Extending SOA to Public Clouds through Federated SOA
DESCRIPTION
This PowerPoint, presented at the SOA Cloud Symposium in Berlin, defines cloud computing and looks at the prerequisites for extending enterprise infrastructure to cloud computing.
TRANSCRIPT
Proprietary and Confidential
© 2004-2010 Crosscheck Networks
1
Requirements for Extending Enterprise SOA to Public Clouds
Agenda
• Understanding Clouds
• Migration Risks and Costs
• Federated SOA: A Pre-requisite for Migration
• Best Practices: Extending Federated SOA to Cloud Computing
• Questions/Comments
Understanding Cloud Computing
• My Favorite Definition:
  – "...the market seems to have come to the conclusion that cloud computing has a lot in common with obscenity -- you may not be able to define it, but you'll know it when you see it." James Urquhart
• Definition (NIST):
  – On-demand self-service
  – Resource pooling
  – Rapid elasticity
  – Measured service
  – Broad network access
Understanding Cloud Computing
• Software as a Service (SaaS)
  – Provides a fully functional application and potentially an API
  – Salesforce.com, Netsuite, Gmail, etc.
• Platform as a Service (PaaS)
  – Runtime environment for the application and an integrated application stack
  – MS Azure, Google App Engine
• Infrastructure as a Service (IaaS)
  – Set of virtualized components that can be used to construct and run an application
  – Amazon EC2, Rackspace, GoGrid
Cloud Vendors – IaaS
• IaaS Vendors with APIs
  1. Amazon EC2
  2. GoGrid
  3. OpSource
  4. Rackspace
  5. Flexiscale
Core Migration Questions
• What applications or components should be migrated to the cloud?
• What should be the order/priority of migration?
• Which IaaS cloud provider should be selected based on application performance and reliability requirements?
• How do I mitigate enterprise-to-cloud migration risk?
Typical Enterprise-to-Cloud Migration Process
• Select Business Application, Services or Components
  – Re-use
  – High scaling demands: current scaling model not sustainable
  – Quick spin-up times
• Select IaaS provider
  – Register
  – Get Identity Key
  – Select Server Class
• Install/Activate Components
  – Build full reference system with test data in the cloud
  – Database, ESB, Application Server, CMS, Identity store
• Test Enterprise-to-Cloud Interaction to evaluate:
  – Security, Reliability
  – Communication Protocols: Transactions + Management
  – Class of Servers provided by IaaS vendor
  – Memory, CPU, Storage characteristics in a multi-tenant environment
  – Performance characteristics of Cloud infrastructure at various times
Enterprise-to-Cloud Migration Risks and Costs
• Risks
  – Security and Reliability
  – Added latency of Enterprise-to-Cloud network hops
  – Timeouts, message delivery errors
  – Performance variability of multi-tenant environments
• Costs
  – IaaS provider costs are minimal but vary: $0.08/hr to $2.40/hr
  – Installation/bundling/imaging costs
  – Establishing Enterprise-to-Cloud communication (Cloud Gateway, ESB, Application Server, Load balancer, Firewall)
  – Hand coding "what-if" scenarios for: timeouts, message delivery errors, security profiles
  – Evaluating multiple IaaS providers: different token types, different management APIs, different server classes and cost structures
Alternative Migration Strategy: Cloud Simulation
• Cloud Simulation and Migration Modeling
  – Instead of building a fully-functional reference architecture across multiple cloud providers
  – Simulate prior to implementation: reduce risk, don't touch production code
• Expenses that can be eliminated/reduced through simulation and modeling
  – A full-scale, redundant architecture that involves hardware acquisition and software licensing costs
  – Hiring dedicated development teams to perform testing and benchmarking
  – Custom hand-coding "what if" scenarios to determine error conditions related to latency, performance, scalability and security
• Quantifiable information necessary for understanding Enterprise-to-IaaS
  – Performance metrics
  – Geographic latency and service initiation/"spin-up" times
  – Failures, outages and application error states
  – Security, capacity and interoperability
Cost-Risk Trade-offs
• Enterprise-to-Cloud migration simulation may reveal key trade-offs between cost and risk factors
• Costs
  – Server Class: the server class required within a cloud provider to maintain the required application performance thresholds may be cost prohibitive. Top-end : entry-level = 30:1
  – Multiple Cloud Providers: redundancy and failover; varying cost structures
  – Other cost factors: the costs of securing, managing and monitoring enterprise-to-cloud interaction, and the actual cost of migration
Cost-Risk Trade-offs: Sample IaaS provider costs
Cost-Risk Trade-offs
• Risks
  – Change in topology by adding a "Cloud Node"
  – Performance variability, especially significant in a shared, multi-tenant environment
  – Cloud Reliability: outages require redundancy across providers
  – Security: new processes have to be instituted
    – Secure Enterprise-to-Cloud communication
    – Data is encrypted in the shared environment
    – Clean up once instances are terminated
• Possible Trade-off Results
  – Application suited for a private cloud, with only capacity off-loaded to the cloud temporarily
  – Latency added by the Cloud node may be unacceptable; candidates may be asynchronous or batch-type applications
Federated SOA: A Pre-requisite for Enterprise-to-Cloud Migration
• Federated SOA
  – Successful enterprise SOA implementations build on a set of localized, project-level efforts with services that have clearly identified and accountable business and technology owners.
  – Post-2008 trend towards core business focus: Federation
Prerequisite #1: Federated Identity
• Driver
  – All interactions across SOA Domains require identity tokens
  – Two dimensional: Transaction and Management identities need to be addressed
• Many Token Types
  – Protocol: HTTP Basic Auth, SSL Mutual Auth, Cookies
  – Content: WS-Username, WS-X.509, WS-SAML, WS-Kerberos, SAML
• Enterprise Cloud Computing Implications
  – Enterprises have to consume and generate different token types
  – Token types across IaaS providers are non-standard (proprietary hashing/request-signing schemes)
  – Centralize Token Management across multiple cloud vendors, anchored in the enterprise directory (LDAP)
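The slide's point is that one enterprise principal has to be turned into whatever credential each provider expects, and that the "proprietary hashing" schemes have to be generated and checked centrally. The following is an added example, not code from the Crosscheck Networks deck: a small token broker that maps one internal principal to two hypothetical provider token types, an HTTP Basic header and an HMAC-SHA256 request signature laid out like the Amazon EC2 Query API "Signature Version 2" string-to-sign. The principal, keys and host names are constructed for the example.

```python
"""Token broker: one internal principal, several provider-specific credential formats.

Added example, not code from the Crosscheck Networks deck. Two hypothetical provider
token types are modelled:
  * "basic": HTTP Basic Auth (RFC 7617 header).
  * "hmac":  an HMAC-SHA256 request signature laid out like the Amazon EC2 Query API
             "Signature Version 2" string-to-sign (verb, lowercased host, path, and a
             byte-sorted, RFC 3986-encoded query string), base64-encoded.
Keys, host names and the principal below are constructed for the example.
"""
import base64
import hashlib
import hmac
import urllib.parse

# Constructed identity store: in a real gateway this is backed by LDAP, not code.
PRINCIPALS = {
    "svc-orders": {
        "basic": {"user": "orders", "password": "basic-pw-example"},
        "hmac": {"access_key": "AKIAEXAMPLE", "secret_key": "constructed-secret-key-example"},
    }
}


def _rfc3986_encode(value: str) -> str:
    """Percent-encode everything except RFC 3986 unreserved characters (space is %20, not '+')."""
    return urllib.parse.quote(value, safe="-_.~")


def canonical_query(params: dict) -> str:
    """Byte-order sort by parameter name, then name=value pairs joined by '&'."""
    return "&".join(f"{_rfc3986_encode(k)}={_rfc3986_encode(str(params[k]))}" for k in sorted(params))


def string_to_sign(method: str, host: str, path: str, params: dict) -> str:
    return "\n".join([method.upper(), host.lower(), path, canonical_query(params)])


def hmac_sign(secret_key: str, method: str, host: str, path: str, params: dict) -> str:
    mac = hmac.new(secret_key.encode(), string_to_sign(method, host, path, params).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def basic_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def outbound_credentials(principal: str, provider: str, method: str = "GET", host: str = "",
                         path: str = "/", params: dict = None) -> dict:
    """What the gateway attaches to a request on behalf of `principal` for `provider`."""
    creds = PRINCIPALS[principal][provider]
    if provider == "basic":
        return {"headers": {"Authorization": basic_header(creds["user"], creds["password"])},
                "params": dict(params or {})}
    if provider == "hmac":
        signed = dict(params or {})
        signed.update({"AWSAccessKeyId": creds["access_key"],
                       "SignatureMethod": "HmacSHA256", "SignatureVersion": "2"})
        # The signature covers every other parameter, so tampering with any of them fails verification.
        signed["Signature"] = hmac_sign(creds["secret_key"], method, host, path, signed)
        return {"headers": {}, "params": signed}
    raise ValueError(f"unknown token type for provider: {provider}")


def verify_hmac(secret_key: str, method: str, host: str, path: str, params: dict) -> bool:
    """Provider-side check: recompute over everything except the Signature parameter."""
    unsigned = {k: v for k, v in params.items() if k != "Signature"}
    expected = hmac_sign(secret_key, method, host, path, unsigned)
    return hmac.compare_digest(expected, str(params.get("Signature", "")))
```

The secret never leaves the broker; services inside the enterprise ask for `outbound_credentials(...)` by principal name, which is what "centralize token management" buys you when the next provider turns up with yet another signing scheme. The constant-time compare in `verify_hmac` matters on the provider side, where a byte-by-byte string comparison would leak signature prefixes through timing.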
Prerequisite #2: Interoperability
• Driver
  – Varying message formats generated and consumed by a large variety of application types
  – Message formats are domain and application specific: they cannot be mandated and altered readily
• Interoperability Categories
  – Message
    – Structural: JSON vs. SOAP
    – Semantic: PONum vs. PurchaseOrderNumber
  – Protocol
    – Across SOA Domains: HTTP (AS/2)
    – Closer to Mainframes: JMS, MQSeries, FTP
• Enterprise Cloud Computing Implications
  – Cloud Management: varying APIs across providers
  – Protocol and Message transformation
  – Parsing XML and SOAP, extracting service information from WSDLs, HTTP header manipulation
  – Extensive testing infrastructure
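The two message-level categories above, structural (JSON vs. SOAP) and semantic (PONum vs. PurchaseOrderNumber), are what a gateway transformation has to bridge in both directions. The following is an added example, not code from the deck: a JSON purchase order mapped into a partner's SOAP 1.1 message and back, failing closed on any field the mapping does not know. The partner namespace, operation and element names, and the sample order are constructed for the example.

```python
"""Gateway transformation between an internal JSON purchase order and a partner's SOAP
message. Added example, not code from the deck. It covers both interoperability
categories on the slide:
  * structural: JSON body <-> SOAP 1.1 Envelope/Body
  * semantic:   PONum <-> PurchaseOrderNumber (field-name mapping)
The partner namespace, element names and sample order are constructed for the example;
values travel as strings because no schema is available here to restore types.
"""
import json
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
PARTNER_NS = "urn:example:partner:orders"          # assumption: partner schema namespace
OPERATION = "SubmitPurchaseOrder"                  # assumption: partner operation element

# Semantic mapping: internal field name -> partner element name.
FIELD_MAP = {"PONum": "PurchaseOrderNumber", "CustId": "CustomerId", "Total": "OrderTotal"}
REVERSE_MAP = {partner: internal for internal, partner in FIELD_MAP.items()}

ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("po", PARTNER_NS)

# Constructed sample message from the enterprise side.
SAMPLE_ORDER = '{"PONum": "PO-1001", "CustId": "C-42", "Total": "120.50"}'


def _q(ns: str, local: str) -> str:
    """Clark notation {namespace}local, which ElementTree uses for qualified names."""
    return f"{{{ns}}}{local}"


def json_to_soap(payload: str) -> str:
    order = json.loads(payload)
    unknown = set(order) - set(FIELD_MAP)
    if unknown:
        # Fail closed: an unmapped field means the producer's format drifted.
        raise ValueError(f"unmapped fields: {sorted(unknown)}")
    envelope = ET.Element(_q(SOAP_NS, "Envelope"))
    body = ET.SubElement(envelope, _q(SOAP_NS, "Body"))
    op = ET.SubElement(body, _q(PARTNER_NS, OPERATION))
    for internal, partner in FIELD_MAP.items():
        if internal in order:
            ET.SubElement(op, _q(PARTNER_NS, partner)).text = str(order[internal])
    return ET.tostring(envelope, encoding="unicode")


def soap_to_json(xml_text: str) -> str:
    root = ET.fromstring(xml_text)
    if root.tag != _q(SOAP_NS, "Envelope"):
        raise ValueError("not a SOAP 1.1 envelope")
    op = root.find(f"{_q(SOAP_NS, 'Body')}/{_q(PARTNER_NS, OPERATION)}")
    if op is None:
        raise ValueError(f"no {OPERATION} element in Body")
    order = {}
    for child in op:
        local = child.tag.split("}", 1)[1]
        if local not in REVERSE_MAP:
            # Same fail-closed rule inbound: unknown partner elements are not passed through.
            raise ValueError(f"unexpected element: {local}")
        order[REVERSE_MAP[local]] = child.text or ""
    return json.dumps(order, sort_keys=True)


if __name__ == "__main__":
    soap = json_to_soap(SAMPLE_ORDER)
    print(soap)
    print(soap_to_json(soap))
```

The fail-closed rule on unmapped fields is deliberate: silently dropping or passing through unknown elements is how an "unadvertised change to a service" turns into a data-loss incident instead of a clean rejection the testing infrastructure can catch.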
Prerequisite #3: Message Hygiene
• Driver
  – Large volumes of messages have to safely make it to their destination without any tampering
  – Cannot lose a single message in mission-critical environments
• Checking for Message Hygiene
  – Message structure is within the bounds provided by the schema (XSD)
  – Attachments are clean (no malware has been added)
  – Run-time, centralized checking of message hygiene: quarantine, analyze, remediate
• Enterprise Cloud Computing Implications
  – Unadvertised changes to services can cause outages
  – Management and Transaction type messages require inspection
  – Good Cloud Citizens check their messages before invoking management APIs
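What a run-time hygiene check looks like in code, as an added example that is not from the deck: the standard library has no XSD validator, so "within the bounds of the schema" is approximated here by structural bounds (payload size, element depth, element count) plus an outright ban on DOCTYPE declarations, which is where entity-expansion and external-entity payloads live; attachments are screened against a constructed deny-list of executable file signatures and a size limit, standing in for the AV engine a production gateway would call. Every violation leads to quarantine with the reasons recorded for analysis. The sample messages are constructed.

```python
"""Run-time message hygiene check for a gateway sitting between the enterprise and
cloud/management endpoints. Added example, not code from the deck.

Assumptions: the standard library has no XSD validator, so "within the bounds of the
schema" is approximated by structural bounds (payload size, element depth, element
count) plus an outright ban on DOCTYPE declarations. The attachment deny-list of file
signatures is constructed; a production gateway would hand attachments to an AV engine.
"""
from dataclasses import dataclass, field
from xml.parsers import expat


@dataclass
class HygienePolicy:
    max_bytes: int = 64 * 1024
    max_depth: int = 16
    max_elements: int = 2000
    max_attachment_bytes: int = 1024 * 1024
    banned_magic: tuple = (b"MZ", b"\x7fELF")   # constructed deny-list: PE and ELF executables


@dataclass
class Verdict:
    action: str                      # "deliver" or "quarantine"
    reasons: list = field(default_factory=list)


def check_xml_structure(data: bytes, policy: HygienePolicy) -> list:
    """Return the list of violations (empty means the structure is within bounds)."""
    if len(data) > policy.max_bytes:
        return [f"payload of {len(data)} bytes exceeds {policy.max_bytes}"]
    depth = elements = 0
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Raising here stops the parse before any entity can be expanded or fetched.
        raise ValueError("DOCTYPE declaration not allowed")

    def on_start(name, attrs):
        nonlocal depth, elements
        depth += 1
        elements += 1
        if depth > policy.max_depth:
            raise ValueError(f"element depth exceeds {policy.max_depth}")
        if elements > policy.max_elements:
            raise ValueError(f"element count exceeds {policy.max_elements}")

    def on_end(name):
        nonlocal depth
        depth -= 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(data, True)
    except (expat.ExpatError, ValueError) as exc:
        return [f"structure: {exc}"]
    return []


def check_attachment(name: str, content: bytes, policy: HygienePolicy) -> list:
    reasons = []
    if len(content) > policy.max_attachment_bytes:
        reasons.append(f"attachment {name!r} exceeds {policy.max_attachment_bytes} bytes")
    for magic in policy.banned_magic:
        if content.startswith(magic):
            reasons.append(f"attachment {name!r} matches banned signature {magic!r}")
    return reasons


def inspect_message(xml_payload: bytes, attachments: dict, policy: HygienePolicy = None) -> Verdict:
    """Quarantine on any violation; the recorded reasons are what the analyst works from."""
    policy = policy or HygienePolicy()
    reasons = check_xml_structure(xml_payload, policy)
    for name, content in attachments.items():
        reasons += check_attachment(name, content, policy)
    return Verdict("quarantine" if reasons else "deliver", reasons)


# Constructed sample messages.
CLEAN = b'<?xml version="1.0"?><Envelope><Body><Order><PONum>PO-1001</PONum></Order></Body></Envelope>'
ENTITY_BOMB = b'<!DOCTYPE x [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]><x>&b;</x>'
TOO_DEEP = b"<a>" * 20 + b"</a>" * 20

if __name__ == "__main__":
    for label, msg in [("clean", CLEAN), ("entity bomb", ENTITY_BOMB), ("too deep", TOO_DEEP)]:
        print(label, inspect_message(msg, {}))
    print("exe attachment", inspect_message(CLEAN, {"update.bin": b"MZ\x90\x00" + b"\x00" * 60}))
```

Running the bounds check on management-API calls as well as transaction messages is the "good cloud citizen" point on the slide: a malformed or oversized call to a provider's management endpoint is rejected (and logged) at the gateway rather than discovered as a provider-side error or an unexpected bill.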
Prerequisite #4: Security and Reliability
• Drivers
  – Messages should not be compromised, and they should make it to their final destination
  – SLAs and Regulations
• Security
  – Protocol Level: SSL
  – Content Level: XML Security (Encryption and Signatures)
• Reliability
  – HTTP is inherently unreliable; JMS is not used for cross-Domain communication
  – Use re-tries; WS-RM is not available for IaaS
• Enterprise Cloud Computing Implications
  – Well-developed PKI Management
  – Established SSL communication infrastructure
  – Content-level security for communications and IaaS apps
  – Controlling image/instance movement
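"Use re-tries" is only half of the reliability story: a retry after a lost response re-delivers a message the service may already have processed, so the receiver needs a way to recognise the duplicate. The following is an added example, not code from the deck, pairing a client-side retry policy (exponential backoff, retry on timeouts only, never on a rejection) with a receiver-side idempotency cache keyed on a message ID that is fixed once per logical message and reused on every attempt. The receiver is a constructed in-memory stand-in for an HTTPS endpoint; its failure schedule is made up.

```python
"""Retry with backoff on the client, duplicate detection on the receiver.
Added example, not code from the deck. HTTP gives no delivery guarantee and WS-RM is
not offered by IaaS endpoints, so the client retries; the retry is only safe because
the receiver keeps an idempotency cache keyed on a message ID that is fixed once per
logical message and reused on every attempt. The receiver here is a constructed
in-memory stand-in for an HTTPS endpoint; its failure schedule is made up.
"""
import time
import uuid


class TransientError(Exception):
    """Timeout or 5xx: the request may or may not have been processed."""


class PermanentError(Exception):
    """4xx or a content rejection: retrying the same message cannot succeed."""


class ReceiverSimulator:
    def __init__(self, schedule):
        self.schedule = list(schedule)   # outcome per attempt: ok | timeout_before | ack_lost | reject
        self.seen = {}                   # message_id -> response (idempotency cache)
        self.processed = 0               # how many times business logic actually ran

    def receive(self, message_id: str, body: bytes) -> dict:
        if message_id in self.seen:
            return self.seen[message_id]   # duplicate delivery: replay the answer, do not reprocess
        outcome = self.schedule.pop(0) if self.schedule else "ok"
        if outcome == "timeout_before":
            raise TransientError("connect timeout: request never reached the service")
        if outcome == "reject":
            raise PermanentError("400 bad request")
        self.processed += 1
        response = {"status": 200, "id": message_id}
        self.seen[message_id] = response
        if outcome == "ack_lost":
            # Processed, but the response was lost on the cloud hop: the client will retry.
            raise TransientError("read timeout: response lost after processing")
        return response


def new_message_id() -> str:
    # One ID per logical message, generated before the first attempt and reused on retries.
    return str(uuid.uuid4())


def send_with_retry(receiver, message_id: str, body: bytes, max_attempts: int = 5,
                    base_delay: float = 0.5, sleep=time.sleep):
    """Exponential backoff on transient errors only; returns (response, attempts)."""
    attempt = 0
    while True:
        attempt += 1
        try:
            return receiver.receive(message_id, body), attempt
        except TransientError:
            if attempt >= max_attempts:
                raise
            sleep(base_delay * (2 ** (attempt - 1)))
        # PermanentError is deliberately not caught: retrying a rejected message wastes the budget.


if __name__ == "__main__":
    receiver = ReceiverSimulator(["timeout_before", "ack_lost"])
    response, attempts = send_with_retry(receiver, new_message_id(), b"<Order/>", base_delay=0.01)
    print(response, "after", attempts, "attempts; business logic ran", receiver.processed, "time(s)")
```

The `ack_lost` case is the one that matters: without the `seen` cache the third attempt would process the order a second time, which is exactly the "message delivery error" the earlier risk slide warns about. In a real deployment the cache is persistent and the message ID is stored with the business record; an in-memory dictionary is the example's simplification. Add jitter to the backoff if many clients share one cloud endpoint, so that retries do not synchronize.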
Tools, Techniques and Best Practices for Migration
• Planning: Think Global, Act Local
• Business Drivers/Owners
  – Business Service Owner
  – Technology Owner
• Requirements
  – Establishing Trust: Federated Identity Management
  – Interoperability: Varying Message Types
  – Flexibility: Virtualization & Leveraging Legacy Systems
  – Message Hygiene: Check/Validate In-bound and Out-bound Messages
  – Governance: Enforce, Measure and Audit SOA policies
• Lessons
  – Federated SOA is NOT a product or technology; it is an architecture and philosophy
  – Architecture: you may not get everything right on the 1st implementation, but be sure to get the architecture right
  – Federated SOA is hard, but with the right approach it can unlock tremendous value
Mission Critical Deployments
• Synovus Financial is a $33B financial institution that provides retail and commercial banking throughout the South East U.S.
• Deployed a Federated SOA strategy for call centers, branch platforms, deposit platforms, loan platforms, Internet and Mobile Banking
• Cut $1M/year in 3rd-party processing in just the first year
• Unified customer activity view
• Integrated systems and portals with over 35 trading partners
• Over 2 billion transactions per year; 150,000 concurrent users
• 20 appliances across 2 data centers
• Winner of Grand Prize – CIO Magazine
"It's hard as a customer service rep to look credible in front of the client when you don't have the transaction related facts easily at your disposal." – John Woolbright, CTO
Deployment Scenario – Synovus Financial
Extending Federated SOA to Cloud Computing: Simulate and Model Migration
SERVICE SIMULATION
• Point and click WSDL and XML Simulation
• Simple and Complex business logic simulation
• Verify Client Functional Adherence
• Allows Parallel Client and Service Development
• Improve interoperability
• Provide consistency across organizational lifecycle
CLOUD MIGRATION
• Enterprise-to-Cloud Interaction
• Model Services, ESBs, Application Servers, Databases
• Cloud Instance Performance, Latency and "Spin-up" Time
• Cloud Failures, Outages and Application Error State
• Security, Capacity, Interoperability
• Centralized Policy Control
Platform components: Identity Token Generator, WS-Security, Native PKI, Runtime State Machine; Point-and-Click Test Generator, Custom WSDL Parser, Custom SOAP Generator, Governance Scanning Engine
Cloud Adapters: Amazon EC2, GoGrid, OpSource
Extending Federated SOA to Cloud Computing: Secure and Reliable Enterprise-to-Cloud Communication
Questions/Comments?
Mamoon Yunus: [email protected]
Visit us @ Booth #13 (iPad)