cloud governance - gartnergartner.com.br/tecnologias_empresariais/pdfs/brl37l_c5.pdf · cloud...

Cloud Governance

Enterprise Integration Summit

April 13-14, 2010 WTC HotelSao Paulo, Brazil

Daryl Plummer

Notes accompany this presentation. Please select Notes Page view. These materials can be reproduced only with written approval from Gartner. Such approvals must be requested via e-mail: [email protected]. Gartner is a registered trademark of Gartner Inc or its affiliates

This presentation, including any supporting materials, is owned by Gartner, Inc. and/or its affiliates and is for the sole use of the intended Gartner audience or other authorized recipients. This presentation may contain information that is confidential, proprietary or otherwise legally protected, and it may not be further copied, distributed or publicly displayed without the express written permission of Gartner, Inc. or its affiliates. © 2010 Gartner, Inc. and/or its affiliates. All rights reserved.

Gartner is a registered trademark of Gartner, Inc. or its affiliates.

Cloud Governance

According to the Merriam-Webster online dictionary, here is the meaning of the word "policy":According to the Merriam Webster online dictionary, here is the meaning of the word policy :Main Entry: 1pol·i·cy Pronunciation: \�pä-lə-sē\Function: nounInflected Form(s): plural pol·i·ciesUsage: often attributiveEtymology: Middle English policie government, policy, from Middle French police, policie — more at policeDate: 15th century1 a : prudence or wisdom in the management of affairs b : management or procedure based primarily on material interest2 a : a definite course or method of action selected from among alternatives and in light of given conditions to guide and determine present and future decisions b : a high-level overall plan embracing the general goals and acceptable procedures especially of a governmental bodyThe word "policy" is generally used with a qualifier such as security policy or performance policy. Without these qualifiers the term can be rather nebulous and imprecise. Regardless, if there is a policy in place, then at some point that policy must be enacted upon and enforced. For example, a policy around data privacy must be enforced throughout an SOA environment, throughout an i i i d h h l i i ll b i i

Page 1Daryl PlummerBRL37L_115, 4/10


integration environment and throughout a multi-enterprise collaboration environment.It's time to start thinking about policy in the abstract; forcing us to develop and deploy mechanisms and technologies to enforce a policy, regardless of technology or physical domain.

1

Cloud Governance



Cloud Governance

Key Issue: How have the technologies and mechanisms for governing SOA changed andKey Issue: How have the technologies and mechanisms for governing SOA changed and matured?What is a multi-domain registry/repository (MDRR) and why is it important? To understand, think of a registry/repository traditionally seen as part of an SOA architecture. It is supposed to include addresses of the services available in the SOA, plus metadata about the services, such as their policies. Now think about how organizations are starting to rely on cloud-based services, such as Amazon S3 (storage) and Force.com (sales force automation). These services are not on-premises SOA reusables, so they are not in the SOAforce automation). These services are not on premises SOA reusables, so they are not in the SOA registry/repository. But the organization relies on them! This means that the registry/repository must be extended to contain a full list of the services which are used by an organization, and the metadata that is kept in the registry/repository will be very different, depending on whether the service is implemented in the cloud or not. These off-premises services need to be included in a multi-domain registry/repository alongside internal on-premises services (that's why it's "multi-domain"). From an organization's standpoint, all of the services they depend on are in one place.



Strategic Imperative: re-evaluate your current registry/repository strategy and look at ways to start capturing virtual artifacts such as those from cloud-based services within your registry repository.

Cloud Governance

Client Issue: Which will be the leading management vendors for Web-services-based applications?

Key Issue: How have the technologies and mechanisms for governing SOA changed andKey Issue: How have the technologies and mechanisms for governing SOA changed and matured?For the past two years, most of the SOA governance technology markets have been focused on the registry/repository; specifically the life cycle management capability of registry/repositories. As we start to extract the policy layer, issues such as policy enforcement have once again become center stage. In the early days of the SOA governance technology market, the focus was on ensuring that access control was addressed. Although companies such as AmberPoint, Progress Software and SOA software offer several ways of enforcing policies, the most popular ways are the use of agent technology and network proxies. Agentenforcing policies, the most popular ways are the use of agent technology and network proxies. Agent technologies focus on injecting small snippets of code within a SOAP header to proactively monitor and control the service. Many companies have found that as they move through their SOA deployments, the majority of their services are already in existence and it isn't practical to re-engineer them and embed agent capability. A proxy or gateway approach has become much more commonplace and is the preferred mechanism for appliance vendors such as IBM Datapower, Layer7 Technologies, Alcatel Lucent, Sonoa Systems and Vordel.Action Item: Although you may lose some ability to be proactive, the use of enforcing policy using gateways



g y y y p , f f g p y g g yand proxies is much less obtrusive. Look for policy enforcement technologies that allow you to both manage and monitor from the gateway.

Cloud Governance

Tactical Guideline: In lieu of standards for federation, use data synchronization technologies, such as ETL tools, to integrate metadata registry/repositories.

Key Issue: How have the technologies and mechanisms for governing SOA changed andKey Issue: How have the technologies and mechanisms for governing SOA changed and matured?Although there is a lack of true standards when it comes to the federation of service artifacts, many of today's policy stores such as access management systems, directory systems and configuration management databases (CMDBs) offer mechanisms and specifications for federation. Unfortunately these systems only focus on access and authentication policies and configuration policies. In some cases these federations are only one way. Technology providers such as HP, IBM and Software AG are proactively publishing their own proprietaryway. Technology providers such as HP, IBM and Software AG are proactively publishing their own proprietary governance models to encourage third-party governance technologies to support true federation between registry/repositories.

Caution Action: It is not enough to merely integrate with your directory services. Start evaluating the federation capabilities of the registry/repositories associated with your integration environment, multi-enterprise collaborative environments, cloud environments, systems management environments and business



enterprise collaborative environments, cloud environments, systems management environments and business process management environments.

Cloud Governance

Strategic Planning Assumption: Through 2009, 60% of companies acquiring SOA governance technologies will choose best-of-breed solutions and choose to integrate them in house.

Key Issue: How have the technologies and mechanisms for governing SOA changed andKey Issue: How have the technologies and mechanisms for governing SOA changed and matured?Because achieving service-centricity is a goal of overall IT and not just the SOA teams and projects, the notion of federation must be present throughout other technology domains in the infrastructure. This slide shows examples of two major specifications and the vendors that support these specific governance interoperability specifications. In the past, ecosystems and alliances have been built on providing additional functionality, which may or may not have been lacking from a specific vendor. Today these ecosystems and alliances are built on the ability to federate information throughout multi-domains. This leads us to believe that companies will start to see strategic alliances based on federation between companies that normally compete in the open marketplace — all for the sake of organizations that elect to pursue a best-of-breed approach which results in a heterogeneous environment.

Strategic Imperative: Examine your SOA infrastructure vendors in the context of the ecosystems and alliances in which they participate to establish those supporting a consistent approach to federation Look to their



in which they participate to establish those supporting a consistent approach to federation. Look to their partners to ease the complexity around federating policy between technology domains.

Cloud Governance

Key Issue: How will companies evolve to share their internal services and applications with their business partners?

Key Issue: How can I leverage my existing technologies to govern the interactions with myKey Issue: How can I leverage my existing technologies to govern the interactions with my cloud service providers?The phenomenon of cloud computing is still in its infancy. When companies are asked if they are consuming cloud-based services, the answer is usually "none" or "one or two, maybe." The reality is that we have been consuming services that could be assimilated to cloud-based services for the better part of 10 to 15 years. The logistics capabilities that have been provided via Federal Express, UPS and DHL are a great example. Another example is the payroll services that have been provided by companies such as ADP, or integration as a serviceexample is the payroll services that have been provided by companies such as ADP, or integration as a service in the B2B multienterprise world. The reality is, as we start to consume more cloud services, we have to recognize that a fair amount of our critical business processes are dependent on external services that do not belong to us.

Action Item: Start examining existing portfolios to determine your dependencies on cloud-based services. An excellent way of accomplishing this is to start by examining and decomposing mission-critical business



excellent way of accomplishing this is to start by examining and decomposing mission critical business processes.

Cloud Governance

Tactical Guideline: Most business partners and service providers limit their exposure by mystifying "demarcation" lines, indemnifying themselves by suggesting doubt in the systems and controls of their consumers.

Key Issue: How can I leverage my existing technologies to govern the interactions with my cloudKey Issue: How can I leverage my existing technologies to govern the interactions with my cloud service providers?Consumers should leverage best practices for developing and using business-driven service levels. Consider these best practices when crafting SLAs:Ensure that the organization understands the business drivers and expected goals for outsourcing when beginning any source selection (see "Defining IT Governance: The Gartner IT Governance Demand/Supply Model" G00140091).Use the business goals to identify the appropriate stakeholders. The stakeholders must define the KPIs and must contribute to the development of the SLAs.contribute to the development of the SLAs.Link KPIs to SLAs, and define service levels that represent end-to-end services, not technical metrics that represent pieces and parts of a service.Validate the resulting service levels with the business, and make refinements as necessary throughout the outsourcing provider selection and contract negotiation processes.Define how service levels will be measured and reported, and what level of accountability for performance is appropriate for the service provider to accept.Ensure that the service levels are included in the RFP so that the competitive field of providers can size the risk and price



Ensure that the service levels are included in the RFP so that the competitive field of providers can size the risk and pricethe services accordingly.Ensure that the negotiation team is well-equipped with documentation and an audit trail showing why and how the service levels were developed.

Cloud Governance

Key Issue: Which emerging and existing technologies will enable this style of service-centric multienterprise collaboration?

Key Issue: How can I leverage my existing technologies to govern the interactions with myKey Issue: How can I leverage my existing technologies to govern the interactions with my cloud service providers?For many years, most integration middleware technologies enabled their users to connect to services using interoperable standards such as SOAP. However, in order to really get business value, an organization must incorporate policy management metadata into service interactions to establish governance. This can be done on a point-to-point basis with several cloud providers, but as with any point-to-point architecture, scalability, reuse, visibility and loose coupling become issues. These same issues are driving existing internal SOAreuse, visibility and loose coupling become issues. These same issues are driving existing internal SOA initiatives.



Cloud Governance

Decision Framework: Ensure all future SOA infrastructure purchases and deployments support mediation and virtualization. Consider infrastructure appliances that natively support virtualization and mediation as a lower cost solution to enhancing middleware for these types of deployments.

Key Issue: How can I leverage my existing technologies to govern the interactions with myKey Issue: How can I leverage my existing technologies to govern the interactions with my cloud service providers?If you are a service consumer, ask yourself: Does this service enable me to rapidly detect, adjust and react to changes in my business? If this service doesn't meet my expectations or I find a comparable service, then can I switch to another service provider with minimal (or at least reasonable) disruption to the processes that depend on that service? Can this service be incorporated into orchestrations in such a way that it transparently becomes part of a set of business compositions? Does this service provide me with the performance levels and security that I need to ensure the service meets my expectations? (Be aware that different businesssecurity that I need to ensure the service meets my expectations? (Be aware that different business compositions will have potentially very different requirements.)If you are a service provider, ask yourself: Is my offering constructed in such a way to provide the consumers with enough information for them to make business-critical decisions? Does my offering tightly couple the user to my platform and my internal processes, physically restricting how, when and where the user can use my services? Is my offering interoperable and coarse grained or fined grained enough to allow for immediate usage? Does my offering ease interoperability with the users' or third-party services and technologies? Can I extend information about performance life cycle management and governance policy enforcement to my



extend information about performance, life cycle management and governance policy enforcement to my consumer for predictability of my offering?

Cloud Governance

Conclusion: Without a brokerage model, cloud computing will suffer from limited use of services that need to be customized.

Key Issue: How can I leverage my existing technologies to govern the interactions with myKey Issue: How can I leverage my existing technologies to govern the interactions with my cloud service providers?In human civilization, the concept of brokerage (or intermediation) is well-established practice. In the world of IT, this is less widely spread but still commonplace. As cloud computing grows, the need for more intermediation must be met by a corresponding group of markets that establish intermediation as a critical line of business. Cloud services brokerage leverages the teachings of many different industries in using brokerage to facilitate g g g y g genhanced services, insurance protection, travel arrangements, peer references, and aggregation of services. Financial services and travel lead the way in unscientific samplings of our clients as the most prevalent industries that use brokerage to facilitate complex supplier/consumer relationships. And while utilities and retail lag behind, the reality still remains that these industries use brokerage in supply chain operations on a daily basis.



Cloud Governance

Tactical Guideline: Cloud service brokerage is and will be an interesting revenue growth opportunity in cloud computing.

Key Issue: How can I leverage my existing technologies to govern the interactions with my cloudKey Issue: How can I leverage my existing technologies to govern the interactions with my cloud service providers?In the future, cloud computing will see more and more brokers negotiating relationships between providers of cloud services and the service consumers. In this context, a broker might be software, appliances, platforms or suites of technologies that enhance the base services available through the cloud. Enhancement will include managing access to the services, providing greater security or even creating completely new services. The purpose of these brokers will be to add value to existing services, and to deliver new services built and delivered on top of old services (see "What's Between You and the Cloud?" G00163985).We must note however that although cloud service brokers may be delivered through technology there's still a need forWe must note, however, that although cloud service brokers may be delivered through technology, there s still a need for brokerage businesses to exist to take advantage of these brokers. A brokerage is a service business, whereas a broker may simply be B2B technology. Managed service vendors and B2B gateway businesses will be very familiar with these concepts, as are service governance vendors. However, the cloud doesn't include an assumption that service providers calling themselves "brokerages" will exist (in most instances). We believe that service brokerages are one of the most necessary and attainable opportunities for cloud service providers.Definitions: A cloud service brokerage (CSB) is a model (including a set of activities) for conducting cloud service governance (CSG) and integration as a service (IaaS). A CSB is a business that conducts cloud service brokering. A cloud service broker is a piece of technology (for example software or an appliance) that's used to deliver CSG or IaaS A CSB



service broker is a piece of technology (for example, software or an appliance) that s used to deliver CSG or IaaS. A CSB brokers a relationship between a service consumer and a service provider. It's also a business that delivers brokering as a service.

Cloud Governance

Strategic Imperative: For every scenario, consumers must determine their need for trust, but providers should plan for the highest degree of trust with these exceptions: If the offering is very low cost or free and consumer expectations have been set accordingly; or if the offering is based on highly mature, commoditized technology that is deemed to be reliable and have "failsafe" and verifiable traits (such as data from public records orreliable and have "failsafe" and verifiable traits (such as data from public records or census).

Key Issue: How can I leverage my existing technologies to govern the interactions with myKey Issue: How can I leverage my existing technologies to govern the interactions with my cloud service providers?Rather than trust being finite, meaning it stops on a continuum of policy enforcement, it is more about a sliding scale of choices and approaches. For example, using a mapping application to find directions will only require the consumer has a high trust that the information is correct. With the exception of very new roadways and structures, driving maps have come to be pretty reliable. This is an example of a consumer needing little to no assurance that the information is correct. Using a banking application via a Web browser may require aassurance that the information is correct. Using a banking application via a Web browser may require a minimum amount of security (SSL), performance management (quick response time) and validation (accurate account balance). This example maybe one of low to medium trust. A sales force that powers an international sales force, or a storage service that feeds a large online community may need a medium to large amount of trust.



Cloud Governance

Strategic Imperative: Enterprises must align penalties and incentives in service provider contracts to service levels that produce business value.

Key Issue: How can I leverage my existing technologies to govern the interactions with myKey Issue: How can I leverage my existing technologies to govern the interactions with my cloud service providers?Every agreement with a service provider (SP) must have performance requirements and service levels specified in the contract. Service-level criteria should be developed and negotiated with the SP, rather than developed solely by the enterprise and levied on the SP. When developed jointly, expectations can be set at the beginning of the relationship, resulting in fewer debates about performance issues. An enterprise must weigh the value delivered via the service level against the cost of having that service delivered. Often, the service level that is "almost perfect" is orders of magnitude more costly than the service level that is acceptable to deliver business value to the enterprise. If the SP delivers less service than is contracted, the enterprise is overpaying for the service. Conversely, when the SP delivers more service than is contracted, the enterprise is underpaying for the service. The measure of service should be tied to business value, allowing for a view of penalties and incentives as a way to compensate for reduced value and improved value, respectively. Enterprises should provide the linkage among business value, service levels, and penalty and incentive definitions.



Action Item: Penalties and incentives should be applied when the SP delivers reduced value and improved value, respectively, to the business.

Cloud Governance

Tactical Guideline: Many existing technologies, such as B2B gateways and products that address BPP and SOA backplane needs, are well on their way to providing this intermediary/interface/gateway, but SOA governance technologies will be one essential ingredient for a comprehensive solution. g p

Key Issue: What is the current vendor landscape and how will it evolve in the next 12 to 18Key Issue: What is the current vendor landscape and how will it evolve in the next 12 to 18 months?Some SOA governance technology set vendors leverage some provisioning and community management capabilities. Examples include:• Layer 7 Technologies offers SOA policy management appliances that can be deployed as gateways for virtualization and mediation. In addition, Layer 7 partners with many SOA infrastructure vendors and belongs to both governance interoperability organizations. • Software AG's CentraSite is ebXML compliant Its SOA infrastructure has policy management capabilities and• Software AG's CentraSite is ebXML compliant. Its SOA infrastructure has policy management capabilities and has a rich ecosystem of SOA governance partners, but Software AG has yet to communicate its SOA/B2B intentions.• Tibco's Active Matrix supports virtualization and B2B functionality via Business Works. Since both products will soon be deployed as one, Tibco is in the best position, from a B2B perspective, to offer SOA/B2B infrastructure. • WebLayers is integrating with the repositories of some B2B gateways associating policies with profiles.



Cloud Governance

Tactical Guideline: Establishment of a marketplace for locating and getting reviews on cloud services/providers is a key way to enter the market.

Key Issue: What is the current vendor landscape and how will it evolve in the next 12 to 18Key Issue: What is the current vendor landscape and how will it evolve in the next 12 to 18 months?Marketplaces have been established for a long time in B2B circles. However, in cloud computing, the concept is rather rare. In order to grow effectively, cloud providers will need to adopt a model similar to marketplaces that learns from B2B exchanges and trading communities. These communities share knowledge, references, pricing information, ratings and customer experiences. Multiple styles of communities will need a number of technologies that enable B2B interactions, performance enhancement and governance These include:and governance. These include:• Trading communities• Governance technologies• Information and data exchanges• Integrators and outsourcersCloud adopters will benefit from establishing relationships with traditional B2B integration companies like



Cloud adopters will benefit from establishing relationships with traditional B2B integration companies like Sterling and GXS, as well as relationships with governance gateway providers like Sonoa, or SaaSintegration vendors like Cast Iron and Boomi.

Cloud Governance



cloud governance - gartnergartner.com.br/tecnologias_empresariais/pdfs/brl37l_c5.pdf · cloud...

Documents