This article is part of a special report on how cloud computing is changing IT.
Stuart Radnidge had high hopes for the private cloud. The infrastructure architect for a large multinational financial services firm in the U.K. said he believed adding cloud computing technologies, like self-service provisioning, automated virtual machine creation and chargeback, on top of virtualized infrastructure, would bring terrific time and cost savings to IT and the business users it served.
Radnidge was trying to eliminate the sort of unnecessary bureaucratic logjams that often stifle IT and end-user projects that are designed to promote efficiency.
Things didn’t turn out as he had hoped. Despite a successful pilot and acceptance by end users across the company, the private cloud project flopped, killed by unwillingness outside of IT to budge on governance and change control.
“What we ended up with is not something I consider a cloud,” said Radnidge, who is also a virtualization blogger.
While the company still has an automation framework that predates virtualization, there is no self-service provisioning in place, nor is there chargeback. And time-consuming, bureaucratic processes are still alive and well.
For example, even though the company has virtualized the vast majority of its server operations, it still takes weeks before a new workload can be brought online. “When a person wants to provision a new app, they have to submit it to an internal infrastructure review board, which makes sure they’re not ordering some weird piece of hardware like IBM or Oracle [the bank is standardized on HP],” Radnidge said. Review boards also make sure the workloads are sized and configured properly.
But time-consuming processes don’t make sense when you’re talking about virtual machines, Radnidge said. The simple act of requesting an application on a VM removes the hardware-sizing element from the equation, and as far as application configuration and sizing, “the app owners are the app owners -- they know their requirements.”
The private cloud project started in June 2009. Six months later the pilot went live, “and it was all downhill from there.”
Shadows of doubt
This sad tale of hardened IT bureaucracy holding fast and, by doing so, derailing a private cloud project doesn’t surprise other IT managers one bit.
“What really cramps the agility of IT isn’t the lack of technology or tools. It’s the red-tape by committee,” said Rick Vanover, IT infrastructure manager for a financial services organization in Columbus, Ohio.
Working under regulatory compliance guidelines from organizations like the Payment Card Industry (PCI) and the Office of the Comptroller of the Currency (OCC), Vanover said cloud computing concepts such as self-service provisioning are simply non-starters in his organization.
“Am I going to let my users self-service provision a SharePoint site? No. What’s next? SQL Server databases?” Vanover asked rhetorically. In order to be compliant, IT must be able to prove beyond a shadow of a doubt where the data physically resides, how it’s protected and whether it’s classified correctly. Many IT professionals feel that giving end users that level of responsibility is asking for trouble.
Cloud and ITIL don’t mix
Organizations that use change control frameworks like ITIL and Six Sigma can be especially resistant to cloud computing concepts like self-service provisioning and role-based access control.
“Self-service provisioning is almost inimical to ITIL,” said Jonathan Eunice, principal IT advisor for Illuminata in Nashua, N.H. “Self-service provisioning is to let you make a change whenever you want to. ITIL is so that you can’t make a change whenever you want to.”
That was the case at Radnidge’s firm, where “ITIL puts more things in the way than it helps,” he said. And to ITIL proponents who point to the stability of their environment, Radnidge says they are guilty of circular logic.
“It’s like me saying this beanie on my head is a tiger repellant, because as long as I’ve been wearing it I haven’t seen any tigers,” Radnidge quipped.
Control and governance fears are even more acute surrounding the public cloud, said Andy Morris, director of product marketing at LogLogic, a logging software company that offers its wares through cloud providers as a value-added service. On the one hand, IT managers recognize that by putting part of their infrastructure in the cloud, “someone else can fight their fires.” But at the same time, “they’re scared they will lose visibility and control ... The techie person is a control freak, and [with cloud] they’re suddenly passing control to somebody else,” he said.
Governance -- cloud’s silver lining?
Cloud providers acknowledge that compliance and governance concerns are a hindrance to adoption, but ironically, some say that their customers actually report improved governance and control when they move to the cloud.
IT infrastructure provider Terremark Worldwide counts several government agencies among its customers that operate under the National Institute of Standards and Technology’s (NIST) stringent Federal Information Security Management Act (FISMA), said Marvin Wheeler, CTO. Initially, those customers came to cloud computing for cost reasons, he said, but stayed for the improved governance.
“Because they’re funneling everybody through a single self-service provisioning console, they’re getting a more crystallized view of what’s happening than in a non-cloud environment,” Wheeler said. “They’re finding that it’s easier to control things in a cloud environment because there’s less paperwork, loose ends and things you have to manage.”
Further, self-service consoles can be programmatically configured with built-in policies that dictate up-front who, what, where and when things can be done in the cloud, Wheeler added. “It really has the same power as the stroke of a pen on a purchase order,” he said.
Indeed, implementing policy-based constraints around self-service provisioning and access control is one sure-fire way to help the cloud pill go down easier, said Illuminata’s Eunice.
Policy-based controls are the hallmark of any number of cloud management and provisioning consoles, including VMware vCloud Director, DynamicOps Virtual Resource Manager, Abiquo, and Nimbula, to name a few. Traditional compliance frameworks like RSA Archer eGRC are also getting in on the act. In addition, numerous virtualization management suites allow IT managers to dole out role-based access control to application owners so they can manage their application without gaining access to the underlying cloud infrastructure.
Tools such as these adhere to the principle of least privilege, a common idea in security circles, said Eunice. However, a common complaint about policy-based management tools is that policies are too rudimentary.
“Where a lot of policy-based systems fall down is that they can often only affect a couple of different attributes -- usually technology-based -- and then at a very low level,” Eunice said. The ultimate goal is to “loosen up, and not have everything have to go through the central committee,” but as it stands, most policy-based systems just don’t have “the semantic richness” that they need.
But, as with many sea changes in technology, the writing is on the wall. IT professionals and end users are hungry for greater efficiency and freedom from excessive controls enabled by cloud computing technologies. It’s no longer a question of if, but when they will take hold. “A lot of companies would love to do cloud, but there are still a lot of ‘thou shalt not’ attitudes out there,” Eunice said. “The macro trend is the consumerization of IT, but it takes a long time for attitudes to change.”