Enterprise Cloud Governance: Policies and Metamodels

By Dave Roberts on August 2nd, 2011 at 11:53 am EDT

Posted In: Uncategorized

James Urquhart wrote a good piece for CNET yesterday, titled Regulation, Automation, and Cloud Computing. In it, James comments on a blog by Chris Hoff discussing some of the downsides to automation. Originally, Chris had pointed out that heavily automated environments don’t leave a lot of room for human intervention when things go wrong and rapid automatic response can actually lead to cascading failure when the world fails in a way that was not expected by the automation creator. James then made the point that automation also interacts with the legal and regulatory spheres. James says:

If we are changing the very configuration of our applications–including location, vendors supplying service, even security technologies applied to our requirements–how the heck are we going to assure that we don’t start breaking laws or running afoul of our compliance agreements?

 

It wouldn’t be such a big deal if we could just build the law and compliance regulations into our automated environment, but I want you to stop and think about that for a second. Not only do laws and regulations change on an almost daily basis (though any given law or regulation might change occasionally), but there are so many of them that it is difficult to know which rules to apply to which systems for any given action.

 

In fact, I long ago figured out that we will never codify into automation the laws required to keep IT systems legal and compliant. Not all of them, anyway. This is precisely because humanity has built a huge (and highly paid) professional class to test and stretch the boundaries of those same rules every day: the legal profession.

Chris is right.

James is right insofar as he identifies the problem and then says that it’s impossible to codify every single law and regulation into the automation system.

But, while we can’t codify everything, that also isn’t an argument to avoid codifyinganything.

The basic problem is that with cloud, we’re no longer building control systems strictly for IT operations personnel. I believe that the whole BIG IDEA with clouds is that we can decentralize and democratize the control systems that drive IT resources. Right now, the IT department controls all IT systems. You want something done? You talk to IT. If and when IT can get around to it, you might get what you want. And ultimately, that’s a slow, inefficient way to run a railroad. There are many ideas that business units have that simply can’t be executed on because the amount of time and energy spent trying to get IT to deliver the right resources is too high. But with that slow inefficiency also comes a control point such that we can enforce enterprise governance requirements. Today, there are enough human review and approval processes in place to put the brakes on most ill-conceived ideas that would violate laws or regulations.

With cloud, however, we have the opportunity to make IT completely self-service. And that’s wonderful for creating increased business value because it means that business units no longer have to beg and plead with the IT department to execute on projects that are important to the business. Rather, the business can make use of self-service resources to do whatever they need. By cutting out the IT middleman from the daily requests, the speed of the solution delivery lifecycle (SDLC) increases, and, if the business is doing its job, so does business value creation.

The challenge with the self-service model is not technical. We can build all the automated systems to execute a self-service model fairly easily, and there are many examples. The big problem with self-service is governance.

If you’re running a large, multinational financial institution of the kind that ServiceMesh deals with every day, is it reasonable to expect every business-unit developer or mid-level manager in the USA to understand all the laws governing financial information in Germany or Hong Kong? Do users and developers in London understand the laws and regulations in Tokyo? The answer is most assuredly not. But with a single click, we could move a workload or dataset across the planet, violating the laws of multiple jurisdictions at the same time.

So, James says that it’s unreasonable to expect to codify the legal system into our automation systems. But it’s equally as unreasonable to expect non-lawyers (and frankly even lawyers) to understand the legal and regulatory posture of a company across all its geographies. So, what can we do?

Do we really have to achieve 100% fidelity between automated infrastructure and a constantly changing legal structure. And if we can’t, does that mean that any attempt at control is inevitably fruitless and should not even be attempted?

I don’t believe so. The ServiceMesh Agility Platform was constructed with a very richpolicy management system that goes far beyond simple user-based or role-based access control to individual resources. The Agility Platform policy management system was created to allow layering of possibly multiple conflicting policies, created by a diverse group of governance people. The policies are sorted out, prioritized, and the right things happen. The policy management system operates on a customizable meta-model which allows every high-level object type within the Agility Platform (applications, stacks, scripts, clouds, etc.) to be tagged with attributes that can then be inspected as part of policy decisions.

Thus, we can create policies as rich as something like, “Bob is allowed to deploy workload X into Cloud Y. But because X requires SSAE 16 (the follow-on to SAS 70), X can only be deployed into datacenter Z, which has SSAE 16 certification. And all network traffic to and from the workload must be encrypted. And all storage must be encrypted. And only into the non-production environment. And only on Tuesday.” And even more complex than that. Or a lot simpler than that. If you want, you can just specify that Bob is only allowed to deploy things in Cloud A and be done with it.

In short, almost anything can be expressed in the Agility Platform policy system — it’s that rich. And that’s critically important when, as James says, you’re trying to track the whims of lawyers across the world.

It’s another matter keeping all those policies up to date, however. James points out that the laws are constantly changing. That’s one reason it would be foolish to hard-code them into the automation system itself, whether that’s a standard management system, a low-level run-book automation oriented orchestration package, or a Perl script. With the Agility Platform, we made policies stackable and easily editable by mere mortals (AKA governance and compliance personnel) with a WYSIWYG graphical editor, rather than relying on coders. This means that the job of creating and maintaining policies can be delegated and distributed to those people who are in the best position to implement them. Policies are then checked at the appropriate times by the platform, automatically.

Is this a perfect solution? No. James is right in that the problem is hard and I can’t conceive of a 100% solution. We still rely on humans to codify laws and regulations and those must be kept up to date and applied correctly. But we’re not creating a brittle, completely unmaintainable system where the policies are “baked into” our scripting. We have a system where policies are stacked and interact correctly. In short, it’s built to scale and about as clean of a system that I can imagine.

Focus on Architecture First Before Moving to the Cloud

“The point of enterprise architecture is to look beyond the silos and create a blueprint for the business’ big-picture strategy.” Read more.

These guys are cool in the cloud

These guys are cool in the cloud

I just published a blog from the web site talking about a speaking op they gave at Cloud Expo NYC. Other Meshians might find it interesting, particularly if you have customer-facing roles. The blog links to the Cloud Expo presentation which was video taped.

Blog: http://www.servicemesh.com/posts/searching-for-the-big-win/
External link to the video: http://downloads.sys-con.com/download/wc_cc11e_servicemesh

SAP Upgrade Assessment' service for a flat charge

We can offer 'SAP Upgrade Assessment' service for a flat charge of $9000 US We can also tier the pricing, based on number of custom objects that you the customer would have (<5000 custom objects; 5k to 10k; 10 to 20k; > 20k custom objects etc.) The job can be performed remotely.

Here are our details...

Execution Model:
- you the customer should bring up a sandbox ECC 6.0 system loaded with the old objects
- We will deploy the assessment tool (Impact Analyzer) in this system remotely
- Run the Impact Analyzer tool
- Following are the deliverable's:
O Inventory list of custom objects
O Details of Source objects affected by Upgrade
- by Type (Reports, Function Modules, etc.)
- by Level of impact (High impact, Medium impact, Low impact)
- by category (Syntax Errors, Unicode Errors, Obsolete statements, Obsolete Function Modules used, BDC issues, Warning & Informational Extended checks)
O Effort estimation for Code Adjustment (to help on overall Project Plan)

We would like to connect with you and your team to discuss about our SAP Upgrade offerings. and how we can effect proper change in your upgrade.

Thank you
Christopher Carter VSP, CCSP
CEO/CTO
HiLn
12745 Townsend Rd,
Brookfield, WI 53005
Phone: 262.439.8391
Cell: 414.614.1394
Fax: 262.439.8729
PF: 414.892.5773
CMC@hiln-solutions.com
www.hiln-solutions.com
twitter.com/ccarter1969
http://virtualizationofsap.blogspot.com/
http://strait-talk.blogspot.com/

Moving SAP From The Data Center To The Cloud Gets Automated

http://www.crn.com/software/223100873

By Andrew R Hickey, ChannelWeb

2:55 PM EST Fri. Feb. 26, 2010

SAP (NYSE:SAP) is complex, there's no question about that. And moving SAP and other applications from development and evaluation into production environments and between physical, virtual and cloud environments is no easy feat, not to mention it's time consuming and costly. Cloud vendor AppZero is looking to ease SAP deployments and give VARs the ability to boost the speed of SAP installations while also reducing the costs. The vendor also aims to cut time and costs when dealing with SAP can give VARs an edge.
AppZero has just released AppZero for SAP, a solution that can chop the time it takes to deploy and install SAP applications and suites down from days to about 10 minutes across physical and virtual servers and to cloud environments like Amazon EC2.
Essentially, AppZero for SAP gives VARs, integrators and software vendors the ability to install SAP apps -- from SAP All-in-One to full ECC -- into an AppZero Virtual Application Appliance (VAA). VAAs decouple an application from the operating system and encapsulate it with all of its dependencies. Once a VAA is created, it becomes a gold image or single point of management that can be moved from system to system, stored anywhere and deployed among servers either physical or virtual and on-premise or in the cloud, said Greg O'Connor, AppZero CEO.
"You can pick up applications and move them from the data center to the cloud as one file," O'Connor said, adding that AppZero "encapsulates applications, in this case SAP" and that the process takes roughly 10 minutes.
The ability to automate application release management and to quickly move applications, like SAP, through the various stages like development, quality assurance, testing and production, adds a new level of mobility. Applications can be quickly moved from the data center to the cloud and vice versa, O'Connor said.
"They can run an application wherever they need to," he said, adding that moving applications from the data center to the cloud is difficult and usually requires a full reinstall.
And for solution providers, swiftly moving SAP and other applications is a solid differentiator. Christopher Carter, CTO of HiLn, a Brookfield, Wis.-based solution provider, said as more of his clients look to upgrade SAP or move SAP to non-production environments like a staging area or sandbox, they're looking for easier ways to move between the data center and the cloud.
"Compared to the competition in the market, if you can take a standard SAP environment and encapsulate it we can go out to clients and say, 'in 10 minutes you can have a server running in one of our clouds.'"
Carter said SAP applications and deployment stacks are complex and must be tested under real world load conditions to assess how it will perform in production. AppZero enables a process that ensures systems are tested for the cloud.
HiLn's Silver Lining Cloud Solution lets users start, stop, reuse, throw away and start new SAP clouds in minutes. A full SAP ECC 6.0 ERP suite can be provisioned, cloned and moved to a pay-as-you-go cloud environment.
Carter said reducing SAP updates and moves from up to 30 days to 10 minutes without the setup of hardware can ultimately save customers tens of thousands of dollars and saves them from having to stop production systems.
"That's tens to hundreds of thousands in savings during an upgrade or installation, it's amazing," he said.
So far, HiLn has engaged several organizations about AppZero for SAP and has built a specific SAP-centric cloud as part of its two-month-old Silver Lining Cloud Solution.
While it's still in beta, AppZero for SAP is expected to be available for general availability in four to six weeks. Meanwhile, Andover, Mass.-based AppZero is working with just over a dozen partners.
"This focuses on a very niche component of the SAP landscape," Carter said. "Firms are looking to take non-production-based environments to the cloud."
O'Connor agreed.
"It can take months to create a copy of SAP for training or a sandbox for prep; any non-production use case," he said. "Now they can be set up quickly on premise or in the cloud."

SAP Training Cloud Pricing

SAP Training Cloud Pricing

HiLn has created the “Silver Lining” cloud solution specifically to meet your needs!

The Silver Lining from HiLn is a pre-configured training cloud with a SAP client pre-installed.  This cost effective solution is readily accessible for your SAP training environment needs, and eliminates the added hassles of SW, HW and ongoing maintenance issues for yourself and your internal IT resources.

Here are the Silver Lining packages available –
3 months                     $150
6 months                     $250
12 months                   $365

The packages include login access for one person for the timeframe listed, and are accessible 24x7x365 from anywhere in the world. For as little as $1.00 per day you can continue developing your skills in your own private SAP training cloud.

Contact us directly at  262.439.8391 or via email at
silverlining@hiln-solutions.com This e-mail address is being protected from spambots. You need JavaScript enabled to view it to discuss how you can get your Silver Lining SAP cloud today!

SAP Training System for $1.00 per day

Now an installation thats another issue you would need another piece of HW to run it on and do an install, maintain it as a part of your landscape do refreshes etc. Oh and then your BASIS team would need to maintain and run it.....Fun, fun for those guy's, or if your a solo consultant without a corp. prd. SAP environment. OR you can go to the Silver Lining!

The Silver Lining from HiLn is a pre-configured training cloud ready to run with a SAP client pre-installed. All you need to do is decide what you want and in 30 minutes you get your own SAP training solution to use as you see fit.
Best part is your internal team does not need to install the SW, maintain it, monitor it, refresh or worry about it because it is in our cloud.

you can train 24x7x365 from anywhere in the world. No muss no fuss for $1.00 a day you can be training....reach us directly at (262)439-8391 to discuss how you can get your Silver Lining SAP cloud today!