How to adapt traditional governance and security standards to your organization’s virtualization and cloud architectures
By now, the benefits of cloud computing and its data center cousin—virtualized computing—are well known. Almost without exception, our customers are moving business-critical applications to the cloud or developing private and hybrid clouds through platform virtualization and software-defined networking. These new architectures provide technical advantages like speed-to-implementation, architectural flexibility and the elimination of error-prone manual processes. Moving away from legacy architectures also brings financial advantages, including long-term savings in both OpEx (through simplification and automation) and CapEx (by eliminating data center infrastructure or through network virtualization). However, as with most technologies, the very benefits of these innovations spawn unintended consequences. One of the more critical concerns in this case is the elimination of natural governance checkpoints.
In the pre-cloud and virtualization era, the implementation of a new system had several physical process controls that provided management the opportunity to ensure strategic alignment and architectural compliance. For example, financial controls based on spending authority required senior-manager approval for most capital purchases, ensuring that the purchases entered the appropriate governance processes. Similarly, the physical installation of a new server and associated networking equipment in the data center would require approvals by one or more architectural standards committees. Cloud and virtualized architectures, however, enable the instant installation of a new cloud instance or virtual machine by anyone with (often) relatively low levels of system authorization. The initial and incremental costs of new cloud instances and virtual systems are so comparatively small that they can go unnoticed. So even though the problem of unauthorized and rogue systems has always been with us, many of the controls we’ve depended on to limit them have disappeared. Security risks, compliance complications and legal issues can rear their heads in new ways with the loss of these legacy governance controls.
Without appropriate cloud and virtualization governance, many of the benefits of these architectures are diminished. Security risks increase due to the lack of control and unintended proliferation and sprawl. Costs, which are prime drivers of these technologies, can rise and weaken the real-life business case for them.
In addition to increasing operating costs, ungoverned virtualized computing can also increase switching costs. Where there have always been switching costs when deciding to change vendors, the switching costs for cloud are especially high and lead to vendor lock-in. A lack of cloud-specific governance increases potential switching costs even more. Finally, without the appropriate controls and/or incentives instantiated in governance policies and procedures, the desired levels of utilization are unlikely to be attained.
New governance structures and controls are required for this new era of flexibility and speed. Traditional governance and security standards like NIST 800-53 and ISO 27000, 27001 and 27002 need to be adapted and tailored for each company’s mix of virtualization and private, hybrid and public cloud architectures.
Adapting to a world where there are far fewer physical controls can be challenging. In this new era of speed and flexibility, traditional governance principles should still be adhered to, but the specific controls become, by necessity, more programmatic and procedural than physical. A few basic steps can help ensure the safe and effective adoption of virtualized and cloud computing:
- Start with business drivers. Governance should be constructed to enable business goals.
- Involve business owners. Business owners should be involved in the development of the governance framework. Without skin in the game, they may view governance procedures as impediments to the business.
- Integrate cloud and virtualized computing into the IT Service Catalog. This provides an enterprise context for the services they provide and an engagement model for consuming them.
- Make governance a requirement. Include governance and control provisions in the requirement sets for virtualization and cloud products. In addition to requiring that new products support setting up controls and providing visibility, require that they can be integrated into existing security and GRC platforms to provide both oversight and assurance.
- Update policies and procedures to include cloud and virtualized computing. Not only do new, technology-specific policies and procedures need to be developed, but existing policies (e.g., access management, application development, logging and monitoring) must be upgraded to include provisions for the specific challenges presented by cloud and virtualized systems.
By proactively planning for governance under conditions of innovation, organizations are able to realize the value of virtual and cloud computing while minimizing the increasingly hidden risks lurking behind the benefits.