How to avoid chaos in the cloud

Enthusiastic adoption of cloud services leaves IT with a governance headache. Okta is one of a new breed of vendors aiming to help get on top of the problem.
Written by Phil Wainewright, Contributor

Several years back, I joked that widespread enterprise adoption of cloud services would surely result in Gartner producing "a damning report on the unrecognized TCO of on-demand services," just as it once did for personal computing many years ago at the height of the PC boom. With any popular new technology, corporate adoption tends to run ahead of governance, and the result is an unplanned and unmanageable stew that introduces unexpected costs and headaches alongside the anticipated benefits.

For now, Gartner is aiming elsewhere, channeling dissatisfaction with the established enterprise software vendors. That's interesting in itself, as Gartner's advice is finely tuned to remain just a small step ahead of its clients' thinking, and so presages a tough few years for SAP, Oracle, IBM and Microsoft.

Meanwhile, the problem I predicted is well and truly here already, even if Gartner hasn't drawn attention to it yet. I wrote about it back in August:

"Very few enterprises that are adopting cloud applications and infrastructure are giving enough thought to governance. The result is a mish-mash of SaaS silos and cloud islands, with very little attention paid to data consistency and integration, and even less to policy management and oversight. This is bad enough in organisations that run all their operations in the cloud, but most enterprises are not in that happy space. The vast majority have to manage a hybrid infrastructure ..."

One vendor that's emerged to help enterprises get on top of what has been called a Franken-SOA of cloud services is Okta, which has some substantial VC backing. Led by Todd McKinnon, a former VP of products and platforms at Salesforce.com, Okta provides a cloud-based identity store that's designed to connect into Active Directory or LDAP infrastructure so that an enterprise can extend its existing user provisioning and access policies to cloud services. "The big gap we see is that this generation of technology needs a system and a platform to manage and secure it," he told me last week.

McKinnon said that enterprises have been blind-sided by adoption of cloud services and their lack of readiness is opening up vulnerabilities. "It's very clear to me that the state of the art in security and how we manage these things today is like the consumer web in 1995," he said. "There's no strong authentication ... They don't have consistent security policies across all the services they use. Companies don't have good processes to ensure accounts are turned off ... This is critical IT infrastructure and this needs to be managed like we know how to manage IT assets."

These are early days in the cloud governance game, so organisations that want to get on top of their mish-mash of cloud services today are going to have to use a mish-mash of solutions. Okta has started out focusing on single sign-on and authentication. "In the future, our vision is to provide complete visibility into performance and availability and SLA conformance," says McKinnon, but for now anyone wanting to add those capabilities must go elsewhere. That may mean utilizing on-premises SOA monitoring and governance solutions, or even building a complete custom solution on recently funded cloud management platform Servicemesh. Those alternatives look pricey compared to Okta, which, true to its Salesforce.com roots, is targeting more of a midmarket customer profile.

Of course many readers may well feel that the best way to avoid these problems is to steer clear of cloud services altogether, but I suspect that's a rather short-sighted view. Enterprises are going to be adopting cloud services whether the IT team likes it or not, and the priority should be developing a governance and connection strategy to manage it all. I'm interested in hearing about other vendors with offerings in this space — please post a Talkback comment if you know of any or have deployed such solutions.
