By Fred Spalanzani, VP, IT Enterprise Architecture & Strategy at NetApp
Don’t panic. By governance I am not talking about bureaucratic processes, proclamations, or rules. It is about creating a structured process and roadmap for evaluating and making smart decisions on how your IT organization will manage its new role as a service provider and broker. When running a hybrid IT architecture, some workloads stay on-premises (private) while others run in the external (public) cloud. Management and integration become a mixed bag in which workloads can be migrated back and forth, as shown in Figure 1.
To maximize our investment, benefits, and the agility of cloud computing, the NetApp IT organization designed a cloud governance approach that balances agility, vigilance, control, and risk.
Cloud Decision Framework
We began our governance approach by working with our business leaders to designate which critical business workloads and centralized applications needed to remain on-premises in the company’s internal data centers. Together we walked through our application service catalogue and marked which candidates were a fit (or not) for the cloud. By going through this exercise, our business stakeholders came to understand the platform options, key characteristics, and associated risks of the cloud. The risks associated with cloud computing are periodically assessed, tracked, and mitigated in line with the business strategy and overall risk appetite of the company.
You will find the Cloud Decision Framework used by NetApp IT here. This framework contains advice on selecting a trusted cloud service provider (CSP) based on risk assessment, architecture requirements, business cost, and ROI.
Security and Risk
Security and risk management are crucial when sourcing a CSP. Our trusted cloud provider approach started from artifacts produced by the Cloud Security Alliance and added other risk scenarios specific to our enterprise. We spent time understanding how this shared-responsibility partnership would work, in particular which IT controls remained with us and which controls the CSP would be expected to provide. This is shown in Figure 2.
We then looked across the enterprise stack at architectural patterns, security, data escrow, data privacy, and other issues to put the right policies and controls in place. We feel enterprise IT organizations should negotiate terms and conditions, as part of the managed service agreement (MSA), that reduce risk and liability for items such as data loss, service loss, service price, and compliance breaches that result in legal action or business loss.
The legal, compliance, and security teams should have a solid understanding of the cloud, the various controls needed, and all of the nuances to make good decisions that mitigate risk. We found that a lot of education was needed to get past the security and risk fears around the cloud. I suggest you start by getting the information security and legal teams comfortable, then mature the whole team in time to move to a more optimized, brokered risk model.
When considering the financial aspects of governance, metering and chargeback become crucial. This requires a top-down approach. NetApp is starting with a showback model and plans to mature to a chargeback model. Frankly, this approach takes patience along with a lot of changes to our financial and billing systems, which are still in traditional mode. Our plan is to adopt the established model in the private (internal data center) cloud to better optimize the balance of capital to operating expenses. Because capacity in the external cloud is effectively unlimited, making sure the right quota-based entitlement policies are in place is important to keep consumption and spend under control.
Governance and Lifecycles
Governance policies need to make sure the right workloads are being provisioned and that their lifecycles are managed. We created the checklist (shown in Figure 3) that applies our standards, operational processes, and best practices when onboarding workloads. In the case of our hybrid model, we made sure architectural and API compatibility were considered and that the northbound APIs were rich enough for our developers to consume.
For next-generation network application development, be sure to look at the principles of elasticity, fault tolerance, and statelessness, to name a few. Also, don’t forget that periodic audits are needed to make sure the CSPs are maintaining their service-level agreements (SLAs) and commitments.
Driving cloud governance and policies is important, but make sure the policies are actually acted upon as cloud adoption increases. Periodic audits across the whole lifecycle are very important and enable us to improve how we do things.
NetApp IT is defining governance and principles deliberately. Our maturation is happening steadily over a period of 12+ months and covers an ecosystem of traditional deployments, SaaS applications, public cloud IaaS, and private cloud resources. Our governance considerations look at strategic business value, the need for flexibility, the value of the underlying data, workload business criticality, performance, security, compliance, and integration with other workloads.
The NetApp-on-NetApp blog series features advice from subject matter experts from NetApp IT who share their real-world experiences using NetApp’s industry-leading storage solutions to support business goals. Want to learn more about the program? Visit www.NetAppIT.com.