b) physical security, (c) logical security and (d) data integrity, in relation to the on / off premise deployment models (private, public, hybrid).

Let’s now consider services… A service is typically defined as:
  • Is a logical representation of a repeatable business activity that has a specified outcome (e.g., check customer credit; provide weather data, consolidate drilling reports)
  • Is self-contained
  • May be composed of other services
  • Is a “black box” to consumers of the service
Cloud services (i.e. public/private cloud IaaS, PaaS and BPaaS), according to this definition, are similar to SOA services. However, not all SOA services are Cloud services, because Cloud services require automated deployment and management, as well as offering support, in order to support the Cloud characteristics.
It is essential that the architecture design authority / review board emphasizes the creation and maintenance of Cloud reference architectures on the enterprise continuum.  Cloud reference architectures are more interoperable than domain architecture scoped to service delivery and management. It helps when principles and architectural decisions have been premade already to enable the Cloud computing architecture to be self service, network accessible, and scalable.
Cloud governance will enable architectural building blocks that have already been identified for Cloud solution architects to use for operational and business support. This also enables flexibility to use off the shelf cloud service providers who provide well defined, maybe even standardized, management and security support as a service.  
For cloud governance to work, some service identification has to be done in advance (reusable, utility services, for example, to control VMs and deploy/undeploy applications or services) and implementations of services may be available from an existing services ecosystem. The existence of this services ecosystem and concrete architecture makes services via cloud simpler for service consumers to adopt because the designs and implementations have been provided. 

The benefit of recognizing the heritage of Cloud governance as an extension from SOA governance is that the existing experience over the last 5 to 8 years and standards already available for SOA and SOA solutions can be applied to Cloud Computing and Cloud solutions.
Some of the SOA standards that can be applied to Cloud include:
  • SOA Integration Maturity Model – this model helps determine the level of service use in an organization; these levels apply to the use of cloud services. Cloud computing can be seen as the “Virtualized” and “Dynamically reconfigurable” levels.
  • SOA Ontology defines service and SOA concepts which can be used as a basis for describing cloud services, though extension Ontologies should be developed for cloud.
  • The SOA Reference Architecture defines the functional and cross cutting concerns and architecture building blocks for SOA, which also applies to Cloud.
  • The SOA Governance Framework defines a governance reference model and method that applies to the development of cloud services and solution portfolio and lifecycle management. Best practices for governance of Cloud solutions will need to be developed in addition to this standard.
  • Security for Cloud and SOA go hand in hand to enable both physical and logical security considerations for services.
Certain functions that may have been optional for SOA solutions are now mandatory for Cloud solutions, like virtualization, security across business boundaries, and service management automation. New functions and requirements are coming into focus, with cloud driving experiences from the SOA world to the next level. The functional concerns (operational systems, service components, services, business processes and consumer interfaces) all exist in, and are relevant to, cloud architectures.

In summary, Cloud reference architectures that focus on the following enable enhanced fit for purpose governance addressing some of the important concerns around interoperability, security and compliance and SLAs:

  • Operational Layer: Infrastructure is part of the operational systems layer, but important in Cloud architectures because Cloud imposes new requirements on infrastructure to enable broad network access, resource pooling, rapid elasticity, virtualization and scalability.
  • Service Layer: The common cloud service types, XaaS, are identified in the services layer. These cloud service types, like other services, use and sometimes expose assets in the Operational systems layer. For cloud services, which assets are exposed is often the focus of the service type, i.e. within operational systems, hardware infrastructure is exposed as IaaS, middleware is exposed as PaaS, and business process as BPaaS.
  • Business Process: Business processes participate in a Cloud solution much like they do in SOA solutions; they can be provided as a service (BPaaS) or be the consumer of services (whether they are cloud services or not). Additionally, business processes within a cloud provider organization need to be restructured and streamlined in novel ways to meet much faster time-to-deliver, time-to-change and cost objectives.
  • Consumer Layer: The consumer layer is more strictly and carefully separated from the services and service provider to allow pooling and substitution of cloud services or providers.

Contribution as Chapter Leader for The Open Group book on Cloud Computing for Business

Link to the Open Group book : Cloud Computing for Business