From the Blogosphere

What Google Thinks SOA is

Fri, 11 Dec 2009 11:45:00 EST

A view into the Hive Mind - what you see when you type "SOA is" into Google:

read more

Seeking Mainframe Alternatives For Agility and Profit

Wed, 09 Dec 2009 14:45:00 EST

Many IT architects are discovering that technical and economic incentives are mounting for exploiting alternatives to mainframe computing applications and systems. As enterprises seek to cut their total IT costs, they examine alternatives to hard-to-change and -manage legacy systems. There are a growing number of technical and economic incentives for modernizing and transforming applications -- and the data center infrastructure that support them. Here with us now to examine alternatives to mainframe computing, is John Pickett, Worldwide Mainframe Modernization Program manager at HP; Les Wilson, America's Mainframe Modernization director at HP, and Paul Evans, worldwide marketing lead on Applications Transformation at HP. The panel is moderated by BriefingsDirect's Dana Gardner, principal analyst at Interarbor Solutions.

Randy Heffner from Forrester on Policy-based SOA

Wed, 09 Dec 2009 11:00:00 EST

Firstly, there is the person designing the policy. As Randy says, the policy is defined "using the SOA product’s administration tool" (ie. not by writing code), and he goes on to say that "the important point here is that the policy is declared separately from the service, allowing it to change without changing the service itself". So, the policy is designed (as opposed to not coded) and then applied to services. This is preferable to burying policy details in with business logic, because, as Randy says, "If the policy is buried in the service implementation, the only definitive way to determine the active policy is to look at the code". Then we are on to the person charged with enforcing the policy. They must use a product which does not slow down service execution as a side-effect of applying policy. Given that much policy-based SOA processing boils down to XML, XML Acceleration is required here.

Technology Adoption & the Age Myth

Wed, 09 Dec 2009 10:00:00 EST

As I evangelize around the upcoming surge in innovation driven by technology and globalism one topic that is often raised is the issue of how older people are unable or unwilling to adapt to the change brought on by technologies. Hence, the rapid states of change I predict are unlikely because of this "age" phenomenon.

What’s in a Namespace

Mon, 07 Dec 2009 10:00:00 EST

Although XML has been around for quite some time many developers still don't know too much about it. Not needing to know too much about it is one of XML's strengths, but cursory knowledge is rapidly becoming mandatory for all developers. This post will discuss some of the details of namespaces in XML.

In XML a namespace is just that, a space (or area) identified by a name. When we look at a namespace such as http://novaenterprisesystems.com/schemas/purchaseorder we are not actually identifying a location on the web. Granted it does look like a URL and your browser will probably make you want to click it (don't bother, at least for now it doesn't actually go anywhere). In an XML document this simply means in a namespace that certain nodes of the document exist in this namespace. That is they are identified by their Element / Attribute name and this namespace. Here is an example:

In this case this means that the PurchaseOrder element is identified using the specific namespace http://novaenterprisesystems.com/schemas/purchaseorder. I could have just as easily (and legally) made the name space "bob". Although bob would be a legal namespace, it doesn't do much to describe what this schema represents. All this really means is that the PurchaseOrder element has an identity in the definition space of this schema. I could import another schema that defines a different PurchaseOrder element in another schema with no ill-effect (it would clearly need another namespace in order to be unique).

Namespaces ultimately should convey information about the service or document in question. The generally accepted pattern for naming schemas is as follows:

http://[company]/[role]/[businessarea]/[date or version]

Where Company is obviously the entity exposing this schema, Role is either schema (for message types) or interface (for operations such as web services), business area would be the vertical or horizontal segment of the service or document Company is providing (such as purchasing or billing). Date / version should be self-explanatory, but is most often the year and month the schema is effective (more on that in another post). A better example would be: http://novaenterprisesystems.com/schemas/purchasing/2009-11.

You may be asking yourself 'so why all the fuss'? The two main issues are legality in XML (more of a technical concern) and much more importantly readability by consumers. A namespace should clearly express the intent of a schema to which it is attached. If this is for a business document or file that should be clear (as well as what business document this represents). The definition difference between schema (message) and interface (operation) should clear confusion about what the document really means. You wouldn't want the consumers of your services to tightly couple the purchase order document to the operation of submitting a purchase order.

A last note I'd like to stress is that although the domain name http://novaenterprisesystems.com appears in this schema and message, the domain will receive no traffic as a result. Again that name is just an identifier, very similar to a namespace in .NET such as System.Data. Only when an import or include location points to a URL will network traffic occur.

HP Buys One of the Seven Networking Dwarves and Gets a Bargain

Fri, 04 Dec 2009 17:45:00 EST

Last week EMC and Cisco announced their VCE collation and Acadia. The other day, HP continued its early holiday shopping by plucking down $2.7B USD and bought 3COM, one of the networking seven dwarfs (e.g. when compared to networking giant Cisco). Some of the other so called networking dwarfs when compared to Cisco include Brocade, Ciena and Juniper among others.

Cloud Is the Gift That Keeps on Giving

Fri, 04 Dec 2009 15:45:00 EST

Brenda Michelson, Principal of Elemental Links, writes "elemental cloud computing" recently tweeted: "100k buys way more public, than private, cloud computing power" which started a short but inspiring conversation on the subject centering around the observation that "cloud is the gift that keeps on giving." That's alluding to the fact that the compute power purchased in "the cloud" is an annual expense, unlike private, cloud computing power which requires renewal at longer intervals, usually in the 3-5 year range. Still, Brenda is right at least in the short term. $100,000 purchases a lot more compute power in a public cloud computing environment than it will/would/does in a private cloud computing environment. The problem is that $100,000 in a private cloud computing environment is likely to provide more business value than would a comparable investment in a public cloud computing environment. And that's really the metric we should be using instead of CAPEX versus OPEX.

Oracle Faces Growing Price for MySQL

Thu, 03 Dec 2009 16:00:00 EST

The irony is that Oracle has advanced MySQL, lost money in the process, and helped its competitors - all at the same time. When Oracle buys Sun and controls MySQL the gift (other than to Microsoft SQL Server) keeps on giving as the existential threat to RDBs is managed by Redwood Shores. Oracle has uncharacteristically found itself maneuvered (by its own actions).

New OpenSolaris VPC Gateway Tool

Thu, 03 Dec 2009 13:45:00 EST

Even more interesting would be if I could create and access a VPC from OpenSolaris running inside of VirtualBox on my MacBook Pro! That way, I could have an on-demand virtual data center in the Cloud that I could access from anywhere! It was from this concept, that I reached out to Dan McDonald and Dileep Kumar. Forming this virtual team, we applied our respective skills to this challenge. As things started to heat up, we pulled in Sebastien Roy and Sowmini Varadhan who provided invaluable support and architectural guidance without which we would still be in troubleshooting hell. (Thank you guys!) So, where do things stand? (Drum roll, please!)

Grokking the Goodness of MapReduce and SPDY

Wed, 02 Dec 2009 12:00:00 EST

Certainly no one would seriously argue that web applications are fast enough for everyone. SPDY is one suggested solution, but what if we combine MapReduce and SPDY? Could we develop an architectural solution that leverages the best of SPDY without requiring entire infrastructure changes to support a new protocol?

More than a couple of people have mentioned Map/Reduce as a means to achieve workload-level distribution of applications in a cloud computing environment. I hadn’t looked into Map/Reduce but finally decided that if that many very smart people were thinking it was a solution, I should look into it. After reading through a few tutorials and articles on the subject, including a much referenced lecture from a UW Madison (yeah! Badgers!) professor, I began to wonder how well we could combined MapReduce with SPDY as a means to improve application delivery. [The referenced ‘illustrated’ PDF from the lecture is hard to find. You can access it here. ]

From Google’s paper on Map/Reduce:

MapReduce is a programming model and an associated implementation for processing and generating large datasets that is amenable to a broad variety of real-world tasks. Users specify the computation in terms of a map and a reduce function, and the underlying runtime system automatically parallelizes the computation across large-scale clusters of machines, handles machine failures, and schedules inter-machine communication to make efficient use of the network and disks.

Programmers find the system easy to use: more than ten thousand distinct MapReduce programs have been implemented internally at Google over the past four years, and an average of one hundred thousand MapReduce jobs are executed on Google’s clusters every day, processing a total of more than twenty petabytes of data per day.

It isn’t just the protocol (SPDY) that’s apposite to application performance and more specifically, web application performance. After looking through Map/Reduce, it would certainly appear that the combination of the “programmatic model” and SPDY would definitely provide the kind of scale and processing speed necessary to achieve a “speedier web.”

THE WAY IT WORKS TODAY

When we want to scale a web application today we need to build out an architecture that load balances requests across a pool of servers. Clients are limited in the number of connections that can be opened to any given host, but that number is now in the 6-8 range for modern browsers. The connections are synchronous, meaning that once a request is sent a reply must be received before the next request can be sent.

Each object in a page can be mapped to a request and thus the browser’s task is to distribute object requests across its available connections and then to aggregate the responses into a document that can be rendered for the user’s viewing pleasure.

In much the same way, the load balancer also distributes the requests across its pool of available resources: the application instances. The Load balancer is capable of handling much high volumes of connections, of course, and it can intelligently distribute requests based on a variety of parameters. An advanced load balancer (application delivery controller) can distribute requests based on the URI, values in HTTP headers, and on data in the actual request (payload). But it is still bound to the same synchronous request/reply pattern as the browser. In order to achieve high scalability and fast performance, the load balancer optimizes connections and uses as much information as possible when distributing requests. The latter is often a matter of configuration: even though the load balancer can use a wide variety of environmental factors upon which to base its load balancing decision it must be configured to do so and many an administrator/architect ignores these capabilities.

The result is still synchronous, with potentially multiple connections per client being utilized to return as many objects in parallel as possible. Both the browser and the load balancer are essentially parallelizing requests and responses.

WHAT IF WE COMBINE MAP/REDUCE and SPDY?

The biggest difference to note immediately is the lack of synchronous communication. SPDY is asynchronous, and thus the browser need not parallelize the requests. Using SPDY the browser could, as it was parsing the main page, simply send a request for each object it encounters back to the origin server.

Remember that SPDY allows for only one connection per browser, so all requests for component objects in a web page would need to be sent over that single connection. Aside from the synchronicity, this is not much different than would be the case is browsers were programmatically limited to a single connection per host.

Right now it appears the usage of SPDY is simulating traditional behavior; that is, the browser is still responsible for parsing out the “main page” and initiating individual requests for each component, albeit in the case of SPDY over the same connection.

If you have the capabilities afforded by Map/Reduce on the web/application server (or intermediary of some kind), could we not take advantage of that? Using Map/Reduce it certainly appears (and I may be completely off-base, but someone, I’m sure, will correct me if that’s the case) you could push the parsing (disaggregation) of the “main page” to the server/intermediary and let it “map” and “reduce” (aggregate) its component objects into a single, completed page that can then be returned to the client over that single connection. The “map” function is used to apply the same function to a large set of inputs, and all we’re doing is saying the function is “load/generate this page”, after all. The application of compression and security policies can be applied either at the component or complete page comprising all HTML required. The rest of the infrastructure need only act on a single, completed page in which all pertinent data exists, greatly simplifying processing.

It would have to be selective in that only some included content needs to be “reduced” into the main page. Some objects – navigational links, for example – can’t be included because, well, it would break the entire web. But there is a subset of objects that could be included that might result in improved performance overall. This is where SPDY (or at least its core functionality as applied to HTTP) comes into the picture, as its asynchronous nature would improve the delivery of objects that can’t be included in the core HTML for whatever reason. Distinguishing between the two could be as simple as an attribute on an anchor element such as “aggregate=true” with a default of false, just to try to maintain backward compatibility.

This would remove the need for the browser to parse the original page and subsequently issue requests, eliminating the round trip time for each object from the overall response time. While the resulting page is larger because it contains the complete HTML necessary, the browser can more effectively employ progressive rendering techniques on the complete page as soon as data begins returning.

The draft SPDY protocol, by allowing asynchronous requests, eliminates approximately half the round trip times by not requiring immediate responses, but by leveraging Map/Reduce capable systems on the server/intermediary side we can eliminate more ( #objects * RTT to be exact). We also completely eliminate the negative impact on the network (and thus application performance) from dealing with many small packets generated from many small objects.

The RTT between the server/intermediary and internal application servers is still applicable, but because this is almost always over high-speed, low-latency LAN connections (and we’re paying that price regardless) the impact on overall performance remains minimal.

AREN’T YOU ARGUING AGAINST APPLICATION DELIVERY CONTROLLERS?

If you think of application delivery controllers as nothing more than load balancers then it certainly might appear that way, wouldn’t it? But load balancing, while an integral component to an application delivery controller, is not the be-all and end-all of its capabilities or its only role in high-availability architectures. Optimization and acceleration still applies, as does security and its myriad related functions. So, too, does ability to transform requests on-demand, both ingress and egress. Context is still as important, if not more so in an architecture such as the one described, and given an application delivery controller generally sits in what is a strategic point of control in a data center architecture- traditional, virtualized, or cloud computing – it is still the best place to provide most application delivery functionality.

So no, I’m not shooting myself in the foot by postulating on a web-application architecture using SPDY and Map/Reduce (or some similar mechanism that has yet to be designed) as a core means to achieve fast and highly-scalable web applications. The use of SPDY and Map/Reduce would only speed up the internal processing and reduce the latency associated with the traditional request/reply paradigm. It does not address high-latency links, congestion, conditional network problems, or security-related issues. It doesn’t solve the problem of regulating request rates nor prioritization nor business-layer load balancing. And there are many BHQ (Big Hairy Questions) involving such a solution that would need answers before it could be useful, such as the handling of off-domain requests and credential mapping for integrated widgets/gadgets/sites.

Besides, it is somewhat interesting to note that much of the functionality described by Map/Reduce, when applied strictly to URI-based workloads (think REST and even SOA) already exists in application delivery controllers. It isn’t, after all, just about load-balancing, it’s about intelligent routing of requests based on context, like the URI. The single-session concept is something already demanded by service-providers (RADIUS, DIAMETER, SIP) and some application delivery controllers can handle this type of message-based load balancing [PDF] scenario, so all that’s left is the aggregation of the disparate components into a single page for delivery. So it’s possible that the definition of such an architecture combined with the protocol could be natively supported by application delivery controllers with relative ease. What’s necessary is to break out of the connection-oriented processing paradigm inherent in load balancing and proxies and HTTP, and in some cases we’re half-way there already.

It is definitely interesting to contemplate a new architectural solution to the problems associated with HTTP and performance. Map/Reduce is also certainly one answer to moving cloud computing out of its current instantiation toward truly on-demand resource utilization on a per-workload basis. It’s an interesting concept and one that obviously works well for Google, given the number of applications in its repertoire that apparently take advantage of the model. Thus it (or similar concepts) is certainly something to consider for potentially broader usage outside of Google’s infrastructure.

I don’t think anyone would argue that the web is “speedy” enough as it is, so exploring new concepts is something we need to do. We may find a thousand ways not to do it – and this may be one of those ‘not’ ways – but eventually someone will find a way.

Related blogs & articles:

Technorati Tags: MacVittie,F5,load balancing,SPDY,Google,MapReduce,parallelization,MBLB,message-based load balancing,architecture,infrastructure,application delivery,optimization,acceleration,security

Smartphone Market Trends and Analysis

Wed, 02 Dec 2009 11:15:00 EST

Wall Street Journal reported in Monday's Edition (November 30, 2009) that Dell, Acer, Asustek Computer and HP have all launched handsets to diversify their product offerings. What is my analysis? Lenovo sold their handset unit in 2008. Less than 2 years later they buy it back as they believe it represents a key growth area, and they buy it back just as the other large PC makers are launching their own new mobile handsets (smartphones) products to attack the growing mobile Internet market. This signals that PC manufacturers see smartphones as both a competitor to PCs and the future of mobile computing.

FCC Moving on “White Spaces” to Make More Spectrum Usable

Wed, 02 Dec 2009 09:39:00 EST

Harold Feld has a great post on movement at the FCC to make more spectrum available. According to Harold, the FCC has requested proposals for databases to manage access to the "white spaces" between the frequencies assigned to TV stations. Those frequencies were left unused because analog TV originally needed ...

SQL Server 2008 R2 Nov CTP Installs Easily on Windows 7

Fri, 27 Nov 2009 10:45:00 EST

I had problems installing on Windows XP SP3 but it was very easy on Windows 7 Ultimate Evaluation copy (build 7100). If you have Visual Studio 2008 you may need to apply SP1 before you complete installation on Windows 7. I installed a named instance Hodentek\KUMORI (ver 10.50.1352) which is a minor upgrade to SQL Server 2008 RTM. If you want to work with a database in the cloud (SQL Azure) you need SQL Server 2008 R2 Nov-CTP.

Cloud Computing Service: Amazon EC2 vs Google GAE

Thu, 26 Nov 2009 11:30:00 EST

Though different cloud service providers are following different strategies, these are the two uniquely different approaches. Others either are similar to one of these or fall somewhere in between. I have excluded SaaS from this discussion - you can see the comparison between IaaS, PaaS and SaaS on this post on Cloud Strategy.

Crossroads in FOSS Projects: Some Business Considerations

Wed, 25 Nov 2009 14:45:00 EST

At our Seminar last month, Managing FOSS to Lower Costs and Achieve Business Results, several participants asked about the dynamics of FOSS (Free and Open Source Software) projects that reach a crossroads (a failure, a merger, loss of key personnel, etc). I had not expected that concern because with commercial software, it seems to [...]

Mobile Applications and Mobile Data Services

Wed, 25 Nov 2009 12:15:00 EST

I am currently researching and writing a report on mobile enterprise applications and their impact on mobile data services for an analyst firm. I wanted to share some insights that I have gained through this exercise.

Socialnomics & Ownership

Wed, 25 Nov 2009 12:00:00 EST

I had an interesting exchange with a very reputable business associate yesterday, during which the topic of "ownership" came up as central to his business objectives. We all understand the notion, dedicate yourself to a company, build it up for years and then perhaps sell it for a premium value as you sail away into the sunset. As I woke this morning having thought about the prior days chat, another friend, Rasmus Elmann Ingerslev, had recommended a video on socialnomics that I watched, shown below. I am uncertain if most really understand what socialnomics signifies, as I've concluded its only the beginning of a far larger trend with greater implications beyond those of my facebook account. Similarly I am unclear if most business owners understand what the value of something really is and how these trends will impact it. Hence this post.

Using Token Translation and SAML to Link Domains Together

Wed, 25 Nov 2009 10:30:00 EST

Token translation using SAML is now quite an established way to allow applications in one security domain to communicate with applications in another security domain, on behalf of a user whole identity does not have to also flow with the data. For more

WILS: Client IP or Not Client IP, SNAT Is the Question

Wed, 25 Nov 2009 10:15:00 EST

Ever wonder why requests coming through proxy-based solutions, particularly load balancers, end up with an IP address other than the real client? It’s not just a network administrator having fun at your expense. SNAT is the question – and the answer.

SNAT is the common abbreviation for Secure NAT, so-called because the configured address will not accept inbound connections and is, therefore, supposed to be secure. It is also sometimes (more accurately in the opinion of many) referred to as Source NAT, however, because it acts on source IP address instead of the destination IP address as is the case for NAT usage.

In load balancing scenarios SNAT is used to change the source IP of incoming requests to that of the Load balancer. Now you’re probably thinking this is the reason we end up having to jump through hoops like X-FORWARDED-FOR to get the real client IP address and you’d be right. But the use of SNAT for this purpose isn’t intentionally malevolent. Really. In most cases it’s used to force the return path for responses through the load balancer, which is important when network routing from the server (virtual or physical) to the client would bypass the load balancer. This is often true because servers need a way to access the Internet for various reasons including automated updates and when the application hosted on the server needs to call out to a third-party application, such as integrating with a Web 2.0 site via an API call. In these situations it is desirable for the server to bypass the load balancer because the traffic is initiated by the server, and is not usually being managed by the load balancer.

In the case of a request coming from a client the response needs to return through the load balancer because incoming requests are usually destination NAT’d in most load balancing configurations, so the traffic has to traverse the same path, in reverse, in order to undo that translation and ensure the response is delivered to the client.

Most land balancing solutions offer the ability to specify, on a per-IP address basis, the SNAT mappings as well as providing an “auto map” feature which uses the IP addresses assigned to load balancer (often called “self-ip” addresses) to perform the SNAT mappings. Advanced load balancers have additional methods of assigning SNAT mappings including assigning a “pool” of addresses to a virtual (network) server to be used automatically as well as intelligent SNAT capabilities that allow the use of network-side scripting to manipulate on a case-by-case basis the SNAT mappings. Most configurations can comfortably use the auto map feature to manage SNAT, by far the least complex of the available configurations.

WILS: Write It Like Seth. Seth Godin always gets his point across with brevity and wit. WILS is an ATTEMPT TO BE concise about application delivery TOPICS AND just get straight to the point. NO DILLY DALLYING AROUND.

Related blogs & articles:

Technorati Tags: MacVittie,F5,application delivery,load balancing,SNAT,NAT,load balancer,X-FORWARDED-FOR,IP,routing,WILS

Command-Line Tool for Testing Web Services

Mon, 23 Nov 2009 22:18:00 EST

The free SOAPbox tool includes a command-line interface, called SR ("Send Request") which allows you to script the load-testing of a Web Service. You can use SR to send multiple requests to a Web Service, to simulate multiple clients, to connect through a HTTP Proxy, to send SOAP attachments to Web Services, and to vary XML message traffic. To learn about SOAPbox, press F1 on SOAPbox's install page and then check out the SR examples, or run SR -h from the command line.

WARNING: Security Device Enclosed

Thu, 19 Nov 2009 16:00:00 EST

How many times have you seen an employee wave on by a customer when the “security device enclosed” in some item – be it DVD, CD, or clothing – sets off the alarm at the doors? Just a few weeks ago I heard one young lady explain the alarm away with “it must have be the CD I bought at the last place I was at…” This apparently satisfied the young man at the doors who nodded and turned back to whatever he’d been doing.

WaveMaker 6.0 SaaS-enables Web Apps in Minutes

Thu, 19 Nov 2009 13:00:00 EST

Until today, web developers creating SaaS apps have been faced with an ugly choice: use proprietary development platforms like Force.com or build an open solution from scratch. WaveMaker released the first open cloud development platform. WaveMaker 6.0 is a visual development platform that runs in a browser. WaveMaker makes it ridiculously easy for anyone to prototype, develop and customize great looking web applications.

Social Media Marketing for Telcos

Thu, 19 Nov 2009 10:45:00 EST

This is the first of multiple-part series of interviews with David where we’ll look into buyer personnas, marketing tools-to-use and ask the question of whether social media is simply a fad.

Virtual Computing Environment (VCE) for Service Providers

Thu, 19 Nov 2009 10:45:00 EST

You might have already seen the announcement regarding the Virtual Computing Environment (VCE). We believe this is wonderful news for our customers and partners; and represents an unprecedented collaboration between three highly regarded leaders in the IT industry: Cisco, EMC with VMware. This coalition was created to increase customers’ business agility – specifically, through greater enterprise IT infrastructure flexibility, and lower IT, energy and real estate costs through pervasive data center virtualization and a transition to private cloud infrastructures.

Amazon Adding Active Directory Support

Thu, 19 Nov 2009 10:45:00 EST

I was surprised to find an Amazon Web Services booth at the Microsoft PDC yesterday. They had nothing specific to say regarding additional Windows support or capabilities - at least not officially. What I did get was a wink-wink, nudge, nudge when I commented on Azure's integration with Active Directory and other touchpoints. "This is coming soon," I was then told. Then they saw that I had a media badge and that ended the discussion... Looks like the enterprise is the battleground - which was only a matter of time. Following the great enterprise roadmap preview I saw last week at the RightScale user meeting in Santa Clara, this is quickly becoming a great market for business computing.

Marketing Exec Bruce Johnston Says Social Media Will Revive Mutual Fund Sales

Wed, 18 Nov 2009 13:00:00 EST

Last year, as imploding credit markets roiled the economy, mutual fund organizations throughout the country took stock of their revenue prospects. It was clear that a change or two was in the wind at Denver’s Old Mutual Investment Partners, too. For Chief Executive Officer, D. Bruce Johnston, one more change was clear: He wanted to do something different.

Only 9 More Days to Provide FINRA Your Thoughts on Social Media Policy

Wed, 18 Nov 2009 13:00:00 EST

As reported in DBJ Associates, “The cost of not communicating to advisors and clients through their preferred vehicles (social media) does not make a lot of long-term business sense.” It may be difficult for FINRA to address the social media question since a search of “social media” in both Regulatory Notice 09-55, the comment notice, and the text of the proposed new rule does not turn up a single reference to social media.

Internet Marketing Essentials: 4-Part Series

Wed, 18 Nov 2009 13:00:00 EST

Many B2B companies know that they should be incorporating an ongoing social media campaign into their arsenal of tactics to generate leads and sales. But, as a business owner or marketing professional, half the battle is trying to get your head around the social media wave, the crushing amount of information about it, where to even begin, and how to make it all fit into your marketing plans. The great news is that being successful at Internet marketing does not need to be as complicated as others may sometimes make it out to be. It will, however, require some start-up time and dedication to get a solid working plan in place. Here's the thing. The key to effective and profitable Internet and online marketing requires an integrated approach, utilizing the right tools and applying them with consistent effort.

Business Blogging: the Value of Adding a Blog to Your B2B Mix

Wed, 18 Nov 2009 13:00:00 EST

Of course it is now a prerequisite to have a professional web presence for your business. More than likely, you spend time and treasure on this critical resource. But what about a blog? Blogging may just seem like a fad for techies (www.Gizmodo.com) or people that seem to have plenty of time on their hands, or people who have plenty to say, like researchers (www.researchbuzz.org). By now, having a companion blog site has become part of a comprehensive marketing program for many. Blogging, and other forms of social media, has become a de facto means of engagement for B2B companies. It's simply essential. Just as you would view in-person networking events as necessary to engaging with customers and partners, your blog site should be this as well. And while it may seem that a blog will cost you additional time (and that treasure), there are resources available to streamline blog publishing. More than this, your blog site can be well-positioned to feed visitors to your existing company web presence.

Desperately Seeking SOA Business Cases

Wed, 18 Nov 2009 11:00:00 EST

Or, to rephrase that famous Kennedy quote, "ask not what SOA can do for you, but ask what you can do to improve your business!" This is a really important question because I believe that the person seeking this information is not alone in attempting to identify real value of investing in Service Oriented Architecture (SOA). The problem is that a properly done SOA should be unique to the mission, goals and processes of the organization making it of limited relative use to another organization. That is, SOA offers a framework for identifying, isolating, delivering and servicing a consumer need, and, while all businesses have some common aspects, the resulting business services should be unique to the needs of that business' consumers.

Data as a Service Could Drastically Impact Success of SQL Injection Attacks

Tue, 17 Nov 2009 00:00:00 EST

The question is whether that impact is positive (a reduction) or negative (an increase).

One of the biggest threats to data integrity is the introduction of malicious content via SQLi (SQL Injection) attacks. Traditional database access methods don’t provide a lot in the way of validating requests and like HTML the vagaries of SQL allow for myriad ways in which a statement can be constructed – and thus exploited.

These vagaries, of course, are one factor in the reason why SQLi continues to plague applications and sites driven by user generated content. Another factor is certainly the number of touch points in application code where attacks might slip through. With every new SQLi technique comes the need to update every one of those touch points and ensure they can properly defend against the new variation or technique.

But service enabling data sources changes the point of entry. It centralizes access down to a single point of contact.

Joe McKendrick notes in a recent blog on a related topic (data quality and SOA):

Ash [Informatica’s Ash Parikh], who has been warning the industry about the quality of data — or lack thereof — surging through SOA-based infrastructures for some time now, says SOA data services open up many new avenues for connecting SOA with enterprise data management. “It’s much more than just data access,” he points out. “It’s making sure the data that is delivered is of the greatest quality.” [emphasis added]

If we expand “quality” to include “clean, untainted, and free of malicious content” then we’re pretty much on the same page.

SECURITY AND TRADITIONAL DATA ACCESS MODELS

Using traditional methods of database access (JDBC/ODBC/ADO.NET/PHP ADAPTERS) every time a developer wants to access the database they must:

1. Obtain a connection to the database

2. Construct the appropriate query

3. Execute the query

One assumes, of course, that prior to constructing the query that any user-supplied input is validated and any potentially malicious content either stripped or outright rejected.

Most web applications today are data-driven, meaning they require a database in which to store and retrieve content. These applications – and that includes blogs, content management systems, news sites, and social networking sites – may contain multiple queries on every page, meaning there are multiple points at which malicious content may be introduced into the system. Add-on the possibility of an API through which content may be added and you’ve increased again the number of potential “holes” through which an SQLi attack might be executed.

Service-enablement, on the other hand, effectively reduces the number of potential entry points through which an attack may occur. It reduces the attack surface.

In a service-enabled database access scenario, the applications still make the same number of “connections” because each query is designed to perform a specific task , but instead of those queries going directly to the database they are actually made to a service interface instead. It is the service interface that then handles database connections, constructs the query, and executes the query on behalf of the client application.

There are two possible security outcomes to this scenario.

1. Overall security is improved. Because there are fewer interfaces to secure the process of validating and further detecting potentially malicious code will be more thorough. Reducing the number of places in which these checks must occur also reduces the potential to “miss” a touch point when implementing security processes. Protection against SQLi is shared by all applications, so if security at the interface is properly implemented it will be beneficial to all applications using the service.

2. Overall security is degraded. Because the data access service interfaces are shared across all applications, any vulnerabilities are shared by all services utilizing the interfaces. It is also possible that the use of service-enabled interfaces may introduce additional avenues of attack. Service-enablement via SOAP/HTTP brings with it all the security vulnerabilities associated with XML and SOAP. Service interfaces are also publicly accessible, so authentication and authorization are paramount to successfully securing such implementations. Weak or easily breakable authentication schemes can lead to compromise. If the services are publicly accessible this could be an even higher concern.

ENSURING THE BEST POSSIBLE OUTCOME

It certainly appears at first glance that perhaps the possibility of a negative outcome – because of the impact to multiple applications –outweighs the potential benefits of improving security. But the change in architecture affords the opportunity to provide additional security around the service (as well as scaling benefits that are not typically associated with databases) than can tip the scales of benefits versus risk to the side of improving security.

A reduction in the number of entry points at which SQL queries are constructed from user input increase the resources that can be applied to the security of those interfaces. Fewer entry points affords a tighter focus on applying secure coding practices against the OWASP Top Ten. Testing against vulnerabilities, too, becomes easier and potentially more thorough.
Adding a data service layer, usually enabled by HTTP, enables the leverage of existing technology to secure the messages and protocols between the application server and the data services. A web application firewall can provide additional security scans on the services in real time as well as provides protection against (un)intentional denial of service attacks against the service. XML-related capabilities in WAF solutions can also address the potential introduction of XML specific vulnerabilities to the architecture, as well as offering support for authentication and authorization and encryption/signing of requests.
Moving data services to its own tier separates the tiers more completely and provides better agility for development. If a new vulnerability is discovered, for example, it need only be addressed in a limited, well-known set of services rather than across all applications that may be vulnerable. This can reduce the time to fix vulnerabilities or add new functionality to the data tier.

Service-enabling data sources is an architectural change that should not be executed upon lightly. It affects all other applications that rely on the data source, and introduces another layer into the architecture that may or may not make it more complex. Moving to such an architecture can be beneficial and can drastically improve security and decrease the likelihood of a successful SQLi attack. But if not entered into with the proper motivation to ensure the services are secured, tested, and protected against other security vulnerabilities it is possible that such an architecture could degrade your overall security posture and make it more likely that an attack will succeed.

Careful consideration regarding the dedication of resources and testing of data services is required before embarking on such an initiative. Collaboration between architecture, network, and development teams is required to design the service and its supporting application infrastructure in such a way as to ensure the change is a net positive for the entire organization.

Related blogs & articles:

Technorati Tags: MacVittie,F5,application security,security,SOA,services,tiers,architecture,web application security,OWASP,database security,web

Five Days with a Droid

Fri, 13 Nov 2009 14:15:00 EST

I got my Droid about five days ago, and immediately took it on the road with me, which meant I didn't have the quality time I wanted to settle into a nook and read Persian love poetry to it. But, I did get a sense of how it looks to ...

Oracle Fusion Middleware Deployment Guides

Fri, 13 Nov 2009 10:30:00 EST

Well hello again!

After a week off with H1N1 (don’t get it, you really won’t like it), and another week or two catching up, I’m finally back in the saddle and there’s plenty to talk about – some of it stuff I should have been talking about weeks ago.

Today we’ll discuss the Deployment Guides some smart folks here at F5 have thrown together to go with the Oracle Fusion Middleware Enterprise Deployment guides (that some smart folks at Oracle threw together).

First up, props to Oracle for an astounding document library that you can access sans login. It’s not new, but if you’re not familiar with it, check it out.

What our staff did is take the documents from their library that reference places where BIG-IPs fit in, and created complimentary documents to show how to configure your BIG-IP to fit the Oracle Fusion Ecosystem.

So here is the list of Oracle documents, and F5 complimentary documents. Between them, you can make your Oracle Fusion environment adaptable, reliable, and zippy. At least I claim you can :-).

Oracle Enterprise Deployment Guide	F5 Deployment Guide
Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management 11g Release 1 (11.1.1) http://download.oracle.com/docs/cd/E12839_01/core.1111/e12035/toc.htm (see Section 2.2.1)	Deploying F5 with Oracle Fusion Middleware Identify Management 11gR1 http://www.f5.com/pdf/deployment-guides/oracle-identity-management-big-ip-dg.pdf
Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle SOA Suite 11g Release 1 (11.1.1) http://download.oracle.com/docs/cd/E12839_01/core.1111/e12036/toc.htm (see Section 2.2.2)	Deploying F5 with the Oracle Fusion Middleware SOA Suite 11gR1 http://www.f5.com/pdf/deployment-guides/oracle-soa-big-ip-dg.pdf
Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle WebCenter 11g Release 1 (11.1.1) http://download.oracle.com/docs/cd/E12839_01/core.1111/e12037/toc.htm (see Section 2.2.2)	Deploying F5 with Oracle Fusion Middleware WebCenter 11gR1 http://www.f5.com/pdf/deployment-guides/oracle-webcenter-big-ip-dg.pdf

I’d love to take credit for this chart or any of its contents, but this time I’m just the messenger, other people created all of the content, and the chart is essentially a recreation of one I received via email. If you’re using Fusion Middleware and have F5 gear in-house, they’re worth checking out to see how you can benefit from them.

And that gets me back into the blogging groove… Expect to hear more from me in the near future.

Don.

Is ESB Mandatory for SOBA?

Wed, 11 Nov 2009 16:15:00 EST

Deploy ESB if you really need integration solution for your Service Oriented Business Application.

TheLadders.com Recruits 3PAR and Saves on Storage

Wed, 11 Nov 2009 11:00:00 EST

3PAR, the leading global provider of utility storage, announced that TheLadders.com cut their total cost of storage in half by replacing their legacy storage infrastructure with 3PAR Utility Storage. The online job search website deployed 3PAR Utility Storage in conjunction with server virtualization from VMware as part of a datacenter virtualization initiative. This initiative reduced the company’s storage capacity requirements by 66%, which also reduced storage administration time. In addition, by consolidating onto a single, highly virtualized 3PAR InServ Storage Server, TheLadders.com was able to eliminate the use of separate arrays for different applications and reliance on costly consulting services.

Why Defining ‘Cloud Computing’ Is Important

Wed, 11 Nov 2009 09:00:00 EST

It seems like every major vendor out there from hardware to software has a different definition of what cloud computing is. I’ve dabbled a little with the definition on here before, but it still seems like there is a general lack of consensus when it comes to definition. With that said, does the definition matter much? Isn’t the business value of the cloud more important than the strict definition? Of course the value is more important, but the definition can have implications with respect to understanding and quantifying that value for your business.

Digging Deeper in Microfinance with Kiva.org

Tue, 10 Nov 2009 13:00:00 EST

I have been a long time donor to Kiva.org, a peer microfinance lending site that has been around for several years. When I first heard about it I thought it was an interesting idea and donated some money to fund a few different third-world start up businesses. Kiva works by hooking up generous folks with microfinance lenders by promoting the individual beneficiaries on their Web site. You get the feeling that your donation is going straight into the pockets of these worthy folks. And you can watch your donation be repaid in painfully small increments as the business owner (usually women) succeeds.

Reality Check at the Cloud Computing Expo

Mon, 09 Nov 2009 20:30:00 EST

The talk at the Cloud Computing Expo this week in Santa Clara was all about enterprise cloud adoption. Is it real? Is it already happening? If so, who’s doing it, which applications are they running and which clouds are being tested? To a large extent, cloud computing is a victim of its own somewhat out-of-control hype cycle. Since so much has been written and discussed about the cloud in 2009, there is now a growing impatience for actual results. The fact that 2000 people showed up at the Cloud Expo in Santa Clara this week (double the number from last year’s show) suggests that at the very least, interest in enterprise cloud computing remains very real, and the need for practical solutions and use cases is growing more urgent.

Open Source Content Management Software Company New CEO

Thu, 05 Nov 2009 18:15:00 EST

eZ Systems, the world´s largest open source content management software company, announced today that former IBM and BEA executive Christoph Rau will join the company as CEO, effective immediately.

Data Loss in MAC OS X

Thu, 05 Nov 2009 16:15:00 EST

Mac OS X is a multi-tasking operating system that allows you to execute one or more processes at the same time. In some situations, you need to restart your Mac computer to clear several system processes to free system resources. This is the best solution to prevent system freezing. But sometimes when you restart your Mac computer, you encounter gray screen of Mac with a gray spinner.