The software-defined data center allows highly agile management of a multitude of cloud resources (e.g., servers, networks, storage) by placing those resources under programmatic control. Once the basic infrastructure is in place to reconfigure cloud resources automatically via software, the problem remains of building the management tools that perform that reconfiguration if and when it becomes necessary. Such software must learn about events that occur in the cloud, understand how those events affect the cloud's behavior, and take action when the behavior of the cloud falls out of line with the cloud owner's wishes.
Cloud owners have a plethora of reasons to want a cloud to behave in a certain way. Sources of restrictions on the behavior of the cloud include organizational policies dictating how IT resources are to be deployed, industry standards that determine how all organizations in a certain sector (e.g., finance or healthcare) are required to manage their IT resources, contracts an organization makes with other organizations or with individuals about cloud infrastructure allocation and content management, and governmental regulations dictating basic procedures to be obeyed. These different restrictions impose different “policies” that the cloud must obey. When a cloud violates its policy, there are various potential costs (monetary, legal, fiduciary, and so on). Enforcing policy and managing policy violations are crucial tasks for bringing the software-defined data center to maturity.
Automated policy-based management of the cloud faces several challenges. First, many real-world policies are written in high-level terms (e.g., users, applications, data) rather than in terms of the resources that actually exist in a cloud (e.g., compute, networking, storage). Second, numerous different types of resources must be managed. A single policy might depend on organization charts stored in relational databases, configurations for networking boxes from different vendors, packages installed on different compute servers, data stored in an inventory management system, and user information stored in Active Directory. Third, depending on the policy and the cloud resources available, perfect policy enforcement (preventing violations before they occur) may be impossible, so violations must instead be detected and remediated after the fact.
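To make the first two challenges concrete, the following is an added illustration (not code from the original text): a high-level policy phrased in terms of departments and data classes is evaluated by joining facts held in several separate sources, each represented here by a constructed in-memory table, and the result is a list of violations to remediate rather than a preventive control.

```python
from dataclasses import dataclass

# Constructed sample data standing in for the separate cloud sources
# named in the text. Names and values are illustrative assumptions.
AD_USERS = {"alice": "finance", "bob": "engineering"}           # Active Directory: user -> department
INVENTORY = {"db01": "customer-records", "web01": "public-site"}  # inventory system: server -> data class
NET_ACLS = {"db01": {"alice", "bob"}, "web01": {"alice", "bob"}}  # network config: server -> users allowed in
PACKAGES = {"db01": {"postgresql", "openssh"}, "web01": {"nginx", "telnetd"}}  # packages per server

# High-level policy, written in the vocabulary of data classes and departments,
# not of servers, ACL entries or package lists.
ALLOWED_DEPARTMENTS = {"customer-records": {"finance"}}   # who may reach which data class
FORBIDDEN_PACKAGES = {"telnetd"}                          # cleartext remote login is never allowed


@dataclass(frozen=True)
class Violation:
    policy: str
    server: str
    detail: str


def check_policies(users, inventory, acls, packages):
    """Translate the high-level policy into checks on concrete resources.

    Each violation is produced by joining the inventory (data class per server)
    with the network ACLs (users per server) and the directory (department per
    user), or with the package lists. The function only reports; remediation
    is a separate step, as the text notes prevention may not be possible.
    """
    violations = []
    for server, data_class in inventory.items():
        allowed = ALLOWED_DEPARTMENTS.get(data_class)
        if allowed is not None:
            for user in sorted(acls.get(server, set())):
                dept = users.get(user, "unknown")
                if dept not in allowed:
                    violations.append(Violation(
                        "data-access", server, f"{user} ({dept}) may reach {data_class}"))
        for pkg in sorted(packages.get(server, set()) & FORBIDDEN_PACKAGES):
            violations.append(Violation("forbidden-package", server, f"{pkg} installed"))
    return violations


if __name__ == "__main__":
    for v in check_policies(AD_USERS, INVENTORY, NET_ACLS, PACKAGES):
        print(f"[{v.policy}] {v.server}: {v.detail}")
```

Adding a new data source (say, a second vendor's network configuration) means extending the join, not rewriting the policy, which is the separation the text argues a mature policy engine must provide.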
There are many existing and proposed attempts at policy-based management for the cloud. Some of these are piecemeal solutions, focused on compute, networking, or storage in isolation. Such approaches fall short because real-world policies often span the typical infrastructure silos and require integrating information and action from compute, networking, storage, and other cloud services. While some higher-level management approaches span the traditional silos for both expressing and enforcing policies, they generally do not prevent policy violations as robustly as they could.