extending soa to public clouds through federated soa

DESCRIPTION

This PowerPoint, presented at the SOA Cloud Symposium in Berlin, defines cloud computing and looks at the prerequisites for extending enterprise infrastructure to cloud computing.

TRANSCRIPT

Page 1: Extending SOA to Public Clouds through Federated SOA

Proprietary and Confidential

© 2004-2010 Crosscheck Networks

Requirements for Extending Enterprise SOA to Public Clouds

Page 2: Extending SOA to Public Clouds through Federated SOA

Agenda

• Understanding Clouds
• Migration Risks and Costs
• Federated SOA: A Pre-requisite for Migration
• Best Practices: Extending Federated SOA to Cloud Computing
• Questions/Comments

Page 3: Extending SOA to Public Clouds through Federated SOA

Understanding Cloud Computing

• My Favorite Definition:
  – "...the market seems to have come to the conclusion that cloud computing has a lot in common with obscenity -- you may not be able to define it, but you'll know it when you see it." James Urquhart
• Definition (NIST):
  – On demand Self Service
  – Resource Pooling
  – Rapid Elasticity
  – Measured Service
  – Broad Network Access

Page 4: Extending SOA to Public Clouds through Federated SOA

Understanding Cloud Computing

• Software as a Service (SaaS)
  – Provides a fully functional application and potentially an API
  – Salesforce.com, Netsuite, Gmail, etc.
• Platform as a Service (PaaS)
  – Runtime environment for the application and an integrated application stack
  – MS Azure, Google App Engine
• Infrastructure as a Service (IaaS)
  – Set of virtualized components that can be used to construct and run an application
  – Amazon EC2, Rackspace, GoGrid

Page 5: Extending SOA to Public Clouds through Federated SOA

Cloud Vendors – IaaS

• IaaS Vendors with APIs
  1. Amazon EC2
  2. GoGrid
  3. OpSource
  4. Rackspace
  5. Flexiscale

Page 6: Extending SOA to Public Clouds through Federated SOA

Core Migration Questions

• Which applications or their components should be migrated to the cloud?
• What should be the order/priority of migration?
• Which IaaS cloud provider should be selected based on application performance and reliability requirements?
• How do I mitigate enterprise-to-cloud migration risk?

Page 7: Extending SOA to Public Clouds through Federated SOA

Typical Enterprise-to-Cloud Migration Process

• Select Business Application, Services or Components
  – Re-use
  – High scaling demands – current scaling model not sustainable
  – Quick spin-up times
• Select IaaS provider
  – Register
  – Get Identity Key
  – Select Server Class
• Install/Activate Components
  – Build full reference system with test data in the cloud
  – Database, ESB, Application Server, CMS, Identity store
• Test Enterprise-to-Cloud Interaction to evaluate:
  – Security, Reliability
  – Communication Protocols: Transactions + Management
  – Class of Servers provided by IaaS vendor
  – Memory, CPU, Storage characteristics in a multi-tenant environment
  – Performance characteristics of Cloud infrastructure at various times

Page 8: Extending SOA to Public Clouds through Federated SOA

Enterprise-to-Cloud Migration Risks and Costs

• Risks
  – Security and Reliability
  – Added latency of Enterprise-to-Cloud Network hops
  – Timeouts, message delivery errors
  – Performance variability of multi-tenant environments
• Costs
  – IaaS provider costs are minimal but vary: $0.08/hr to $2.40/hr
  – Installation/bundling/imaging costs
  – Establishing Enterprise-to-Cloud communication (Cloud Gateway, ESB, Application Server, Load balancer, Firewall)
  – Hand coding “what-if” scenarios for:
    – Timeouts
    – Message delivery errors
    – Security profiles
  – Evaluate Multiple IaaS providers
    – Different Token Types
    – Different Management APIs
    – Different Server Classes and cost structure

Page 9: Extending SOA to Public Clouds through Federated SOA

Alternative Migration Strategy: Cloud Simulation

• Cloud Simulation and Migration Modeling
  – Instead of building a fully-functional reference architecture across multiple cloud providers
  – Simulate prior to implementation – reduce risk, don’t touch production code
• Expenses that can be eliminated/reduced through simulation and modeling
  – A full-scale, redundant architecture that involves hardware acquisition and software licensing costs
  – Hiring dedicated development teams to perform testing and benchmarking
  – Custom hand-coding “what if” scenarios to determine error conditions related to latency, performance, scalability and security
• Quantifiable information necessary for understanding Enterprise-to-IaaS
  – Performance metrics
  – Geographic latency and service initiation/“spin-up” times
  – Failures, outages and application error states
  – Security, capacity and interoperability

Page 10: Extending SOA to Public Clouds through Federated SOA

Cost-Risk Trade-offs

• Enterprise-to-Cloud migration simulation may reveal key trade-offs between cost and risk factors
• Costs
  – Server Class:
    – Server class required within a cloud provider to maintain the required application performance thresholds may be cost prohibitive.
    – Top-end : entry-level = 30:1
  – Multiple Cloud Providers: redundancy and failover
    – Varying Cost Structure
  – Other cost factors
    – Costs of securing, managing and monitoring enterprise-to-cloud interaction
    – The actual cost of migration.

Page 11: Extending SOA to Public Clouds through Federated SOA

Cost-Risk Trade-offs: Sample IaaS provider costs

Page 12: Extending SOA to Public Clouds through Federated SOA

Cost-Risk Trade-offs

• Risks
  – Change in Topology by adding “Cloud Node.”
  – Performance variability, especially significant in shared, multi-tenant environment
  – Cloud Reliability – Outages require redundancy across providers
  – Security – New processes have to be instituted
    – Secure Enterprise-to-Cloud communication
    – Data is encrypted in shared environment
    – Clean up once instances are terminated.
• Possible Trade-off Results
  – Application suited for a private cloud with only capacity off-loaded to cloud temporarily.
  – Latency added by Cloud node may be unacceptable. Candidates may be asynchronous or batch type applications

Page 13: Extending SOA to Public Clouds through Federated SOA

Federated SOA: A Pre-requisite for Enterprise-to-Cloud Migration

• Federated SOA
  – Successful enterprise SOA implementations build on a set of localized, project-level efforts with services that have clearly identified and accountable business and technology owners.

Post-2008 Trend towards core business focus Federation

Page 14: Extending SOA to Public Clouds through Federated SOA

Prerequisite #1: Federated Identity

• Driver
  – All interactions across SOA Domains require identity tokens
  – Two Dimensional: Transaction and Management identities need to be addressed
• Many Token Types
  – Protocol: HTTP Basic Auth, SSL Mutual Auth, Cookies
  – Content: WS-Username, WS-X.509, WS-SAML, WS-Kerberos, SAML
• Enterprise Cloud Computing Implications
  – Enterprises have to consume and generate different token types
  – Token types across IaaS providers are non-standard (proprietary Hashing)
  – Centralize Token Management across multiple cloud vendors

LDAP

Page 15: Extending SOA to Public Clouds through Federated SOA

Prerequisite #2: Interoperability

• Driver
  – Varying message formats generated and consumed by a large variety of application types
  – Message formats are domain and application specific – cannot be mandated and altered readily
• Interoperability Categories
  – Message
    – Structural: JSON SOAP
    – Semantic: PONum PurchaseOrderNumber
  – Protocol
    – Across SOA Domains: HTTP (AS/2)
    – Closer to Mainframes: JMS, MQSeries, FTP
• Enterprise Cloud Computing Implications
  – Cloud Management: Varying APIs across providers
  – Protocol and Message transformation
  – Parsing XML and SOAP, extracting service information from WSDLs, HTTP Header manipulation
  – Extensive Testing infrastructure

Page 16: Extending SOA to Public Clouds through Federated SOA

Prerequisite #3: Message Hygiene

• Driver
  – Large volume of messages have to safely make it to their destination without any tampering.
  – Cannot lose a single message in mission critical environments
• Checking for Message Hygiene
  – Message Structure is within the bounds provided by schema (XSD).
  – Attachments are clean (no malware has been added).
  – Run-time centralized checking of message hygiene: quarantine, analyze, remediate
• Enterprise Cloud Computing Implications
  – Unadvertised changes to services can cause outages
  – Management and Transaction type messages require inspection
  – Good Cloud Citizens check their messages before invoking management APIs
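
An added example, not part of the original slides: a run-time hygiene gate of the kind this slide describes, in Python. The policy dictionary stands in for an XSD (the standard library has no XSD validator); the function name, the limits and every element name except PONum and PurchaseOrderNumber are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed policy standing in for the XSD bounds: allowed child elements
# with a maximum text length, required elements, and an overall size limit.
POLICY = {
    "root": "PurchaseOrder",
    "children": {"PONum": 16, "Amount": 12, "Note": 200},
    "required": {"PONum", "Amount"},
    "max_bytes": 4096,
}

def check_hygiene(raw: bytes, policy=POLICY):
    """Return ('forward' | 'quarantine', reason) for one message."""
    if len(raw) > policy["max_bytes"]:
        return ("quarantine", "message exceeds size bound")
    # These messages never need a DTD, so refuse one before parsing.
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        return ("quarantine", "DTD or entity declaration present")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return ("quarantine", f"not well-formed: {exc}")
    if root.tag != policy["root"]:
        return ("quarantine", f"unexpected root element {root.tag}")
    seen = set()
    for child in root:
        limit = policy["children"].get(child.tag)
        if limit is None:
            return ("quarantine", f"unexpected element {child.tag}")
        # Nested content or over-long text falls outside the declared bounds.
        if len(child) or len(child.text or "") > limit:
            return ("quarantine", f"{child.tag} outside structural bounds")
        if child.tag in seen:
            return ("quarantine", f"duplicate element {child.tag}")
        seen.add(child.tag)
    missing = policy["required"] - seen
    if missing:
        return ("quarantine", "missing " + ", ".join(sorted(missing)))
    return ("forward", "ok")

# Constructed sample messages (UTF-8 assumed).
GOOD = b"<PurchaseOrder><PONum>PO-1001</PONum><Amount>250.00</Amount></PurchaseOrder>"
# An unadvertised rename of PONum by the sending service.
RENAMED = (b"<PurchaseOrder><PurchaseOrderNumber>PO-1001</PurchaseOrderNumber>"
           b"<Amount>250.00</Amount></PurchaseOrder>")
OVERLONG = b"<PurchaseOrder><PONum>" + b"9" * 64 + b"</PONum><Amount>1</Amount></PurchaseOrder>"

if __name__ == "__main__":
    for name, msg in (("good", GOOD), ("renamed", RENAMED), ("overlong", OVERLONG)):
        print(name, check_hygiene(msg))
```

The renamed field is quarantined rather than passed downstream, which is how an unadvertised service change surfaces at the gate instead of as an outage. Attachment scanning is outside what this sketch covers.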

Page 17: Extending SOA to Public Clouds through Federated SOA

Prerequisite #4: Security and Reliability

• Drivers
  – Messages should not be compromised – and they should make it to their final destination
  – SLAs and Regulations
• Security
  – Protocol Level: SSL
  – Content Level: XML Security Encryption and Signatures
• Reliability
  – HTTP inherently unreliable – JMS not used for cross Domain communication
  – Use Re-tries, WS-RM not available for IaaS
• Enterprise Cloud Computing Implications
  – Well developed PKI Management
  – Established SSL communication infrastructure
  – Content-level security for communications and IaaS apps
  – Controlling image/instance movement

Page 18: Extending SOA to Public Clouds through Federated SOA

Tools, Techniques and Best Practices for Migration

• Planning:
  – Think Global, Act Local
• Business Drivers/Owners
  – Business Service Owner
  – Technology Owner
• Requirements:
  – Establishing Trust: Federated Identity Management
  – Interoperability: Varying Message Types
  – Flexibility: Virtualization & Leveraging Legacy Systems
  – Message Hygiene: Check/Validate In-bound and Out-bound Messages
  – Governance: Enforce, Measure and Audit SOA policies
• Lessons
  – Federated SOA is NOT a product or technology, it is an architecture and philosophy
  – Architecture: May not get everything right on 1st implementation, but be sure to get the architecture right.
  – Federated SOA is hard, but with the right approach, it can unlock tremendous value

Page 19: Extending SOA to Public Clouds through Federated SOA

Mission Critical Deployments

• Synovus Financials is a $33B Financial Institution that provides retail and commercial banking throughout South East U.S.
• Deployed a Federated SOA strategy for call centers, branch platforms, deposit platforms, loan platforms, Internet and Mobile Banking
• Cut $1M/year in 3rd Party processing in just the first year.
• Unified Customer activity view
• Integrated Systems and Portals with over 35 trading partners
• Over 2 Billion Transactions Per Year; 150,000 Concurrent Users
• 20 Appliances across 2 Data Centers
• Winner of Grand Prize – CIO Magazine

“It's hard as a customer service rep to look credible in front of the client when you don't have the transaction related facts easily at your disposal.” – John Woolbright, CTO

Page 20: Extending SOA to Public Clouds through Federated SOA

Deployment Scenario – Synovus Financial

Page 21: Extending SOA to Public Clouds through Federated SOA

Extending Federated SOA to Cloud Computing

Simulate and Model Migration

Page 22: Extending SOA to Public Clouds through Federated SOA

Identity Token Generator, WS-Security, Native PKI, Runtime State Machine

SERVICE SIMULATION

• Point and click WSDL and XML Simulation
• Simple and Complex business logic simulation
• Verify Client Functional Adherence
• Allows Parallel Client and Service Development
• Improve interoperability
• Provide consistency across organizational lifecycle

CLOUD MIGRATION

• Enterprise-to-Cloud Interaction
• Model Services, ESBs, Application Servers, Databases
• Cloud Instance Performance, Latency and “Spin-up” Time
• Cloud Failures, Outages and Application Error State
• Security, Capacity, Interoperability
• Centralized Policy Control

Point-and-Click Test Generator, Custom WSDL Parser, Custom SOAP Generator, Governance Scanning Engine

Cloud Adapters: Amazon EC2, GoGrid, OpSource

Page 23: Extending SOA to Public Clouds through Federated SOA

Extending Federated SOA to Cloud Computing

Secure and Reliable Enterprise-to-Cloud Communication

Page 24: Extending SOA to Public Clouds through Federated SOA

Questions/Comments?

Mamoon Yunus: [email protected]

Visit us @ Booth #13
