Connecting SOA to the Cloud

Who do you trust to meter the Cloud?

2009-12-31T12:13:00.000-08:00

Tom Raftery at Greenmonk (the green shoot from Redmonk) has a great analysis of the disastrous use of smart meters by PG&E in Bakersfield, California.

He quotes SmartMeters.com that:

Bakersfield residents believe their new smart meters are malfunctioning because their bills are much higher than before. PG&E claims higher bills are due to rate hikes, an unusually warm summer, and customers not shifting demand to off-peak times when rates are lower.
http://www.smartmeters.com/the-news/682-lawsuit-filed-against-pgae-for-smart-meter-overcharges.html

In the same story on smartmeters.com, State Senator Dean Florez, the Majority Leader in California, is quoted as saying “People think these meters are fraud meters. They feel they’re being defrauded. They’re getting no benefit from these things.”

This after $2.2b (yes, billion) was spent on the project.

Tom Raftery goes on to say:

One of the advantages of a smart grid is that the two way flow of information will allow utilities to alert customers to real-time electricity pricing via an in-home display. PG&E have not rolled out in-home displays with their smart meters, presumably for cost reasons. If they lose the class-action law suit, that may turn out to have been an unwise decision.
http://greenmonk.net/pge-smart-meter-communication-failure/

There is a better way, however:

What PG&E should have is a system where customers can see their electrical consumption in real-time (on their phone, on their computer, on their in-home display, etc.) but also, in the same way that credit card companies contact me if purchasing goes out of my normal pattern, PG&E should have a system in place to contact customers whose bills are going seriously out of kilter. Preferably a system which alerts people in realtime if they are consuming too much electricity when the price is high, through their in-home display, via sms,Twitter DM, whatever.
http://greenmonk.net/pge-smart-meter-communication-failure/

So what has this got to do with Cloud Computing? Quite a lot, actually. Customers of Cloud services right now depend on the "meters" being provided by the service providers themselves. Just like the PG&E customers in Bakersfield. This means that they depend on the service provider itself to tell them about usage and pricing. There isn't an independent audit trail of usage. The meter also locks the customer into the service provider.

A Cloud Service Broker addresses these issues. It is not a coincidence that much Cloud Service Broker terminology carries over from the world of utilities - it is solving the same problem:

Data transfer to cloud computing environments must be controlled, to avoid unwarranted usage levels and unanticipated bills from over usage of cloud services. By providing local metering of cloud services' usage, local control is applied to cloud computing by internal IT and finance teams.
http://www.vordel.com/solutions/cloud.html

The Cloud Service Broker analyzes traffic and provides reports as well as an audit trail. Reports include usage information in real-time, per hour, per day, and per service. Reports are based on messages and based on data. Visibility is key. This is all independent of an individual Cloud service provider. It is easy to imagine how useful this would be in conjunction with Amazon's spot pricing (see a great analysis of Amazon's spot pricing by James Urquhart here).

The lesson from the Bakersfield debacle is that customers of services, whether utilities or Cloud services, need real-time visibility of their usage, real-time visibility of costs, as well as an independent audit trail. In the Cloud world, this is provided by a Cloud Service Broker.

What is a Security Token Service and what does it do?

2009-12-30T14:08:00.000-08:00

The term Security Token Service is often bandied around, but clear examples of an STS in action tend to be lacking. Here is a video I've put together of an STS in action, including examples of the WS-Trust RequestSecurityToken / RequestSecurityTokenResponse messages.

The video shows the usage of an STS in conjunction with an XML Gateway (in fact the Vordel XML Gateway includes an STS built-in):

It also shows how SOAPbox can be used to call an STS using the RST/RSTR messages:

And we see the SAML assertions, returned from the STS, embedded into SOAP messages:

Check the video out for yourself at:
http://www.vordel.com/research/Security_Token_Service.html

Signing OAuth on the Vordel XML Gateway with Java using Signpost

2009-12-29T22:37:00.000-08:00

Today I was using Matthias Käppler's "Signpost" Java OAuth API. As the Signpost readme says:

"Signpost is the easy and intuitive solution for signing HTTP messages on the Java platform in conformance with the OAuth Core 1.0a standard."
http://github.com/kaeppler/signpost#readme

As an exercise, I ran Signpost on the Vordel XML Gateway to see it insert the OAuth Authorization header into outbound messages. Getting Signpost up and running on the Vordel XML Gateway is simple. Firstly, download the jar files for Signpost and put them into the "/ext/lib" directory to extend the Gateway using Java. Now, Signpost's OAuth signing functionality can be imported into a script on the Vordel Gateway easily using "importPackage". Because Signpost is so simple, the entire process of signing an outbound HTTP request with OAuth effectively takes just six lines of code running on the Vordel Gateway:

This is the beauty of being able to extend the Vordel XML Gateway with Java. Basically anything you can do in Java, you can do on the Gateway. Of course, you must have the rights to push the policy to the Gateway, something which is taken care of at the policy management level.

Once we run this policy, we see that the OAuth authorization headers have been added by the Signpost code running on the Vordel Gateway. The request is for the RSS feed for this blog. Here is a Wireshark trace showing the OAuth Authorization headers:

You may ask "Why run Signpost on the Vordel Gateway, why not just run it as a Java application separately?". The reason is that by running on the Vordel Gateway, it gets the advantage of all of the other included features on the Gateway, including response time analysis for the services the Gateway connects to, scanning inbound and outbound messages for threats, conversion, protocol translation, integration with IdM products such as SiteMinder and Oracle Access Manager, and the maintenance of an audit trail.

To run this yourself, grab a copy of Signpost and the Vordel XML Gateway then follow the guide to extending the Vordel Gateway using Java and scripts here: https://extranet.vordel.com/documentation2/VXG52/common/tutorials/utility_scripting.html (note: Vordel Extranet login needed to read the tutorial - contact info@vordel.com to get one)

Information Security... what?

2009-12-19T07:42:00.000-08:00

I've heard of information security policies, information security professionals, and information security conferences. But "Information Security Restrooms"?

I was working out of the Vordel Herndon offices for a few days this week, swinging back to the East Coast from California. I spotted this sign in Reston, Virginia, while walking in bitter cold past a skating rink to the Vordel Holiday Party. It certainly caused me to do a double-take:

How to create a SAML Assertion

2009-12-16T20:37:00.000-08:00

Many applications, including ESBs and Application Servers from Oracle and Sun, consume SAML assertions. Testing these applications can be a chore, since they require using a toolkit or API to create a SAML assertion. A good alternative is to use the free Vordel SOAPbox product includes the ability to create a SAML Assertion to be placed into an XML message, just using point-and-click configuration. Under the "security" menu item you can see the "Insert SAML Token" option:

You configure the SAML options graphically, no coding required:

This results in a SAML Assertion being inserted into the message, as shown below in the "Design" view of SOAPbox:

Grab your free copy of SOAPbox at: http://www.vordel.com/products/soapbox/

All Amazon EC2 accounts now enabled for Amazon Virtual Private Cloud

2009-12-14T23:20:00.000-08:00

Amazon EC2 VPC is outta beta:

http://aws.typepad.com/aws/2009/12/amazon-virtual-private-cloud-opens-up.html

What Google thinks SOA is

2009-12-10T17:35:00.000-08:00

A view into the Hive Mind - what you see when you type "SOA is" into Google:

Randy Heffner from Forrester on Policy-based SOA

2009-12-08T14:37:00.000-08:00

Randy Heffner from Forrester has posted on ZDNet about how "Policy-based SOA will enable increased business value and agility". He does a great job of explaining how a Policy-based SOA affects different users.

Firstly, there is the person designing the policy. As Randy says, the policy is defined "using the SOA product’s administration tool" (ie. not by writing code), and he goes on to say that "the important point here is that the policy is declared separately from the service, allowing it to change without changing the service itself". So, the policy is designed (as opposed to not coded) and then applied to services. This is preferable to burying policy details in with business logic, because, as Randy says, "If the policy is buried in the service implementation, the only definitive way to determine the active policy is to look at the code".

Then we are on to the person charged with enforcing the policy. They must use a product which does not slow down service execution as a side-effect of applying policy. Given that much policy-based SOA processing boils down to XML, XML Acceleration is required here.

Then, there is the person monitoring the SOA-based policies. The important point here is that the policies must map up to business-level insight. So that, for example, if a group of inventory-related services increase in use, this has implications for inventory usage. Randy Heffner puts it as:

Monitoring may include business-level insight. Besides technical operations data, SOA products can extract business data from service requests and responses, thereby enabling business-level monitoring.

So: We have design (policy design, independent from services), enforcement (with acceleration), and monitoring. I like to associate this with the Dilbert characters - Dilbert, Dogbert, and the Pointy-Headed Boss:

Finally, Randy recommends that policies do not become silos. Centralized policy management must be used (for example HP's GIF framework which Vordel supports).

Maureen O'Gara in Cloud Computing Journal - Microsoft Cloud Patent Application Not What It Seems

2009-12-07T20:18:00.002-08:00

Maureen O'Gara provides further coverage of Microsoft's Cloud Migration patent application over in Cloud Computing Journal

University of Virginia Cryptography Final Exam - How to rig the World Cup Draw

2009-12-04T09:53:00.000-08:00

Very topical today when so much of the world is focused on the World Cup draw:

David Evans from the University of Virginia discusses his Cryptography course exam question asking how the World Cup draw could be rigged.

More on Microsoft's "Migrating Data To New Cloud" patent application

2009-12-02T19:45:00.000-08:00

More commentary on Microsoft's "Migrating Data to New Cloud" patent application:

- Loraine Lawson in IT Business Edge

- Gavin Clarke in The Register

And, of course, the patent application itself:

Cloud Computing in Practice

2009-12-01T12:47:00.000-08:00

James Urquhart has assembled a very impressive list of examples of Cloud Computing in practice.

Examples include:

Number of applications running on Force.com: 135,000
Number of applications hosted by Ruby on Rails platform service vendor Heroku: 40,000+
Objects stored in Amazon Web Services S3: 64 billion (as of August 2009)

Full details at: http://news.cnet.com/8301-19413_3-10405895-240.html

Microsoft's Cloud Migration Patent Application

2009-11-30T20:06:00.000-08:00

Today in InformationWeek, Alexander Wolfe speculates about Microsoft's patent application regarding data migration between cloud services. Although on the face of it, a patent for Cloud migration would appear to be aimed at removing the lock-in associated with a single vendor, the patent application is in fact aimed within a single vendor system. So, it doesn't address the Cloud lock-in problem which has been identified by ENISA as the #1 risk of cloud computing. Lock-in to a single vendor can be addressed using a Cloud Service Broker solution which mitigates against the use of a single Cloud service by brokering the connection up to the Cloud service, allowing a switch-over at the interface level to a back-up Cloud service in the event of service failure.

How clouds are made

2009-11-29T16:57:00.000-08:00

How are Clouds made? By leasing an anonymous-looking building, buying commodity servers by the mile, then engaging an infrastructure guy like Randy Bias to put it together? No - I meant real clouds.

So on the day after Thanksgiving, I brought my son to the Liberty Science Center in Liberty City, New Jersey, just across the Hudson from Manhattan. It's a great place - we agreed afterwards that it's right up there with San Francisco's Exploratorium. Boston Museum of Science membership got us in for free.

One of the features of the Liberty Science Center is its open spaces. It just doesn't feel as crowded as other museums. And, in the open spaces, they run Live Science events. One of the live science events, called "Sub Zero", focuses on the different states of matter. The instructors explained how matter can exist in a number of different states (including "Pennsylvania", as one kid answered :-) ).

At the finale, we saw how a cloud can be created by pouring water onto liquid nitrogen:

Hope everyone had a good Thanksgiving weekend, whether or not it was a holiday weekend in your part of the world.

Using Token Translation and SAML to link domains together

2009-11-24T20:21:00.000-08:00

Token translation using SAML is now quite an established way to allow applications in one security domain to communicate with applications in another security domain, on behalf of a user whole identity does not have to also flow with the data. For more info go to Vordel's government page and then click on "Secure Cross-Domain".

Can a similar architecture be used for SOA-to-Cloud and "inter-cloud" scenarios? The answer is "yes - watch this space...."

Command-Line tool for testing Web Services

2009-11-23T19:18:00.000-08:00

The free SOAPbox tool includes a command-line interface, called SR ("Send Request") which allows you to script the load-testing of a Web Service. You can use SR to send multiple requests to a Web Service, to simulate multiple clients, to connect through a HTTP Proxy, to send SOAP attachments to Web Services, and to vary XML message traffic. To learn about SOAPbox, press F1 on SOAPbox's install page and then check out the SR examples, or run SR -h from the command line.

Get SOAPbox (including SR) from http://www.vordel.com/products/soapbox/

ENISA Cloud Computing Risk Assessment - Three initial thoughts

2009-11-20T11:18:00.000-08:00

The ENISA (European Network and Information Security Agency) today released the Cloud Computing Risk Assessment document.

The document does well by including a focus on SME's (Small and Medium sized Enterprises) because, as the report says, "Given the reduced cost and flexibility it brings, a migration to cloud computing is compelling for many SMEs".

Three initial standout items for me are:

1. The document's stated Risk Number One is Lock-In. "This makes it extremely difficult for a customer to migrate from one provider to another, or to migrate data and services to or from an in-house IT environment. Furthermore, cloud providers may have an incentive to prevent (directly or indirectly) the portability of their customers services and data."

Remember that the document identified SMEs as a major market for cloud computing. What can they do about the lock-in? Let's see what the document says:

The document identifies SaaS lock-in:

Customer data is typically stored in a custom database schema designed by the SaaS provider. Most SaaS providers offer API calls to read (and thereby ‘export’) data records. However, if the provider does not offer a readymade data ‘export’ routine, the customer will need to develop a program to extract their data and write it to file ready for import to another provider. It should be noted that there are few formal agreements on the structure of business records (e.g., a customer record at one SaaS provider may have different fields than at another provider), although there are common underlying file formats for the export and import of data, e.g., XML. The new provider can normally help with this work at a negotiated cost. However, if the data is to be brought back in-house, the customer will need to write import routines that take care of any required data mapping unless the CP offers such a routine. As customers will evaluate this aspect before making important migration decisions, it is in the long-term business interest of CPs to make data portability as easy, complete and cost-effective as possible.

And what about PaaS Lock-In?:

PaaS lock-in occurs at both the API layer (ie, platform specific API calls) and at the component level. For example, the PaaS provider may offer a highly efficient back-end data store. Not only must the customer develop code using the custom APIs offered by the provider, but they must also code data access routines in a way that is compatible with the back-end data store. This code will not necessarily be portable across PaaS providers, even if a seemingly compatible API is offered, as the data access model may be different (e.g., relational v hashing).

In each case, the ENISA document says that the customer must develop code to get around the lock-in, in order to bridge APIs and to bridge data formats. However, SME's generally do not have developers on staff to write this code. "Writing code" is not usually an option for an SME. I know - I worked for an EDI service provider who serviced SMEs in Europe - we would provide the code development services for the SMEs when they needed data transformation done at the client side.

But there is another answer. This bridging is the job of a Cloud Service Broker. The Cloud Service Broker addresses the cloud lock-in problem head-on by bridging APIs and bridging data formats (which, as the ENISA document mentions, are often XML). It is unreasonable to expect an SME to write custom code to bridge together cloud APIs when an off-the-shelf Cloud Service Broker can do the job for them with no coding involved, while providing value-added services such as monitoring the cloud provider's availability, encrypting data before it goes up to the cloud provider, and scanning data for privacy leaks. Read the Cloud Service Broker White Paper here.

2. "Customers should not be tempted to use custom implementations of authentication, authorisation and accounting (AAA) as these can become weak if not properly implemented."

Yes! Totally agree. There is already a tendency to look at Amazon's HMAC-signature-over-QueryString authentication scheme and implement a similar scheme which is similar but not exactly like it. For example, an organization may decide "Let's do like Amazon do and make sure all incoming REST requests to our PaaS service are signed by a trusted client using HMAC authentication", but omit to include any timestamp in the signed data. I can certainly imagine this, because this would happen all the time in the SOA / Web Services world (an organization would decide "Let's make sure requests are signed using XML Signature by trusted clients", but leave the system open to a simple capture-replay attack). Cloud PaaS providers should not make these same mistakes.

3. STRIDE and DREAD
Lastly, the document's approach of examining the system in terms of data-at-rest and data-in-motion, identifying risks at each point (such as information disclosure, eavesdropping, or Denial-of-Service), then applying a probability and impact to the risks, is very reminiscent of the "STRIDE and DREAD" model. However I do not see the STRIDE and DREAD model mentioned anywhere in the document. I know it's a bit long in the tooth now, and finessed a bit since the initial book, but it's still a good approach. It would have been worth mentioning here, since it's clearly an inspiration.

XML Performance Offload

2009-11-19T22:35:00.000-08:00

The area of XML Performance Offload bridges not only applications in a SOA architecture, but also the use of Cloud-based PaaS services which often are invoked using XML (e.g. SalesForce.com's WSDL interface) or are invoked using REST-style interfaces which return XML.

Vordel's XML Performance Offload paper is here:
http://www.vordel.com/scripts/downloadA.pl?downloadfile=XML_Performance_Offload.pdf

Cloud Computing is ...

2009-11-18T08:33:00.000-08:00

Techcrunch reports that Google has some implicit suggestions about newspapers, based on the drop-down suggestions it gives when you begin a search with "Newspapers are" . It's a nice example of the hive mind at work.

But check out the first suggestion Google gives you if you type "Cloud Computing is" into a Google search bar. I won't spoil the surprise here.

Interestingly, Google used to give similar suggestions for "SOA is", but the results are now a lot less frank and confrontational than they were a month ago. Does this show a change in general attitude about SOA, or is it just that Google cleaned up the results? hmm.

XML Bus Feeds and Visualizations

2009-11-17T19:14:00.000-08:00

You've heard of XML feeds being consumed into a Service Bus - now here's a consumable Bus Service XML feed. The Boston-area MBTA provides a real-time Web Service feed. For example, this request returns an XML document containing details of current locations of the 39 bus which runs from Jamaica Plain to Boston's Back Bay:

http://webservices.nextbus.com/service/publicXMLFeed?command=vehicleLocations&a=mbta&r=39&t=0

As befits a transport organization in a catchment area which includes MIT, the MBTA has a pretty impressive developers site. And, for anybody keeping score, Boston got there ahead of New York (whose MTA now also provides data feeds).

The MBTA data also has generated some impressive visualizations - check out A Day in the Life of the MBTA.

Maureen O'Gara at Cloud Computing Journal on the Vordel Cloud Service Broker

2009-11-16T05:39:00.000-08:00

Maureen O'Gara presents a sneak peak of the Vordel Cloud Service Broker private beta over at Cloud Computing Journal

Contact Vordel at info@vordel.com if you'd like an invitation to the beta....

MWD: Application and platform security top the list of Cloud development management concerns

2009-11-12T20:49:00.000-08:00

The analysts MWD have recently issued the results of their Cloud take-up survey

Headlines are:

54% of respondents highlighted that their organisations are already investing in Cloud Computing, or are planning to planning to invest at some point in the coming year.
61% of those with current investments are investing to support IT development and testing work.
Application and platform security top the list of development management concerns
Despite market immaturity, 22% of those with current investments already report receiving ROI.
Proven ability to scale and support for standards are top supplier selection concerns.

More details at:
http://www.mwdadvisors.com/blog/2009/11/new-mwd-advisory-service-launches-with-global-survey-of-it-architects-on-cloud-computing.html

Government Computing News: Vordel brokers cloud services

2009-11-11T11:26:00.000-08:00

This Government Computing News article, written by Trudy Walsh, covers Vordel's Cloud Service Broker launch:

http://gcn.com/articles/2009/11/10/vordel-debuts-cloud-service-broker.aspx

Vordel Cloud Service Broker White Paper now available

2009-11-10T16:33:00.000-08:00

If you want to read more detail beyond the Vordel Cloud Service Broker announcement, then this White Paper is the place to start. It is available at the URL below:

http://www.vordel.com/scripts/downloadA.pl?downloadfile=VordelCloudServiceBroker.pdf

Jeff Burt from eWeek covers the Vordel Cloud Service Broker announcement

2009-11-09T04:53:00.000-08:00

Jeff Burt has posted an article on eWeek covering the Vordel Cloud Service Broker announcement last week at the vordelworld conference:

The tool—which can be bought in an appliance, as software or as a virtualized service in the cloud—essentially is an “on-ramp to the cloud,” [Vordel CEO Vic Morris] said.

The product, which will be available in the first quarter 2010, registers services from all domains into a single repository, enabling businesses to more easily monitor and manage them, and apply policies to them.

The Vordel Service Broker not only offers the Multi-Domain Registry Repository, but also analytics capabilities that gives businesses an audit trail on the cloud services they use. In addition, the product includes content analysis capabilities to guard against data loss, caching to reduce cloud costs by servicing some requests itself, traffic throttling, event alerts and SLA monitoring.

Developers also will be able to use the Cloud Service Broker to link local applications with cloud-hosted apps.

http://www.eweek.com/c/a/Cloud-Computing/Vordel-Offers-On-Ramp-to-the-Cloud-808435/