
© 2004-2010 Crosscheck Networks

Requirements for Extending Enterprise SOA to Public Clouds

Proprietary and Confidential 1

Agenda

• Understanding Clouds

• Migration Risks and Costs

• Federated SOA: A Pre-requisite for Migration

• Best Practices: Extending Federated SOA to Cloud Computing

• Questions/Comments


Understanding Cloud Computing
• My Favorite Definition:
– "..the market seems to have come to the conclusion that cloud computing has a lot in
common with obscenity-- you may not be able to define it, but you'll know it when
you see it." James Urquhart

• Definition (NIST):
– On demand Self Service
– Resource Pooling
– Rapid Elasticity
– Measured Service
– Broad Network Access


Understanding Cloud Computing
• Software as a Service (SaaS)
– Provides a fully functional application and potentially an API
– Salesforce.com, Netsuite, Gmail, etc.

• Platform as a Service (PaaS)
– runtime environment for the application and an integrated application stack
– MS Azure, Google App Engine

• Infrastructure as a Service (IaaS)
– set of virtualized components that can be used to construct and run an application
– Amazon EC2, Rackspace, GoGrid


Cloud Vendors – IaaS
• IaaS Vendors with APIs
1. Amazon EC2
2. GoGrid
3. OpSource
4. Rackspace
5. Flexiscale


Core Migration Questions
• What applications, or which of their components, should be migrated to the cloud?

• What should be the order/priority of migration?

• Which IaaS cloud provider should be selected based on application performance
and reliability requirements?

• How do I mitigate enterprise-to-cloud migration risk?


Typical Enterprise-to-Cloud Migration Process
• Select Business Application, Services or Components
– Re-use
– High scaling demands – current scaling model not sustainable
– Quick spin-up times

• Select IaaS provider
– Register
– Get Identity Key
– Select Server Class

• Install/Activate Components
– Build full reference system with test data in the cloud
– Database, ESB, Application Server, CMS, Identity store

• Test Enterprise-to-Cloud Interaction to evaluate:
– Security, Reliability
– Communication Protocols: Transactions + Management
– Class of Servers provided by IaaS vendor
– Memory, CPU, Storage characteristics in a multi-tenant environment
– Performance characteristics of Cloud infrastructure at various times


Enterprise-to-Cloud Migration Risks and Costs
• Risks
– Security and Reliability
– Added latency of Enterprise-to-Cloud Network hops
– Timeouts, message delivery errors
– Performance variability of multi-tenant environments

• Costs
– IaaS provider costs are minimal but vary: $0.08/hr to $2.40/hr
– Installation/bundling/imaging costs
– Establishing Enterprise-to-Cloud communication (Cloud Gateway, ESB,
Application Server, Load balancer, Firewall)
– Hand coding “what-if” scenarios for:
  – Timeouts
  – Message delivery errors
  – Security profiles
– Evaluate Multiple IaaS providers
  – Different Token Types
  – Different Management APIs
  – Different Server Classes and cost structures


Alternative Migration Strategy: Cloud Simulation
• Cloud Simulation and Migration Modeling
– Instead of building a fully-functional reference architecture across multiple cloud
providers
– Simulate prior to implementation – reduce risk, don’t touch production code

• Expenses that can be eliminated/reduced through simulation and modeling
– A full-scale, redundant architecture that involves hardware acquisition and
software licensing costs
– Hiring dedicated development teams to perform testing and benchmarking
– Custom hand-coding “what if” scenarios to determine error conditions related to
latency, performance, scalability and security

• Quantifiable information necessary for understanding Enterprise-to-IaaS
– Performance metrics
– Geographic latency and service initiation/“spin-up” times
– Failures, outages and application error states
– Security, capacity and interoperability


Cost-Risk Trade-offs
• Enterprise-to-Cloud migration simulation may reveal key trade-offs between
cost and risk factors

• Costs
– Server Class:
– The server class required within a cloud provider to hold the required
application performance thresholds may be cost-prohibitive.
– Top-end : entry-level cost ratio = 30:1

– Multiple Cloud Providers (redundancy and failover):
– Varying cost structures across providers

– Other cost factors
– Costs of securing, managing and monitoring enterprise-to-cloud interaction
– The actual cost of migration


Cost-Risk Trade-offs: Sample IaaS provider costs


Cost-Risk Trade-offs
• Risks
– Change in Topology by adding “Cloud Node.”

– Performance variability, especially significant in shared, multi-tenant environment

– Cloud Reliability – Outages require redundancy across providers

– Security – New processes have to be instituted:
– Secure Enterprise-to-Cloud communication
– Data must be encrypted in a shared (multi-tenant) environment
– Clean-up of residual data once instances are terminated

• Possible Trade-off Results
– Application suited for a private cloud with only capacity off-loaded to cloud
temporarily.

– Latency added by the Cloud node may be unacceptable for synchronous calls. Better
candidates are asynchronous or batch-type applications


Federated SOA: A Pre-requisite for Enterprise-to-
Cloud Migration
• Federated SOA
– Successful enterprise SOA implementations build on a set of localized, project-
level efforts with services that have clearly identified and accountable business
and technology owners.

Post-2008 Trend towards core business focus → Federation


Prerequisite #1: Federated Identity
• Driver
– All interactions across SOA Domains require identity tokens
– Two Dimensional: Transaction and Management identities need to be addressed

• Many Token Types
– Protocol: HTTP Basic Auth, SSL Mutual Auth, Cookies
– Content (WS-Security token profiles): UsernameToken, X.509, SAML, Kerberos; plain SAML assertions

• Enterprise Cloud Computing Implications
– Enterprises have to consume and generate different token types
– Token types across IaaS providers are non-standard (each provider has its own proprietary request-signing/hashing scheme)
– Centralize Token Management across multiple cloud vendors

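The two token types this slide contrasts, produced by one broker from a single enterprise principal, as an added example (not Crosscheck Networks code). It assumes an in-memory credential store keyed by (principal, provider), the Amazon EC2 Query API "Signature Version 2" scheme (HMAC-SHA256 over a canonical string) as the proprietary IaaS management-API signature, and the WS-Security UsernameToken PasswordDigest (Base64(SHA-1(nonce + created + password))) for a SOAP trading partner; the principal, key values and partner names are constructed placeholders.

```python
"""Token broker: one enterprise principal mapped onto two provider-specific token types.

Added example, not Crosscheck Networks code. Credential values are constructed placeholders.
"""
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timezone
from urllib.parse import quote

# Constructed sample credential store: (principal, provider) -> provider-specific secret.
CREDENTIALS = {
    ("svc-orders@corp.example", "ec2"): {
        "access_key": "AKIAIOSFODNN7EXAMPLE",
        "secret": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    },
    ("svc-orders@corp.example", "soap-partner"): {"username": "orders", "password": "s3cret"},
}


def _utc_stamp(now=None):
    return (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")


def ec2_string_to_sign(method, host, path, params):
    """SigV2 canonical form: method, lowercased host, path, then the query parameters
    sorted by name and RFC 3986-encoded (only '-', '_', '.', '~' left unescaped)."""
    canonical = "&".join(
        f"{quote(k, safe='-_.~')}={quote(str(v), safe='-_.~')}"
        for k, v in sorted(params.items())
    )
    return "\n".join([method, host.lower(), path, canonical])


def sign_ec2_query(principal, host, path, params, now=None):
    """Broker side: attach the provider's access key, timestamp and HMAC-SHA256 signature."""
    cred = CREDENTIALS[(principal, "ec2")]
    signed = dict(params)
    signed.update({
        "AWSAccessKeyId": cred["access_key"],
        "SignatureMethod": "HmacSHA256",
        "SignatureVersion": "2",
        "Timestamp": _utc_stamp(now),
    })
    to_sign = ec2_string_to_sign("GET", host, path, signed).encode()
    mac = hmac.new(cred["secret"].encode(), to_sign, hashlib.sha256).digest()
    signed["Signature"] = base64.b64encode(mac).decode()
    return signed


def verify_ec2_query(secret, host, path, signed):
    """Provider side: recompute the MAC over every parameter except Signature itself."""
    params = {k: v for k, v in signed.items() if k != "Signature"}
    to_sign = ec2_string_to_sign("GET", host, path, params).encode()
    expected = base64.b64encode(hmac.new(secret.encode(), to_sign, hashlib.sha256).digest()).decode()
    return hmac.compare_digest(expected, signed.get("Signature", ""))


def wsse_username_token(principal, nonce=None, created=None):
    """Broker side: WS-Security UsernameToken (PasswordDigest variant) for the SOAP partner."""
    cred = CREDENTIALS[(principal, "soap-partner")]
    nonce = nonce or secrets.token_bytes(16)
    created = created or _utc_stamp()
    digest = hashlib.sha1(nonce + created.encode() + cred["password"].encode()).digest()
    return {
        "Username": cred["username"],
        "Nonce": base64.b64encode(nonce).decode(),
        "Created": created,
        "PasswordDigest": base64.b64encode(digest).decode(),
    }


def verify_wsse_username_token(password, token, seen_nonces):
    """Partner side: recompute the digest and reject any nonce already seen (replay)."""
    nonce = base64.b64decode(token["Nonce"])
    if nonce in seen_nonces:
        return False
    digest = hashlib.sha1(nonce + token["Created"].encode() + password.encode()).digest()
    ok = hmac.compare_digest(base64.b64encode(digest).decode(), token["PasswordDigest"])
    if ok:
        seen_nonces.add(nonce)
    return ok
```

The broker never hands the provider secret to the calling service; it only emits the signed request or the token. A production verifier would also bound `Created` to a short freshness window so the nonce cache stays finite, and the EC2 side would reject stale `Timestamp` values for the same reason.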


Prerequisite #2: Interoperability
• Driver
– Varying message formats generated and consumed by a large
variety of application types
– Message formats are domain- and application-specific – they cannot be
mandated or altered readily

• Interoperability Categories
– Message
– Structural: JSON → SOAP
– Semantic: PONum → PurchaseOrderNumber
– Protocol
– Across SOA Domains: HTTP (AS/2)
– Closer to Mainframes: JMS, MQSeries, FTP

• Enterprise Cloud Computing Implications
– Cloud Management: Varying APIs across providers
– Protocol and Message transformation
– Parsing XML and SOAP, extracting service information from
WSDLs, HTTP Header manipulation
– Extensive Testing infrastructure
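The structural (JSON → SOAP) and semantic (PONum → PurchaseOrderNumber) transformation a gateway performs at the SOA domain boundary, including the HTTP header manipulation a SOAP 1.1 endpoint expects, as an added example (not Crosscheck Networks code). The partner namespace `urn:example:orders`, the operation name and the field mapping `SEMANTIC_MAP` are constructed for illustration.

```python
"""JSON <-> SOAP gateway transform with a semantic field map.

Added example, not Crosscheck Networks code. Namespace and mapping are constructed.
"""
import json
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
APP_NS = "urn:example:orders"  # assumed partner namespace
SEMANTIC_MAP = {"PONum": "PurchaseOrderNumber", "cust": "CustomerId", "qty": "Quantity"}
_REVERSE_MAP = {v: k for k, v in SEMANTIC_MAP.items()}


def _local(tag):
    return tag.rsplit("}", 1)[-1]


def json_to_soap(json_text, operation):
    """Enterprise JSON -> SOAP 1.1 request. Returns (HTTP headers, body bytes).
    Unknown fields fail closed instead of being passed through to the partner."""
    ET.register_namespace("soapenv", SOAP_NS)
    ET.register_namespace("ord", APP_NS)
    envelope = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(envelope, f"{{{SOAP_NS}}}Header")
    body = ET.SubElement(envelope, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{APP_NS}}}{operation}")
    for field, value in json.loads(json_text).items():
        canonical = SEMANTIC_MAP.get(field)
        if canonical is None:
            raise ValueError(f"unmapped field {field!r}")
        ET.SubElement(op, f"{{{APP_NS}}}{canonical}").text = str(value)
    headers = {
        "Content-Type": "text/xml; charset=utf-8",
        "SOAPAction": f'"{APP_NS}#{operation}"',  # SOAP 1.1 wants the quoted action URI
    }
    return headers, ET.tostring(envelope, encoding="utf-8", xml_declaration=True)


def soap_to_json(xml_bytes):
    """Partner SOAP -> enterprise JSON. Returns (operation name, JSON text)."""
    root = ET.fromstring(xml_bytes)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) != 1:
        raise ValueError("expected exactly one operation element in soapenv:Body")
    op = body[0]
    fields = {}
    for child in op:
        name = _local(child.tag)
        if name not in _REVERSE_MAP:
            raise ValueError(f"unmapped element {name!r}")
        fields[_REVERSE_MAP[name]] = child.text
    return _local(op.tag), json.dumps(fields, sort_keys=True)
```

Both directions use the same allow-list map, so a field the partner never agreed on is rejected at the boundary rather than silently forwarded. Note that the round trip is lossy on types (the numeric `qty` comes back as a string); a real gateway would carry the XSD type into the semantic map.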


Prerequisite #3: Message Hygiene
• Driver
– Large volumes of messages have to safely make it to their destination
without any tampering.
– Cannot lose a single message in mission-critical environments

• Checking for Message Hygiene
– Message structure is within the bounds defined by the schema (XSD).
– Attachments are clean (no malware has been added).
– Run-time, centralized checking of message hygiene → quarantine, analyze,
remediate

• Enterprise Cloud Computing Implications
– Unadvertised changes to services can cause outages
– Management and Transaction type messages require inspection
– Good Cloud Citizens check their messages before invoking management
APIs
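A run-time hygiene check of the kind a gateway applies before a message crosses into or out of the cloud node, as an added example (not Crosscheck Networks code). It assumes a small allowed-element table `SCHEMA` standing in for a real XSD, illustrative size and nesting limits, and attachment screening by file-type magic bytes only (a deployment would hand attachments to a malware scanner); the sample messages at the end are constructed. Beyond what the slide lists, it also rejects DTD and entity declarations up front, since entity expansion and external entities are never legitimate in a business message.

```python
"""Gateway message-hygiene check: structure, size, nesting, attachments.

Added example, not Crosscheck Networks code. SCHEMA, limits and samples are constructed.
"""
import base64
import xml.etree.ElementTree as ET

MAX_BYTES = 256 * 1024
MAX_DEPTH = 32
SCHEMA = {  # root element -> required and optional children (stand-in for the XSD)
    "PurchaseOrder": {"required": {"PurchaseOrderNumber", "CustomerId"}, "optional": {"Attachment"}},
}
ALLOWED_MAGIC = {b"%PDF-": "pdf", b"\x89PNG": "png"}
BLOCKED_MAGIC = {b"MZ": "pe-executable", b"PK\x03\x04": "zip-container"}


def _local(tag):
    return tag.rsplit("}", 1)[-1]


def _depth(root):
    deepest, stack = 0, [(root, 1)]
    while stack:  # iterative, so a deeply nested message cannot blow the Python stack
        node, d = stack.pop()
        deepest = max(deepest, d)
        stack.extend((child, d + 1) for child in node)
    return deepest


def _screen_attachment(text):
    try:
        data = base64.b64decode(text or "", validate=True)
    except ValueError:
        return "attachment:not-base64"
    for magic, kind in BLOCKED_MAGIC.items():
        if data.startswith(magic):
            return f"attachment:blocked-{kind}"
    if not any(data.startswith(m) for m in ALLOWED_MAGIC):
        return "attachment:unknown-type"
    return None


def check_message(raw: bytes) -> dict:
    """Return {'verdict': 'pass' | 'quarantine', 'findings': [...]}; never raises."""
    findings = []
    if len(raw) > MAX_BYTES:
        findings.append("oversize")
    # DTDs are refused before parsing: entity expansion (billion laughs) and external
    # entities (XXE) have no place in a business message.
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        return {"verdict": "quarantine", "findings": findings + ["dtd-or-entity-declaration"]}
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return {"verdict": "quarantine", "findings": findings + [f"malformed:{exc}"]}
    if _depth(root) > MAX_DEPTH:
        findings.append("nesting-too-deep")
    rule = SCHEMA.get(_local(root.tag))
    if rule is None:
        findings.append(f"unknown-root:{_local(root.tag)}")
    else:
        present = {_local(c.tag) for c in root}
        findings += [f"missing-element:{m}" for m in sorted(rule["required"] - present)]
        findings += [f"unexpected-element:{x}" for x in sorted(present - rule["required"] - rule["optional"])]
        for child in root:
            if _local(child.tag) == "Attachment":
                finding = _screen_attachment(child.text)
                if finding:
                    findings.append(finding)
    return {"verdict": "quarantine" if findings else "pass", "findings": findings}


# Constructed sample messages.
_PDF = base64.b64encode(b"%PDF-1.4 constructed sample").decode()
_EXE = base64.b64encode(b"MZ\x90\x00constructed fake PE header").decode()
SAMPLE_CLEAN = (b"<PurchaseOrder><PurchaseOrderNumber>PO-1001</PurchaseOrderNumber>"
                b"<CustomerId>C42</CustomerId><Attachment>" + _PDF.encode() + b"</Attachment></PurchaseOrder>")
SAMPLE_XXE = (b'<!DOCTYPE x [<!ENTITY f SYSTEM "file:///etc/passwd">]>'
              b"<PurchaseOrder><PurchaseOrderNumber>&f;</PurchaseOrderNumber><CustomerId>C42</CustomerId></PurchaseOrder>")
SAMPLE_EXE = (b"<PurchaseOrder><PurchaseOrderNumber>PO-1002</PurchaseOrderNumber>"
              b"<CustomerId>C42</CustomerId><Attachment>" + _EXE.encode() + b"</Attachment></PurchaseOrder>")
SAMPLE_DRIFT = b"<PurchaseOrder><PurchaseOrderNumber>PO-1003</PurchaseOrderNumber><ShipTo>X</ShipTo></PurchaseOrder>"
```

`SAMPLE_DRIFT` is the "unadvertised change to a service" case from the slide: a consumer that starts sending `ShipTo` and drops `CustomerId` is quarantined with both findings named, which is what an operator needs to trace the outage back to the changed service rather than to the cloud hop.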


Prerequisite #4: Security and Reliability
• Drivers
– Messages should not be compromised – and they should make it to their final
destination
– SLAs and Regulations

• Security
– Protocol Level: SSL/TLS
– Content Level: XML Security → XML Encryption and XML Signature

• Reliability
– HTTP is inherently unreliable; JMS is not used for cross-domain communication
– Use retries; WS-ReliableMessaging (WS-RM) is not available from IaaS providers

• Enterprise Cloud Computing Implications
– Well developed PKI Management
– Established SSL communication infrastructure
– Content-level security for communications and IaaS apps
– Controlling image/instance movement
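Retries over plain HTTP made safe with an enterprise-assigned message ID, since WS-RM is not available from the IaaS side, as an added example (not Crosscheck Networks code). The cloud side is a constructed simulator scripted with per-call outcomes, in the spirit of the deck's simulate-before-migrating approach, so the "what-if" cases for timeouts and lost responses can be exercised offline; the backoff schedule, the outcome names and the message-ID scheme are illustrative assumptions.

```python
"""Retries with a stable message ID against a simulated, unreliable cloud node.

Added example, not Crosscheck Networks code. The simulator and its outcome scripts
are constructed for illustration.
"""
import random
import time
import uuid


class CloudTimeout(Exception):
    """Timeout or lost response on the enterprise-to-cloud hop."""


class SimulatedCloudService:
    """Stand-in for a service running on an IaaS instance.

    `script` lists the outcome of successive calls: "ok", "timeout" (request never
    processed) or "timeout-after-commit" (processed, but the response was lost).
    With dedup=True the receiver keeps results keyed by message ID, so a retried
    request is answered from that store instead of being processed twice.
    """

    def __init__(self, script, dedup=True):
        self.script = list(script)
        self.dedup = dedup
        self.results = {}   # message_id -> result
        self.commits = 0    # how many times the business effect actually happened
        self.calls = 0

    def handle(self, message_id, payload):
        self.calls += 1
        if self.dedup and message_id in self.results:
            return self.results[message_id]          # safe replay
        outcome = self.script.pop(0) if self.script else "ok"
        if outcome == "timeout":
            raise CloudTimeout("no response within timeout")
        self.commits += 1
        self.results[message_id] = f"ACK:{payload}"
        if outcome == "timeout-after-commit":
            raise CloudTimeout("response lost after commit")
        return self.results[message_id]


def invoke_with_retries(service, payload, max_attempts=5, base_delay=0.05,
                        rng=random.random, sleep=time.sleep):
    """Send `payload` with exponential backoff and jitter. The message ID is chosen
    once and reused on every attempt so the receiver can recognise a replay."""
    message_id = str(uuid.uuid4())
    for attempt in range(1, max_attempts + 1):
        try:
            result = service.handle(message_id, payload)
            return {"result": result, "attempts": attempt, "message_id": message_id}
        except CloudTimeout:
            if attempt == max_attempts:
                raise
            sleep(base_delay * (2 ** (attempt - 1)) * (0.5 + rng()))


def demo(dedup):
    """Scenario: one plain timeout, then a timeout after the cloud side committed."""
    svc = SimulatedCloudService(["timeout", "timeout-after-commit"], dedup=dedup)
    outcome = invoke_with_retries(svc, "PO-1001", sleep=lambda _: None)
    return {"attempts": outcome["attempts"], "commits": svc.commits, "result": outcome["result"]}
```

The point of `demo(False)` versus `demo(True)` is that retries alone are not a substitute for WS-RM: without receiver-side de-duplication a lost response turns into a duplicated purchase order, and the caller cannot tell the two timeouts apart. The message ID is what makes the retry idempotent; it belongs in a header the gateway sets, not in the business payload.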


Tools, Techniques and Best Practices for Migration
• Planning:
– Think Global, Act Local

• Business Drivers/Owners
– Business Service Owner
– Technology Owner

• Requirements:
– Establishing Trust: Federated Identity Management
– Interoperability: Varying Message Types
– Flexibility: Virtualization & Leveraging Legacy Systems
– Message Hygiene: Check/Validate In-bound and Out-bound Messages
– Governance: Enforce, Measure and Audit SOA policies

• Lessons
– Federated SOA is NOT a product or technology, it is an architecture and philosophy
– Architecture: You may not get everything right on the 1st implementation, but be sure to get
the architecture right.
– Federated SOA is hard, but with the right approach, it can unlock tremendous value


Mission Critical Deployments
• Synovus Financial is a $33B financial institution that provides retail and commercial banking throughout
the Southeast U.S.

• Deployed a Federated SOA strategy for call centers, branch platforms, deposit platforms, loan platforms,
Internet and Mobile Banking

• Cut $1M/year in 3rd Party processing in just the first year.

• Unified Customer activity view

• Integrated Systems and Portals with over 35 trading partners

• Over 2 Billion Transactions Per Year; 150,000 Concurrent Users

• 20 Appliances across 2 Data Centers

• Winner of Grand Prize – CIO Magazine

“It's hard as a customer service rep to look credible in front of the client when you don't have the
transaction related facts easily at your disposal.” – John Woolbright, CTO


Deployment Scenario – Synovus Financial


Extending Federated SOA to Cloud Computing
Simulate and Model Migration


Service Simulation
• Point and click WSDL and XML Simulation
• Simple and Complex business logic simulation
• Verify Client Functional Adherence
• Allows Parallel Client and Service Development
• Improve interoperability
• Provide consistency across organizational lifecycle

Cloud Migration
• Enterprise-to-Cloud Interaction
• Model Services, ESBs, Application Servers, Databases
• Cloud Instance Performance, Latency and “Spin-up” Time
• Cloud Failures, Outages and Application Error State
• Security, Capacity, Interoperability
• Centralized Policy Control

Identity Token Generator, WS-Security, Native PKI, Runtime State Machine

Point-and-Click Test Generator, Custom WSDL Parser, Custom SOAP Generator, Governance Scanning Engine

Cloud Adapters: Amazon EC2, GoGrid, OpSource


Extending Federated SOA to Cloud Computing
Secure and Reliable Enterprise-to-Cloud Communication


Questions/Comments?
Mamoon Yunus: myunus@crosschecknet.com

Visit us @ Booth #13
(iPad)
