The Elusive Butterfly of Policy

I love it when visionaries bridge the gaps in their utopian depictions of The Future of IT with hand-waving explanations.  As a supposed said visionary, I plead guilty.  My most recent transgression: presenting the concept of “policy” in the context of data centers, workloads, etc., as if it were well understood and its supporting technologies mature enough for market adoption.

In spinning our tales of how great life will be when we finally complete this transformation rather appropriately (due to the ambiguities involved) labeled “cloud,” we realize we can’t tell a convincing story without the Policy character.  He’s like the Sherriff in the Wild West – without him enforcing The Law, it’s just too dangerous a place for normal, everyday people.

Why do I believe policy is a gating factor for accelerating cloud adoption?

Although it is the favorite analogy of cloud evangelists, electric service is not the same as compute-as-a-service.  Unlike the power company, which sends indistinguishable electrons into your home or business and eventually into the ground, cloud computing services require that data and intents to act upon it move across that boundary.  And data is quite distinguishable, valuable, even dangerous in the wrong hands.

And that’s why policy is not simply “important” – it is essential to the success of cloud computing. Data and data access must be managed in a controlled manner, and cloud consumers will need guarantees to that effect.  Policy is the mechanism by which the degree and type of control is specified.  Policy enforcement ensures those controls are observed.

Easy. (Did you feel the rush of air on your cheek?)  Seriously, although much progress has been made to begin to express and implement policies in IT systems, it is a largely manual error-prone process.  Still, some technologies are beginning to emerge that give us a bit of hope we can really solve the problem.

But that’s only the first chapter of a longer story in which the right kinds of policies must be crafted in order to meet the intended objectives.  That’s the poster child use case for policy – compliance.  In future posts I’ll discuss how policy and automation are mutually dependent, and how together they will help us achieve policy enforcement and compliance objectives in tomorrow’s virtual data centers.

This entry was posted in Cloud Computing Technology Insights. Bookmark the permalink.

2 Responses to The Elusive Butterfly of Policy

  1. Jack Jones says:

    Craig, just read one of your blog postings. Dude, you are smart. I pretty much understand what you said, so I am feeling a real self esteem lift. I am finally doing another Christmas letter (did I hear you gasp for joy?). Where can I mail yours?

  2. Stan Barnett says:

    Under a traditional outsourcing, a customer may outsource a process to a vendor but the obligation of compliance concerning that process remains with the customer. In exactly the same way, when a European company signs up to a cloud service, although the cloud vendor is handling the company’s data, it is the company that retains responsibility for how the cloud vendor does so. The key issue to appreciate is the treatment of data in the cloud. In many ways, cloud computing is already regulated, at least insofar as data is concerned.