© 2004-2010 Crosscheck Networks

"Requirements for Extending Enterprise SOA to Public Clouds

Proprietary and Confidential


Agenda
• Understanding Clouds
• Migration Risks and Costs
• Federated SOA: A Pre-requisite for Migration
• Best Practices: Extending Federated SOA to Cloud Computing
• Questions/Comments


Understanding Cloud Computing
• My Favorite Definition:
– "..the market seems to have come to the conclusion that cloud computing has a lot in common with obscenity-- you may not be able to to define it, but you'll know it when you see it." James Urquhart

• Definition (NIST):
– On-demand Self Service
– Resource Pooling
– Rapid Elasticity
– Measured Service
– Broad Network Access


Understanding Cloud Computing
• Software as a Service (SaaS)
– Provides a fully functional application and potentially an API
– Salesforce.com, Netsuite, Gmail, etc.

• Platform as a Service (PaaS)
– Runtime environment for the application and an integrated application stack
– MS Azure, Google App Engine

• Infrastructure as a Service (IaaS)
– Set of virtualized components that can be used to construct and run an application
– Amazon EC2, Rackspace, GoGrid


Cloud Vendors – IaaS
• IaaS Vendors with APIs
1. Amazon EC2
2. GoGrid
3. OpSource
4. Rackspace
5. Flexiscale


Core Migration Questions
• What applications, or which of their components, should be migrated to the cloud?
• What should be the order/priority of migration?
• Which IaaS cloud provider should be selected, based on application performance and reliability requirements?
• How do I mitigate enterprise-to-cloud migration risk?


Typical Enterprise-to-Cloud Migration Process
• Select Business Application, Services or Components
– Re-use
– High scaling demands: current scaling model not sustainable
– Quick spin-up times

• Select IaaS provider
– Register
– Get Identity Key (the provider's API credential)
– Select Server Class

• Install/Activate Components
– Build a full reference system with test data in the cloud
– Database, ESB, Application Server, CMS, Identity store

• Test Enterprise-to-Cloud Interaction to evaluate:
– Security, Reliability
– Communication Protocols: Transactions + Management
– Class of Servers provided by the IaaS vendor
– Memory, CPU, Storage characteristics in a multi-tenant environment
– Performance characteristics of Cloud infrastructure at various times of day

Enterprise-to-Cloud Migration Risks and Costs
• Risks
– Security and Reliability
– Added latency of Enterprise-to-Cloud network hops
– Timeouts, message delivery errors
– Performance variability of multi-tenant environments

• Costs
– IaaS provider costs are minimal but vary: $0.08/hr to $2.40/hr
– Installation/bundling/imaging costs
– Establishing Enterprise-to-Cloud communication (Cloud Gateway, ESB, Application Server, Load balancer, Firewall)
– Hand coding "what-if" scenarios for:
  – Timeouts
  – Message delivery errors
  – Security profiles
– Evaluating multiple IaaS providers:
  – Different token types
  – Different management APIs
  – Different server classes and cost structures


Alternative Migration Strategy: Cloud Simulation
• Cloud Simulation and Migration Modeling
– Instead of building a fully-functional reference architecture across multiple cloud providers, simulate prior to implementation: reduce risk, don't touch production code

• Expenses that can be eliminated/reduced through simulation and modeling
– A full-scale, redundant architecture that involves hardware acquisition and software licensing costs
– Hiring dedicated development teams to perform testing and benchmarking
– Custom hand-coding "what if" scenarios to determine error conditions related to latency, performance, scalability and security

• Quantifiable information necessary for understanding Enterprise-to-IaaS interaction
– Performance metrics
– Geographic latency and service initiation/"spin-up" times
– Failures, outages and application error states
– Security, capacity and interoperability


Cost-Risk Trade-offs
• Enterprise-to-Cloud migration simulation may reveal key trade-offs between cost and risk factors

• Costs
– Server Class: the server class required within a cloud provider to maintain the required application performance thresholds may be cost prohibitive (top-end : entry-level = 30:1)
– Multiple Cloud Providers: redundancy and failover
– Varying cost structures across providers
– Other cost factors: the costs of securing, managing and monitoring enterprise-to-cloud interaction, and the actual cost of migration


Cost-Risk Trade-offs: Sample IaaS provider costs


Cost-Risk Trade-offs
• Risks
– Change in topology by adding a "Cloud Node"
– Performance variability, especially significant in a shared, multi-tenant environment
– Cloud reliability: outages require redundancy across providers
– Security: new processes have to be instituted
  – Secure Enterprise-to-Cloud communication
  – Data is encrypted in the shared environment
  – Clean-up (of data, keys and images) once instances are terminated

• Possible Trade-off Results
– Application suited for a private cloud, with only capacity off-loaded to the public cloud temporarily
– Latency added by the Cloud node may be unacceptable; candidates may be asynchronous or batch-type applications


Federated SOA: A Pre-requisite for Enterprise-to-Cloud Migration
• Federated SOA
– Successful enterprise SOA implementations build on a set of localized, project-level efforts with services that have clearly identified and accountable business and technology owners.

• Post-2008 trend towards core business focus leads to Federation


Prerequisite #1: Federated Identity
• Driver
– All interactions across SOA domains require identity tokens
– Two dimensional: transaction and management identities both need to be addressed

• Many Token Types
– Protocol: HTTP Basic Auth, SSL Mutual Auth, Cookies
– Content: WS-Username, WS-X.509, WS-SAML, WS-Kerberos, SAML

• Enterprise Cloud Computing Implications
– Enterprises have to consume and generate different token types
– Token types across IaaS providers are non-standard (proprietary hashing: each provider's management API signs requests its own way)
– Centralize token management across multiple cloud vendors (diagram label: LDAP)
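An added illustration of the token-translation job this slide describes (example code, not Crosscheck Networks' product and not any provider's SDK): a gateway validates an inbound WS-Security UsernameToken against a central user store, then signs the outbound IaaS management call with that provider's keyed-hash scheme. The PasswordDigest formula follows the WSS UsernameToken Profile; the outbound signing mirrors the shape of AWS Signature Version 2 query signing (sorted canonical query, HMAC-SHA256, Base64). The user store, the provider name "cloud-a", the host ec2.example.test and all credentials are constructed for the example.

```python
"""Gateway token translation (added example): WS-Security UsernameToken in,
provider-style signed API request out. User store, provider "cloud-a", host and
all credentials are constructed; nothing here is vendor or provider code."""
import base64
import calendar
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, quote

# Central identity store (constructed): enterprise service accounts and the
# per-provider API credentials the gateway holds on their behalf.
ENTERPRISE_USERS = {"svc-orders": "correct horse battery staple"}
PROVIDER_KEYS = {"cloud-a": ("AKIAEXAMPLE", "secret-for-cloud-a")}

MAX_CLOCK_SKEW = 300      # seconds; tokens created outside this window are rejected
_seen_nonces = set()      # replay cache; production needs expiry tied to the skew window


def wss_created_to_epoch(created):
    """Parse the UsernameToken <wsu:Created> timestamp (UTC with 'Z' suffix)."""
    return calendar.timegm(time.strptime(created, "%Y-%m-%dT%H:%M:%SZ"))


def username_token_digest(nonce_b64, created, password):
    """WSS UsernameToken Profile: PasswordDigest = Base64(SHA-1(nonce + created + password)).
    SHA-1 is what the profile mandates; the digest only hides the password, so the
    token still travels over SSL."""
    nonce = base64.b64decode(nonce_b64)
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()


def verify_username_token(username, nonce_b64, created, digest, now=None):
    """Accept an inbound token only if the user exists, the timestamp is fresh,
    the nonce is unused and the digest matches (constant-time compare)."""
    now = time.time() if now is None else now
    password = ENTERPRISE_USERS.get(username)
    if password is None:
        return False
    try:
        created_ts = wss_created_to_epoch(created)
    except ValueError:
        return False
    if abs(now - created_ts) > MAX_CLOCK_SKEW or nonce_b64 in _seen_nonces:
        return False
    if not hmac.compare_digest(username_token_digest(nonce_b64, created, password), digest):
        return False
    _seen_nonces.add(nonce_b64)   # consume the nonce only once the token is proven genuine
    return True


def _sigv2(secret, method, host, path, params):
    """SigV2-shaped signing: sorted canonical query, HMAC-SHA256 over method/host/path/query."""
    canonical = "&".join(f"{quote(k, safe='-_.~')}={quote(str(v), safe='-_.~')}"
                         for k, v in sorted(params.items()))
    string_to_sign = f"{method}\n{host.lower()}\n{path}\n{canonical}"
    mac = hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha256).digest()
    return canonical, base64.b64encode(mac).decode()


def sign_provider_request(provider, method, host, path, params, now=None):
    """Return the signed query string for one provider's management API."""
    access_key, secret = PROVIDER_KEYS[provider]
    now = time.time() if now is None else now
    params = dict(params, AWSAccessKeyId=access_key, SignatureMethod="HmacSHA256",
                  SignatureVersion="2",
                  Timestamp=time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now)))
    canonical, sig = _sigv2(secret, method, host, path, params)
    return canonical + "&Signature=" + quote(sig, safe="-_.~")


def verify_provider_signature(provider, method, host, path, signed_query):
    """What the provider side does: strip Signature, recompute, compare in constant time."""
    _, secret = PROVIDER_KEYS[provider]
    params = dict(parse_qsl(signed_query, keep_blank_values=True))
    presented = params.pop("Signature", "")
    _, expected = _sigv2(secret, method, host, path, params)
    return hmac.compare_digest(expected, presented)


def gateway_forward(username, nonce_b64, created, digest, provider, method, host, path,
                    params, now=None):
    """Enterprise token in -> provider-signed request out, or None if the token is rejected."""
    if not verify_username_token(username, nonce_b64, created, digest, now):
        return None
    return sign_provider_request(provider, method, host, path, params, now)
```

The enterprise credential never leaves the gateway and the provider secret never reaches the application: each side sees only the token type it understands, which is the point of centralizing token management.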


Prerequisite #2: Interoperability
• Driver
– Varying message formats generated and consumed by a large variety of application types
– Message formats are domain and application specific: they cannot be mandated or altered readily

• Interoperability Categories
– Message
  – Structural: JSON → SOAP
  – Semantic: PONum → PurchaseOrderNumber
– Protocol
  – Across SOA domains: HTTP (AS/2)
  – Closer to mainframes: JMS, MQSeries, FTP

• Enterprise Cloud Computing Implications
– Cloud management: varying APIs across providers
– Protocol and message transformation: parsing XML and SOAP, extracting service information from WSDLs, HTTP header manipulation
– Extensive testing infrastructure


Prerequisite #3: Message Hygiene
• Driver
– Large volumes of messages have to make it safely to their destination without any tampering
– Cannot lose a single message in mission-critical environments

• Checking for Message Hygiene
– Message structure is within the bounds provided by the schema (XSD)
– Attachments are clean (no malware has been added)
– Run-time, centralized checking of message hygiene → quarantine, analyze, remediate

• Enterprise Cloud Computing Implications
– Unadvertised changes to services can cause outages
– Management and transaction type messages both require inspection
– Good cloud citizens check their messages before invoking management APIs
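An added example (not Crosscheck Networks' code) covering both Prerequisite #2 and Prerequisite #3: a gateway transforms an inbound JSON order into the canonical SOAP request (structural JSON → SOAP, semantic PONum → PurchaseOrderNumber) and runs hygiene checks before anything downstream parses it: size, DTD/entity rejection, depth and element-count limits, a contract check on the body, and an attachment scan. It uses the standard library only, so the allowed-element set stands in for real XSD validation and the magic-byte plus hash-denylist scan stands in for an anti-malware engine; the namespace urn:example:orders, the field map and the denylist entry are constructed.

```python
"""Gateway message hygiene and transformation (added example, not vendor code).
Standard library only: the allowed-element set stands in for XSD validation and the
magic-byte/hash scan stands in for an AV engine. Namespace, field map and denylist
entry are constructed for the example."""
import hashlib
import json
import xml.etree.ElementTree as ET
from io import BytesIO

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ORDER_NS = "urn:example:orders"            # constructed service namespace
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("ord", ORDER_NS)

MAX_BYTES, MAX_DEPTH, MAX_ELEMENTS = 64 * 1024, 32, 2000

# Semantic mapping (partner field -> canonical field) and the contract's allowed elements
FIELD_MAP = {"PONum": "PurchaseOrderNumber", "custId": "CustomerId", "amt": "Amount"}
ALLOWED_TAGS = {f"{{{ORDER_NS}}}{name}" for name in FIELD_MAP.values()}

EXEC_MAGIC = (b"MZ", b"\x7fELF", b"\xcf\xfa\xed\xfe")               # PE, ELF, Mach-O 64 LE
KNOWN_BAD_SHA256 = {hashlib.sha256(b"EICAR-STANDIN").hexdigest()}  # constructed denylist entry


def check_xml_hygiene(data):
    """Reject oversized, DTD-bearing, too-deep or too-wide XML before business code parses it."""
    if len(data) > MAX_BYTES:
        return False, "oversized"
    # Conservative byte check: no DTD means no external entities (XXE) and no entity
    # expansion bombs. Real gateways also configure the parser itself to refuse DTDs.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        return False, "dtd-not-allowed"
    depth = count = 0
    try:
        for event, _ in ET.iterparse(BytesIO(data), events=("start", "end")):
            if event == "start":
                depth, count = depth + 1, count + 1
                if depth > MAX_DEPTH:
                    return False, "too-deep"
                if count > MAX_ELEMENTS:
                    return False, "too-many-elements"
            else:
                depth -= 1
    except ET.ParseError as exc:
        return False, f"malformed: {exc}"
    return True, "ok"


def json_to_soap(payload):
    """Structural (JSON -> SOAP) plus semantic (PONum -> PurchaseOrderNumber) transformation.
    Fields outside FIELD_MAP are dropped, so a partner cannot smuggle extra elements through,
    and ElementTree escapes text, so values cannot inject markup."""
    fields = json.loads(payload)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    order = ET.SubElement(body, f"{{{ORDER_NS}}}SubmitOrder")
    for src, dst in FIELD_MAP.items():
        if src in fields:
            ET.SubElement(order, f"{{{ORDER_NS}}}{dst}").text = str(fields[src])
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def validate_order_body(data):
    """Contract check (stand-in for XSD): only allowed elements, in the right namespace,
    inside SubmitOrder, and the PurchaseOrderNumber must be present."""
    order = ET.fromstring(data).find(f"{{{SOAP_NS}}}Body/{{{ORDER_NS}}}SubmitOrder")
    if order is None:
        return False, "no-SubmitOrder"
    tags = {child.tag for child in order}
    unexpected = sorted(t.rsplit("}", 1)[-1] for t in tags - ALLOWED_TAGS)
    if unexpected:
        return False, "unexpected-elements:" + ",".join(unexpected)
    if f"{{{ORDER_NS}}}PurchaseOrderNumber" not in tags:
        return False, "missing-PurchaseOrderNumber"
    return True, "ok"


def check_attachment(blob):
    """Quarantine decision for an attachment: block executables and known-bad hashes."""
    if blob.startswith(EXEC_MAGIC):
        return False, "executable-attachment"
    if hashlib.sha256(blob).hexdigest() in KNOWN_BAD_SHA256:
        return False, "known-bad-hash"
    return True, "ok"


def admit_message(payload_json, attachment=b""):
    """Whole pipeline: transform, then hygiene-check the result and the attachment.
    Returns (accepted, reason, soap_bytes or None); a rejected message is what gets quarantined."""
    soap = json_to_soap(payload_json)
    checks = (lambda: check_xml_hygiene(soap),
              lambda: validate_order_body(soap),
              lambda: check_attachment(attachment))
    for check in checks:
        ok, reason = check()
        if not ok:
            return False, reason, None
    return True, "ok", soap
```

The reason strings are what a quarantine queue would record for the analyze/remediate step; the same validate_order_body check applied to SOAP that arrives directly from a partner is what catches the "unadvertised change to a service" before it reaches the application server.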


Prerequisite #4: Security and Reliability
• Drivers
– Messages should not be compromised, and they should make it to their final destination
– SLAs and regulations

• Security
– Protocol level: SSL
– Content level: XML Security → encryption and signatures

• Reliability
– HTTP is inherently unreliable
– JMS is not used for cross-domain communication
– Use re-tries; WS-RM is not available for IaaS

• Enterprise Cloud Computing Implications
– Well-developed PKI management
– Established SSL communication infrastructure
– Content-level security for communications and IaaS apps
– Controlling image/instance movement
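The "use re-tries" advice on this slide, and the hand-coded timeout and message-delivery-error scenarios from the cost slide, as an added example (not Crosscheck Networks' code): a bounded, backed-off retry that reuses one idempotency key across attempts so a lost reply does not become a duplicate order. The FlakyCloudService receiver and its failure pattern are constructed so the example runs offline; a real transport would be an HTTPS client with an explicit timeout, with the key sent as a request header.

```python
"""Retry over unreliable HTTP without duplicating side effects (added example, not vendor
code). The receiver and its failure pattern are constructed so this runs offline; in
production the transport is an HTTPS call with an explicit timeout and the idempotency
key travels as a request header."""
import time
import uuid


class TransientError(Exception):
    """Timeout or lost reply: the request may or may not have been processed."""


class DeliveryFailed(Exception):
    """Retry budget exhausted; the caller must escalate, not silently drop the message."""


class FlakyCloudService:
    """Constructed receiver. Fails `failures` attempts either before processing (connect
    timeout) or after processing (reply lost), and deduplicates on the idempotency key."""

    def __init__(self, failures, lose_reply=False):
        self.failures, self.lose_reply = failures, lose_reply
        self.processed = {}        # idempotency key -> stored response
        self.side_effects = 0      # how many orders were really created

    def handle(self, idem_key, payload):
        if idem_key in self.processed:              # duplicate delivery: replay, don't redo
            return self.processed[idem_key]
        if self.failures and not self.lose_reply:
            self.failures -= 1
            raise TransientError("connect timeout")
        self.side_effects += 1
        self.processed[idem_key] = {"ok": True, "order": payload["PurchaseOrderNumber"]}
        if self.failures and self.lose_reply:       # processed, but the client never hears back
            self.failures -= 1
            raise TransientError("read timeout after processing")
        return self.processed[idem_key]


def send_with_retries(transport, payload, max_attempts=4, base_delay=0.5,
                      fresh_key_per_attempt=False, sleep=time.sleep):
    """Bounded retry with exponential backoff. Returns (response, attempts_used).
    One idempotency key is reused across attempts so the receiver can deduplicate;
    `fresh_key_per_attempt=True` is the naive retry, kept only to show the damage."""
    idem_key = str(uuid.uuid4())
    for attempt in range(1, max_attempts + 1):
        if fresh_key_per_attempt and attempt > 1:
            idem_key = str(uuid.uuid4())
        try:
            return transport(idem_key, payload), attempt
        except TransientError as exc:
            if attempt == max_attempts:
                raise DeliveryFailed(f"gave up after {attempt} attempts: {exc}") from exc
            sleep(base_delay * 2 ** (attempt - 1))   # add jitter in production


def demo():
    """Three scenarios; returns the side-effect counts so they can be checked."""
    ok_after_timeouts = FlakyCloudService(2)
    send_with_retries(ok_after_timeouts.handle, {"PurchaseOrderNumber": "PO-1"}, base_delay=0)
    lost_reply = FlakyCloudService(1, lose_reply=True)
    send_with_retries(lost_reply.handle, {"PurchaseOrderNumber": "PO-2"}, base_delay=0)
    naive = FlakyCloudService(1, lose_reply=True)
    send_with_retries(naive.handle, {"PurchaseOrderNumber": "PO-3"}, base_delay=0,
                      fresh_key_per_attempt=True)
    # (1, 1, 2): the naive retry created the order twice after one lost reply
    return ok_after_timeouts.side_effects, lost_reply.side_effects, naive.side_effects
```

The receiver-side deduplication is the half that WS-RM would otherwise provide; without it, "use re-tries" over plain HTTP turns every lost reply into a duplicate transaction, which is exactly the what-if scenario the cost slide says has to be hand-coded and tested.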


Tools, Techniques and Best Practices for Migration
• Planning:
– Think Global, Act Local

• Business Drivers/Owners
– Business Service Owner
– Technology Owner

• Requirements:
– Establishing Trust: Federated Identity Management
– Interoperability: Varying Message Types
– Flexibility: Virtualization & Leveraging Legacy Systems
– Message Hygiene: Check/Validate In-bound and Out-bound Messages
– Governance: Enforce, Measure and Audit SOA policies

• Lessons
– Federated SOA is NOT a product or technology; it is an architecture and philosophy
– Architecture: you may not get everything right on the 1st implementation, but be sure to get the architecture right
– Federated SOA is hard, but with the right approach it can unlock tremendous value


Mission Critical Deployments
• Synovus Financial is a $33B financial institution that provides retail and commercial banking throughout the Southeastern U.S.
• Deployed a Federated SOA strategy for call centers, branch platforms, deposit platforms, loan platforms, Internet and Mobile Banking
• Cut $1M/year in 3rd-party processing in just the first year
• Unified customer activity view
• Integrated systems and portals with over 35 trading partners
• Over 2 Billion transactions per year; 150,000 concurrent users
• 20 appliances across 2 data centers
• Winner of Grand Prize – CIO Magazine

"It's hard as a customer service rep to look credible in front of the client when you don't have the transaction related facts easily at your disposal." – John Woolbright, CTO


Deployment Scenario – Synovus Financial


Extending Federated SOA to Cloud Computing
Simulate and Model Migration


SERVICE SIMULATION
• Point and click WSDL and XML Simulation
• Simple and Complex business logic simulation
• Verify Client Functional Adherence
• Allows Parallel Client and Service Development
• Improve interoperability
• Provide consistency across organizational lifecycle

CLOUD MIGRATION
• Enterprise-to-Cloud Interaction
• Model Services, ESBs, Application Servers, Databases
• Cloud Instance Performance, Latency and "Spin-up" Time
• Cloud Failures, Outages and Application Error State
• Security, Capacity, Interoperability
• Centralized Policy Control

Identity Token Generator, WS-Security, Native PKI, Runtime State Machine
Point-and-Click Test Generator, Custom WSDL Parser, Custom SOAP Generator, Governance Scanning Engine
Cloud Adapters: Amazon EC2, GoGrid, OpSource


Extending Federated SOA to Cloud Computing
Secure and Reliable Enterprise-to-Cloud Communication


Questions/Comments?
Mamoon Yunus: myunus@crosschecknet.com
Visit us @ Booth #13 (iPad)
