From the Blogosphere

Hadoop and Business Intelligence

Thu, 16 Feb 2012 08:49:00 EST

Like my colleague Alex Olesker, I too attended Cloudera Day 2012. While there were many panels of interest, perhaps one of the most important was Amr Awadallah‘s talk about big data applications to business intelligence. Many CTOVision readers with backgrounds in the intelligence community may think of corporate espionage when the phrase “business intelligence” is uttered, but I assure you that this is definitely not the case. Business intelligence is different from competitive intelligence, which is primarily based on open-source analysis of competitors and markets. Rather, business intelligence is quantitative analysis of internal data using advanced analytics techniques.

Advanced Persistent Threat: Useful or Buzzword?

Wed, 15 Feb 2012 16:00:00 EST

The term Advanced Persistent Threat (APT) is often regarded somewhat suspiciously by security professionals, seeing as it how it can be a buzzword that obscures actual analysis of the dynamics of cyber attacks or a diplomatic fiction because it’s not polite to openly accuse the Chinese and Russians of stealing from us. But recently, I’ve seen some analysis that points to some use for the concept. Is the term overused? Yes, Schwartz points out. But there is a qualitative difference emerging between attackers who are taking a path of least resistance and those using sophisticated attack techniques to enter the systems of targeted organizations. Moreover, while non-APTs use cruder methods to probe for weak points, APTs use social engineering and use either direct intelligence techniques (or civilian analogues) to directly target vulnerable employees and organizational knowledge gaps. As much as APTs are a marketing term, they are indeed more advanced than the average spammer (although perhaps the spammer is just as persistent) and certainly pose a threat.

New iOS Edge Client

Wed, 15 Feb 2012 15:28:00 EST

If you are running the BIG-IP Edge Client on your iPhone, iPod or iPad, you may have gotten an AppStore alert for an update. If not, I just wanted to let you know that version 1.0.3 of the iOS Edge Client is available at the AppStore. The main updates in v1.0.3: URI scheme enhancement allows passing configuration data to the client upon access. For example, you could have a link on the WebTop that invokes the client and forces web logon mode. Other Bug fixes.

Truth in (Round) Numbers?

Wed, 15 Feb 2012 10:30:00 EST

Statistics matter, not only in business, but increasingly also in our social life - well, at least in our social media life. Some of the statistics I noticed this week were round numbers, like 1000. With 1000 representing both the number now showing under "followers" in Twitter and the revenue number for research (that's excluding events, consulting and other items) we grew to in 2011. And on my blog I saw - a bit to my surprise - it has been a full 10 weeks since my last post! That's however more a case of blogger's block than writer's block, as I did (co-)author the round number of 10 research notes since joining this summer. To catch up, I am including below a short overview of the topics these research notes covered (Gartner clients only) and that I likely will explore further in the future - both in research and using (social) media. So what topics did these 10 research notes address? First to mention are the Predicts 2012. I participated in two this year, one called Predicts 2012: Cloud Computing Is Becoming a Reality in which we revisited an earlier prediction on cloud lock-in and explored the idea of a Maslov type hierarchy of needs for cloud computing customers. In this needs hierarchy fear of lock-in will be gaining ground as more basic needs like security are better understood.

Oops! HTML5 Does It Again

Wed, 15 Feb 2012 07:28:00 EST

#HTML5 #infosec A multitude of security-related solutions rely upon the ability to extract and examine mime-objects from web-content. HTML5 may significantly impair their ability to do so.

The trade off between security and performance has long been a known issue across IT organizations. One of the first things to go when performance is unacceptable is a security solution. This isn’t just an IT phenomenon either; consider how many of us have disabled endpoint security solutions like anti-virus scanners to improve performance?

Our refusal to be slowed down by what may seem to some as extraneous security is what eventually led IT security professionals to revise their strategies and enforce such scans on inbound content in the network. Network-attached security scanning solutions have long been a staple of inbound e-mail and has found increasing use as a means to scan inbound web-content, as well, as an attempt to eliminate potential malware from having access to the corporate network.

IT Organizations That Trade Security for Performance Deserve Neither

A new [at the time of publication, July 2011] survey of 487 IT professionals that was conducted by Crossbeam, a provider of high-performance security gateways, finds that while 91 percent of the respondents were not only making tradeoffs between security and performance, a full 81 percent were actually disabling security features.

HTML and soon, if we believe the predictions HTML5, is the lingua franca of Internet communication. Oh, applications may speak JSON under the covers, but in the end it’s just data to be displayed to the user which means HTML(5).

What does that mean for anti-virus and malware web scanners? Well, if one of the features of HTML5 being leveraged is WebSockets, a lot. Otherwise, not much. At least not yet.

You see, WebSockets accidentally trades performance for security.

OOPS

One of the things WebSockets does to dramatically improve performance is eliminate all those pesky HTTP headers. You know, things like CONTENT-TYPE. You know, the header that tells the endpoint what kind of content is being transferred, such as text/html and video/avi. One of the things anti-virus and malware scanning solutions are very good at is detecting anomalies in specific types of content. The problem is that without a MIME type, the ability to correctly identify a given object gets a bit iffy. Bits and bytes are bytes and bytes, and while you could certainly infer the type based on format “tells” within the actual data, how would you really know? Sure, the HTTP headers could by lying, but generally speaking the application serving the object doesn’t lie about the type of data and it is a rare vulnerability that attempts to manipulate that value. After all, you want a malicious payload delivered via a specific medium, because that’s the cornerstone upon which many exploits are based – execution of a specific operation against a specific manipulated payload. That means you really need the endpoint to believe the content is of the type it thinks it is.

But couldn’t you just use the URL? Nope – there is no URL associated with objects via a WebSocket. There is also no standard application information that next-generation firewalls can use to differentiate the content; developers are free to innovate and create their own formats and micro-formats, and undoubtedly will. And trying to prevent its use is nigh-unto impossible because of the way in which the upgrade handshake is performed – it’s all over HTTP, and stays HTTP. One minute the session is talking understandable HTTP, the next they’re whispering in Lakota, a traditionally oral-only language which neatly illustrates the overarching point of this post thus far: there’s no way to confidently know what is being passed over a WebSocket unless you “speak” the language used, which you may or may not have access to.

The result of all this confusion is that security software designed to scan for specific signatures or anomalies within specific types of content can’t. They can’t extract the object flowing through a WebSocket because there’s no indication of where it begins or ends, or even what it is. The loss of HTTP headers that indicate not only type but length is problematic for any software – or hardware for that matter – that uses the information contained within to extract and process the data.

WEDGE NETWORKS

Wedge Networks, whose name you may never before heard even though you might have had content scrubbed by their devices and not known it, has a solution to the problem of disaggregating web objects without requiring specific identification by HTTP headers, thus solving this problem and several other similar ones where protocols lack the means to definitively identify specific content by type.

WedgeOS - Network Data Processor Architecture

The WedgeOS Network Data Processor ("NDP") is the proprietary architecture that allows content inspection at Gigabit speeds without impacting network performance. The WedgeOS NDP architecture revolutionized Web Security Appliances with the introduction of BeSecure. BeSecure is capable of intercepting and actively scanning all internet traffic for malicious content as it enters the network.

What they meant to say was “we do deep content inspection on streaming traffic and are able to accurately identify – and subsequently extract – MIME objects at line rate and then scan them for bad stuff you don’t want on your network.” Content comes into their device (and it’s off-the shelf hardware, I’m told), MIME objects are disaggregated regardless of transport or application protocol, shoved down a high-speed internal bus into which are plugged a variety of security scanning functions, and then shoved back out the other side, assuming all was well. Policies enable the ability to determine exactly what happens if there are anomalies or malicious code discovered.

Wedge Networks has partnered with a number of well-known and industry leading security scanning solutions and brought them together into a single device. Applying the old “crack the packet only once” doctrine, the device is able to perform its scans as fast as objects can traverse its internal bus.

The devices deploys in either proxy or transparent mode, with the latter being most popular simply due to the mitigation of disruption that can come with inserting a proxy-based solution into an established network.

Let’s assume for a moment that a Wedge Networks device really does accomplish all this – at line rate. I can’t know, I don’t evaluate products in lab environments any more, so I can take their word for it. But let’s assume it does. That opens a wide variety of possibilities – both inbound and outbound – for protecting web applications and customers alike, and not just for HTML5.

Assuming no degradation of overall performance, the ability to detect and prevent delivery of malware that may have been surgically inserted into your database or CMS via XSS or SQLi would be a boon, if only to let you know it happened much sooner and provide the time necessary to redress the infection. Nearly every rational organization scans inbound e-mail for potential risks, but very few (if any) scan outbound. We all know why – the belief that performance is more important than security, especially when consumer dollars are on the line. If Wedge Networks can do as it promises and not impede performance while still providing a valuable security service, well, that might be something to think about.

Connect with Lori:	Connect with F5:

Related blogs & articles:

Technorati Tags: F5,MacVittie,Wedge Networks,network,security,HTML5,WebSockets,malware,anti-virus,performance,application security,blog

The Path to the Intelligent Cloud

Wed, 15 Feb 2012 07:00:00 EST

Let's face it right now the cloud is pretty immature. The level of automation and management of these environments are analogous to the early assembly lines, but it won't be this way long. This is not the industrial revolution and it moves at a wicked fast pace. Before we know it the next generation of cloud computing will be upon us and it will be very different than the IaaS/PaaS/SaaS offerings we know today. For one, it will be intelligent. That is, the cloud will be content aware and it's network connections will act like mycelia hyphae and what one hyphae learns will become available to the entire cloud. Whereas the current cloud is focused on scalability and elasticity, the next instance of the cloud will focus on redundancy, resiliency and collaboration. The discussion regarding public, private or hybrid will become moot as the cloud simply becomes a system of nodes with some nodes participating fully while some don't participate at all. Nodes will contribute to the cloud on a controlled basis. Some will host their own nodes while others will pay service providers to host their nodes for them.

What Does Mobile Mean, Anyway?

Tue, 14 Feb 2012 10:30:00 EST

There are – according to about a bazillion studies - 4 billion mobile devices in use around the globe. It is interesting to note that nearly everyone who notes this statistic and then attempts to break it down into useful data (usually for marketing) that they almost always do so based on OS or device type – but never, ever, ever based on connectivity. Consider the breakdown offered by W3C for October 2011. Device type is the chosen taxonomy, with operating system being the alternative view. Unfortunately, aside from providing useful trending on device type for application developers and organizations, this data does not provide the full range of information necessary to actually make these devices, well, useful.

Measuring Cloud Storage Performance: Blocks vs. Files

Tue, 14 Feb 2012 10:00:00 EST

What are some good reasons to adopt cloud storage? Cost, durability and flexibility. So let me talk about performance, instead. As part of our daily testing, we do routine performance measurements across a broad swath of cloud storage providers. It gives us a check to ensure that the various CloudArray subsystems are performing as they should, and gives us the data to make optimization decisions. In this particular test, we measure transfer rates at various buffer sizes. We “fill the pipe” by queueing up multiple streams of data simultaneously, initiating one transfer as soon as the previous one finishes, so that latency doesn’t skew the data.

Book Review: Succeeding with Agile

Tue, 14 Feb 2012 09:20:00 EST

I have been implementing and improving development processes for a while now. Either directly when I am brought in as a Software Process Engineer, or indirectly when I am brought in as a Software Architect. I have not been involved with process improvement on all my engagements. The ones I was not involved with already had a decent development process in place, or they already had an initiative underway. I have never personally lead a process improvement initiative to Scrum. I always implement a configurable process repository that allows for everything from OpenUP, to UP, to RUP. I have never had the request for Scrum nor have I tried to sell it as an option. The main reason for that is until recently I have found it to be incomplete when it came to enterprise scale. The Scaled Agile Framework has taken the initiative and filled in the gaps. The book Agile Software Requirements: Lean Requirements Practices for Teams, Programs, and the Enterprise does a great job of covering the Scaled Agile Framework. I have seen Scrum attempted multiple times. Depending on the perspective they all failed and they all succeeded. Watching from the sidelines, our consult team's view was they failed miserably, but according to the internal managers that made the choice to go with Scrum they were a huge success. Depending on who was asking the development team, us or the managers, they had completely different answers.

OAuth Token Management

Mon, 13 Feb 2012 14:00:00 EST

Tokens are at the center of API access control in the Enterprise. Token management, the process through which the lifecycle of these tokens is governed emerges as an important aspect of Enterprise API Management. While some of this information is created during OAuth handshakes, some of it continues to evolve throughout the lifespan of the token. Token management is used during handshakes to capture all relevant information pertaining to granting access to an API and makes this information available to other relevant API management components at runtime.

Trends in Social Media – 2012

Mon, 13 Feb 2012 12:45:00 EST

Struggle and Contradiction in four different dimensions – that is how I can summarize the trend in social media. Till Facebook came in, web was mostly open. Two of the key drivers behind the success of the Web are (1) the ease with which pages can be hyperlinked irrespective of where it is hosted and which site it belongs to and (2) the ease with which you can search a specific page which has been indexed by search engine mainly Google. However, most social media especially Facebook do not allow Google to search and index their pages. Even if you have access to specific pages in Facebook, you will not be able to search and find those pages using Google. You will necessarily have to login to Facebook and do the search. This is not true for sites like Wikipedia. But, is that not a fight between Facebook and Google? Anyway, this is true for most sites which require a login. So, what is the big problem? You may not want to classify this as a problem but you need to acknowledge that this is a big change because people are spending more and more time inside their favorite Social Media which is likely to be Facebook. What you do inside Facebook and what you do outside becomes almost two different worlds with very little linkage.

Passwords Suck: Learn About and Use Multi-Factor Authentication

Mon, 13 Feb 2012 08:09:00 EST

Passwords suck. They are long, hard to remember (even if you have easier-to-remember phrases), more so when new, and are largely a difficulty for users to user properly. Combined with the fact that many users choose easy-to-guess or easy-to-ascertain passwords based off of commonly-known facts about themselves and that they will try all of their passwords when told one isn’t working…the list goes on. Passwords are essential to our daily lives because they provide a facet of authentication security — the ability to confirm that you are who you say you are, because you know something someone else does not. In security circles, this type of password authentication is known as “something you know.” In authentication security experts have long pointed out that just having “something you know” is not good enough.

Getting Ready for Big Data

Mon, 13 Feb 2012 08:00:00 EST

IT departments and data centers are used to seeing demand for resources surge. In recent years, this has been especially evident in the area of data storage. No matter what you want to call it – “data explosion,” or something else – you can’t deny the fact that organizations simply have a greater need for capacity today than ever before. Add in emerging technologies such as real-time predictive intelligent solutions, and you can begin to see how the demand for data is going to continue to explode. Fortunately, technology is moving to keep pace. There is a technology coming down the pipe known as “big data,” and it’s going to change the way that IT and data centers handle all of that excess demand.

Thoughts on the "Apps Economy," "Open Data" and the Value of APIs

Sat, 11 Feb 2012 18:22:00 EST

To quote my friend Stevie Chambers (@stevie_chambers), "I feel like a new room has opened in my memory palace." That was exactly how I felt after finishing my recent The Cloudcast (.net) podcast with Sam Ramji (@sramji) and Christian Reilly (@reillyusa), where we discussed the role of APIs in the economy of mobile devices and "open data". I had heard that Sam was brilliant, but hearing someone articulate both the business and technology value of APIs the way Sam did was a lot like listening to Chris Collinsworth explain line-play during an NFL football broadcast. You think you have some idea how things work and then they show you the "behind the QB angle" and you realize that a new door of complexity has been opened up to you. All I can say is wow!! There is an incredible underground economic environment living behind the mobile devices and apps that have become such a critical aspect of everyone's life.

Cloud Computing and Platform-Based Vulnerabilities

Sat, 11 Feb 2012 05:00:00 EST

What do these two vulnerabilities have in common? Apache Killer. Post of Doom. Right, they’re platform-based vulnerabilities. Meaning they are vulnerabilities peculiar to the web or application server platform upon which applications are deployed. Mitigations for such vulnerabilities generally point to changes in configuration of the platform – limit post size, header value sizes, turn off some value in the associated configuration. But they also have something else in common – risk. And not just risk in general, but risk to cloud providers whose primary value is in offering not just a virtual server but an entire, pre-integrated and pre-configured application deployment stack. Think LAMP, as an example, and providers like Microsoft (Azure) and VMware (CloudFoundry), more commonly adopting the moniker of PaaS. It’s an operational dream to have a virtual server pre-configured and ready to go with the exact application deployment stack needed and offers a great deal of value in terms of efficiency and overall operational investment, but it is – or should be – a security professional’s nightmare. It’s not unlike the recent recall of Chevy Volts – a defect in the platform needs to be mitigated. The only way to do it, for car owners, is to effectively shut down their ability to drive while a patch is applied. It’s disruptive, it’s expensive (you still have to get to work, after all), and it’s frustrating for the consumer. For the provider, it’s bad PR and negatively impacts the brand. Neither of which is appealing.

Who's Managing Your PaaS Apps?

Fri, 10 Feb 2012 09:00:00 EST

PaaS v2.0 should be more open than the current implementations, and cultivate tools communities. But the focus on open development stacks is ignoring the second aspect of PaaS - the management of live applications after they are built. PaaS providers need to allow for communication of SLA and business process requirements by consumers, and cloud management tools can help. We are also seeing the realization of the application-centric approach to cloud management. That takes me to the part that no one is really talking about when it comes to PaaS - the management aspect. Up to this point, we have more often talked about the development side (pre-production). But, PaaS then hosts the application created. How will organizations dictate the SLAs to be in place when the application is live for others to consume (i.e. scale-up, scale-down, etc.)? How will they relay their DR requirements, or moreover how will PaaS providers allow for different RTO/RPO strategies?

Cross-Platform Mobile Visual Development – a Tool Comparison

Thu, 09 Feb 2012 09:30:00 EST

Mobile development tools are changing rapidly. I had started work on comparing cross-platform mobile tools about a month back. I had initially started with a list of 26 tools. A few got added on the way. However, what is most interesting is that in this short period of time one of the tools (Open Plug) was discontinued. It was a Flash based tool. Since Adobe decided to discontinue Flash for mobile in favor of HTML5 – they really had no choice. Another tool (Pyxis Mobile) has been renamed as (Verivo Software).

API Management – Infrastructure vs SaaS

Wed, 08 Feb 2012 13:15:00 EST

The Enterprise is buzzing with API initiatives these days. APIs not only serve mobile applications, they are increasingly redefining how the enterprise does B2B and integration in general. API management as a category follows different models. On one hand, certain technology vendors offer specialized infrastructure to handle the many aspects of API management. On the other, an increasing number of SaaS vendors offer a service which you subscribe to, providing a pre-installed, hosted, basic API management system. Hybrid models are emerging, but that’s a topic for a future post. Before opting for a pure SaaS-based API management solution offering, consider these below.

Three Buzzwords That Every CIO Hears but One They Should Listen To

Wed, 08 Feb 2012 05:00:00 EST

Anyone that's managing an enterprise IT with aging or outdated client/server systems is starting to feel the heat. Soon, their systems and applications will be obsolete and unsupported. At the same time, the industry as whole is seeking the fastest gateway to the latest .NET, HTML5 and mobile deployments including SaaS models. Right about now, there will be a knock on your door with team members offering their advice as to what you should do to ‘keep up' with the latest trends and supported architectures. Here are three of the buzzwords they will have probably used, and what they actually mean.

Getting the Best Out of Amazon EC2 Micro Instances

Tue, 07 Feb 2012 22:25:00 EST

One of the popular instance types supported by Amazon EC2 is the Micro Instance. In November 2010, Amazon announced the free tier and started offering 750 hours of Micro Instance usage free per month for the first one year. Initially this offer was available only to Amazon Linux instances but last month AWS announced that they are extending this to Microsoft Windows Server instances. Looking at the technical specifications, the Micro Instance type doesn’t have the muscle required for heavy lifting. It comes with burst CPU capacity that can go up to 2 Elastic Compute Units (ECU). That means the CPU performance is not predictable. The main memory offered is 613MB! This is just not sufficient for running any serious workloads. Of course, storage can be added through EBS and the free tier covers up to 30GB of storage.

Software Defined Networks (SDNs) - A History Lesson

Tue, 07 Feb 2012 10:15:00 EST

I'm a big fan of history, especially technology history, because it gives us such wonderful guidance about what to expect with each new "technology disruption". Just like the history of mankind, technology tends to follow repeatable trends, actions and mistakes. The latest trend that I've been carefully watching is around Software Defined Networks (SDNs). Today's SDN discussions are primarily focused on how new paradigms will change the architecture of IP networks and how network-level services are delivered and managed. This shift is being led by companies like Big Switch, Nicira, Embrane

Desktop VDI May Be Ready for Prime Time but Is the Network?

Tue, 07 Feb 2012 08:45:00 EST

Considering the innate differences between just the two most popular mobile operating systems – Android and iOS – gives rise to understanding how costly and complex an infrastructure might need to be to support both. It’s not at all unlike the issues with server virtualization. Management and delivery architectures require different solutions depending on the platform, so despite potentially costly investments to scale, organizations are often staying single-vendor with respect to its virtualization platform strategy.

How Fast Does Technology Change?

Tue, 07 Feb 2012 07:30:00 EST

How fast does technology change? What is its impact? It is something like the hour hand of a clock. If you keep staring at it you would feel that it always remains stationary. If you go away and come back after sometime, you will see that it has moved a lot. The same thing is true with technology. “We tend to overestimate the effect of a technology in the short run and underestimate the effect in the long run.” – Roy Amara was a researcher, scientist and past president of the Institute for the Future.

Cross-Platform Mobile Code Generator – a Tool Comparison

Tue, 07 Feb 2012 05:19:00 EST

This is the fourth post for cross-platform mobile development tool comparison. There are two more to come. For convenience of analysis, I had divided the tools into five categories (here is an overview). Mobile Web (JavaScript-CSS library), (here is the detail review) Visual Tool (No access to Code), (here is the detail review) App Generator (Native application for multiple platforms), Hybrid App (Leverages embedded browser control) and Game Builder. The classification is somewhat arbitrary and for some tools it becomes little difficult to classify but here is my logic.

How Quickly Will Software Vendors Move to the Cloud?

Tue, 07 Feb 2012 05:15:00 EST

There’s an excellent discussion going on over on the Cloud Computing Google Group about the pace of migration of traditional software to a SaaS model. Here I recently went into some of the very real reasons why the migration is slower than some would like, but didn’t really talk about the pace of adoption. There are some numbers that make for some interesting analysis. According to PwC, in 2009, the top 100 software vendors (traditional non-SaaS) generated 3.7% of their revenues from SaaS in the US; and 1.1% of their revenues from SaaS in Europe. In the same report, the US has a 44% market share and Europe has 36% market share by revenue (License, Maintenance and Support). According to Gartner, in 2010, the WW installed enterprise software market grossed about $104 Billion. So, roughly, we could say that installed software vendors (US & EU only) brought in nearly $5 Billion in revenues in 2010. So nearly 5% of revenues since the inception of SaaS (not including ASP)?

A 2012 New Year’s Resolution for Developers

Mon, 06 Feb 2012 14:16:02 EST

People often believe that if a developer is capable of creating clean, functional code that they will by default be writing secure code. Unfortunately, this is not always the case. Security vulnerabilities can result from poor code, functional bugs can be security bugs too, but the trickiest security issues result from code that does more than you expect.. The application may test all of its functional tests but in addition it may have additional unintended functionality that can result in a vulnerability. For instance, a web site with a SQL Injection vulnerability could work perfectly well for a normal user and then work a little too well for a malicious user! It's important to think of abuse cases, not just us

Advanced Load Balancing for Developers

Mon, 06 Feb 2012 09:45:00 EST

It has been a while since I wrote an installment of Load Balancing for Developers, and now I think it has been too long, but never fear, this is the grad-daddy of Load Balancing for Developers blogs, covering a useful bit of information about Application Delivery Controllers that you might want to take advantage of. For those who have joined us since my last installment, feel free to check out the entire list of blog entries (along with related blog entries) here, though I assure you that this installment, like most of the others, does not require you to have read those that went before.

ZapNGo! Is still a growing enterprise, now with several dozen complex applications and a high availability architecture that spans datacenters and the cloud. While the organization relies upon its web properties to generate revenue, those properties have been going along fine with your Application Delivery Controller (ADC) architecture.

Now though, you’re seeing a need to centralize administration of a whole lot of functions. What worked fine separately for one or two applications is no longer working so well now that you have several development teams and several dozen applications, and you need to find a way to bring the growing inter-relationships under control before maintenance and hidden dependencies swamp you in a cascading mess of disruption.

With maintenance taking a growing portion of your application development manhours, and a reasonably well positioned test environment configured with a virtual ADC to mimic your production environment, all you need now is a way to cut those maintenance manhours and reduce the amount of repetitive work required to create or update an application. Particularly update an application, because that is a constant problem, where creating is less frequent.

With many of the threats that your ZapNGo application will be known as ZapNGone eliminated, now it is efficiencies you are after. And believe it or not, these too are available in an ADC. Not all ADC’s are created equal, but this discussion will stay on topics that most ADCs can handle, and I’ll mention it when I stray from generic into specific – which I will do in one case because only one vendor supports one of the tools you can use, but all of the others should be supported by whatever ADC vendor you have, though as always, check with your vendor directly first, since I’m not an expert in the inner workings of every one.

There is a lot that many organizations do for themselves, and the array of possibilities is long – from implementing load balancing in source code to security checks in the application, the boundaries of what is expected of developers are shaped by an organization, its history, and its chosen future direction. At ZapNGo, the team has implemented a virtual test environment that as close as possible mirrors production, so that code can be implemented and tested in the way it will be used. They use an ADC for load balancing, so that they don’t have to rewrite the same code over and over, and they have a policy of utilizing a familiar subset of ADC functionality on all applications that face the public.

The company is successful and growing, but as always happens in companies in that situation, the pressures upon them are changing just by virtue of their growth. There are more new people who don’t yet have intimate knowledge of the code base, network topology, security policies, whatever their area of expertise is. There are more lines of code to maintain, while new projects are being brought up at a more rapid pace and with higher priorities (I’ve twice lived through the “Everything is high priority? Well this is highest priority!” syndrome while working in IT. Thankfully, most companies grow out of that fast when it’s pointed out that if everything is priority #1, nothing is). Timelines to complete projects – be they new development, bug fixes, or enhancements are stretching longer and longer as the percentage of gurus in the company is down and the complexity of the code and the architecture it runs on is up.

So what is a development manager to do to increase productivity? Teaming newer developers with people who’ve been around since the beginning is helping, but those seasoned developers are a smaller and smaller percentage of the workforce, while the volume of work has slowly removed them from some of the many products now under management. Adopting coding standards and standardized libraries helps increase experience portability between projects, but doesn’t do enough.

Enter offloading to the ADC. Some things just don’t have to be done in code, and if they don’t have to be, at this stage in the company’s growth, IT management at ZapNGo (that’s you!) decides they won’t be. There just isn’t time for non-essential development anymore.

Utilizing a policy management tool and/or an Application Firewall on the ADC can improve security without increasing the code base, for example. And that shaves hours off of maintenance projects, while standardizing on one or a few implementations that are simply selected on the ADC. Implementing Web Application Acceleration protocols on the ADC means that less in-code optimization has to occur. Performance is no longer purely the role of developers (but of course it is still a concern. No Web Application Acceleration tool can make a loop that runs for five minutes run faster), they can allow the Web Application Acceleration tool to shrink the amount of data being sent to the users’ browser for you. Utilizing a WAN Optimization ADC tool to improve the performance of bulk copies or backups to a remote datacenter or cloud storage… The list goes on and on.

The key is that the ADC enables a lot of opportunities for App Dev to be more responsive to the needs of the organization by moving repetitive tasks to the ADC and standardizing them. And a heaping bonus is that it also does that for operations with a different subset of functionality, meaning one toolset gives both App Dev and Operations a bit more time out of their day for servicing important organizational needs. Some would say this is all part of DevOps, some would say it is not. I leave those discussions to others, all I care is that it can make your apps more secure, fast, and available, while cutting down on workload.

And if your ADC supports an SSL VPN, your developers can work from home when necessary. Or more likely, if your code is your IP, a subset of your developers can. Making ZapNGo more responsive, easier to maintain, and more adaptable to the changes coming next week/month/year. That’s what ADCs do. And they’re pretty darned good at it.

That brings us to the one bit that I have to caveat with F5 only, and that is iApps. An iApp is a constructed configuration tool that asks a few questions and then deploys all the bits necessary to set up an ADC for a particular application. Why do I mention it here? Well if you have dozens of applications with similar characteristics, you can create an iApp Template and use it to rapidly bring new applications or new instances of applications online. And since it is abstracted, these iApp templates can be designed such that AppDev, or even the business owner, is able to operate them Meaning less time worrying about what network resources will be available, how they’re configured, and waiting for operations to have time to implement them (in an advanced ADC that is being utilized to its maximum in a complex application environment, this can be hundreds of networking objects to configure – all encapsulated into a form). Less time on the project timeline, more time for the next project. Or for the post deployment party. One of the two. That’s it for the F5 only bit.

And knowing that all of these items are standardized means less things to get mis-configured, more surety that it will all work right the first time. As with all of these articles, that offers you the most important benefit… A good night’s sleep.

Technorati Tags: Application Delivery Controllers,VPN,Security,Applicaiton Development,Acceleration,WAN Optimization,Encryption,F5 Networks,Load Balancing For Developers,Don MacVittie,blog

Connect with Don:	Connect with F5:

Has Cloud Finally "Crossed the Chasm" in IT?

Mon, 06 Feb 2012 06:15:00 EST

Every year, our friends at ESG post results of their annual Spending Intentions Survey, indicating where many businesses are likely to spend their IT dollars over the coming year. Recently Steve Duplessie posted an article on his blog entitled Cloud – The Cost Containment Strategy that concludes cloud has finally “crossed the chasm” in IT. According to preliminary data, cloud represents the largest % projected spending increase for 2012 IT initiatives– a very exciting turn. Truth is, cloud storage addresses long-standing IT priorities, with three of these priorities topping the list nearly every year.

When Was Your Last Enterprise Architecture Maturity Assessment?

Fri, 03 Feb 2012 16:00:00 EST

Every company should plan regular architecture capability maturity assessments using a model. These should provide a framework that represents the key components of a productive enterprise architecture process. A model provides an evolutionary way to improve the overall process that starts out in an ad hoc state, transforms into an immature process, and then finally becomes a well-defined, disciplined, managed and mature process. The goal is to enhance the overall odds for success of the enterprise architecture by identifying weak areas and providing a defined path towards improvement. As the architecture matures, it should increase the benefits it offers the organization. Architecture maturity assessments help to determine how companies can maximise competitive advantage, identify ways of cutting costs, improve quality of services and reduce time to market. These assessments are undertaken as part of the Enterprise Architecture management.

Cloud Needs Application Architects to Understand IaaS

Fri, 03 Feb 2012 11:30:00 EST

Application development has been moving in the direction of platform abstraction. That is, the need for developers to have detailed knowledge of the infrastructure that the application was being deployed on was becoming less important with increasing sophistication of the application platform for which they were developing. Cloud computing is now reversing this course of action, at least in the short term. Actually, the platform abstraction is a bit of a misnomer since the implementation resulted in operations struggling to tweak the infrastructure to meet performance requirements. Additionally, most applications typically had their own dedicated hardware allowing for specialization to meet the needs of the applications deployed on that hardware.

IT and Storage Economics 101, Supply and Demand

Fri, 03 Feb 2012 09:30:00 EST

In my 2012 (and 2013) industry trends and perspectives predictions I mentioned that some storage systems vendors who managed their costs could benefit from the current Hard Disk Drive (HDD) shortage. Most in the industry would say that is saying what they have said, however I have an alternate scenario. My scenario is that for vendors who already manage good (or great) margins on their HDD sales and who can manage their costs including inventories stand to make even more margin. There is a popular myth that there is no money or margin in HDD or for those who sell them which might be true for some. Without going into any details, lets just say it is a popular myth just like saying that there is no money in hardware or that all software and people services are pure profit. Ok, lets leave sleeping dogs lay where rest (at least for now).

BPM on Demand – Fantasy or Fast Track to Agility?

Thu, 02 Feb 2012 14:00:00 EST

The automation of processes is a key enabler of the Cloud phenomena – without process the Cloud remains a passive environment that undoubtedly saves you money and removes some of the operational headaches, but does little else. The Cloud without process cannot deliver on the promise of Business Technology or the Service-Oriented Enterprise. All of the thoughts and ideas around assembling applications quickly to support a business imperative simply will not happen without process technology. However we need to be very clear – process management in the cloud is not just about BPM Suites on demand. Indeed, the term BPM on Demand is beginning to take on a new meaning when used in conjunction with cloud computing.

Performance in the Cloud: Business Jitter Is Bad

Thu, 02 Feb 2012 10:30:00 EST

One of the benefits of web applications is that they are generally transported via TCP, which is a connection-oriented protocol designed to assure delivery. TCP has a variety of native mechanisms through which delivery issues can be addressed – from window sizes to selective acks to idle time specification to ramp up parameters. All these technical knobs and buttons serve as a way for operators and administrators to tweak the protocol, often at run time, to ensure the exchange of requests and responses upon which web applications rely. This is unlike UDP, which is more of a “fire and forget” protocol in which the server doesn’t really care if you receive the data or not.

Like Cars on a Highway

Thu, 02 Feb 2012 10:00:00 EST

Every once in a while, as the number of people following me grows (thank you, each and every one), I like to revisit something that is fundamental to the high-tech industry but is often overlooked or not given the attention it deserves. This is one of those times, and the many-faceted nature of any application infrastructure is the topic. While much has changed since I last touched on this topic, much has not, leaving us in an odd inflection point. When referring to movies that involve a lot of CGI, my oldest son called it “the valley of expectations”, that point where you know what you’d like to see and you’re so very close to it, but the current offerings fall flat. He specifically said that the Final Fantasy movie was just such a production. The movie came so close to realism that it was disappointing because you could still tell the characters were all animations. I thought it was insightful, but still enjoyed the movie.

The Cloud API Is Pseudo-Consolidation of Infrastructure

Thu, 02 Feb 2012 09:00:00 EST

In most cases, the use of the term “consolidation” implies the aggregation (and subsequently elimination) of like devices. Application delivery consolidation, for example, is used to describe a process of scaling up infrastructure that often occurs during upgrade cycles. Many little boxes are exchanged for a few larger ones as a means to simplify the architecture and reduce the overall costs (hard and soft) associated with delivering applications. Consolidation. But cloud has opened (or should have opened) our eyes to a type of consolidation in which like services are aggregated; a consolidation strategy in which we layer a thin veneer over a set of adjacent functionalities in order to provide a scalable and ultimately operationally consistent experience: an API. A cloud API consolidates infrastructure from an operational perspective. It is the bringing together of adjacent functionalities into a single “entity.” Through a single API, many infrastructure functions and services can be controlled – provisioning, monitoring, security, and load balancing (one part of application delivery) are all available through the same API. Certainly the organization of an API’s documentation segments services into similar containers of functionality, but if you’ve looked at a cloud API you’ll note that it’s all the same API; only the organization of the documentation makes it appear otherwise.

Trends in Cloud Computing Adoption – 2012

Thu, 02 Feb 2012 06:00:00 EST

What can we expect from cloud computing in 2012? Where will cloud computing be one year from now? If you look back at the important cloud computing events you will find that nothing of much significance had happened in 2010. The same can be said for the 2011 and I suspect that 2012 will not be any different. But, one thing has changed during the 2011. Neither cost saving nor flexibility is the primary driver for cloud adoption There is clear indication that mobility has become the prime reason for cloud adoption.

DevOps PaaS – Platform for Web Evolution

Thu, 02 Feb 2012 05:30:00 EST

The distinction between IaaS and PaaS, and why and how customers will use these services, is very effectively explained through the Elections Canada RFP from last year. I summarized their plans and requirements in a white paper, called ‘Web Business Evolution‘ because this was the term they themselves used to quantify the nature of the transformation they wanted to achieve, and I thought it was exactly right too. The real needs of customers, to a very detailed level of specification, is documented in these RFPs and so they’re extremely illuminating to identify the market demand patterns.

Remote Data Center Management

Tue, 31 Jan 2012 16:15:00 EST

It’s just been an accepted fact of the life of an IT professional (and of a data center manager in particular) that sometimes you have to go into the data center to fix things. A single phone call at 3 a.m. means you’re tooling down the road half-awake, hoping to find an open coffee shop on the way to the data center so you can approach the problem with at least some semblance of logic and attention. Remote tools have been somewhat lackluster, and only able to handle certain types of problems. While you can probably connect remotely to restart a given virtual machine or a server, there are countless data center components you can’t access from home.

The Strategic Potential of Collaboration Software

Tue, 31 Jan 2012 05:00:00 EST

Those who follow the HyperOffice blog know that in our last series of posts, we have been focusing on the business problem of collaboration, beyond a narrow technology focus. “Collaboration” in its broad sense, is what every organization is ultimately involved in – people working together to achieve organizational goals. In our last post, the “three pillars of collaboration” we had emphasized that to be truly collaborative, organizations need to get three ducks in a row – policies/processes, technology and culture – rather than depending solely on technology. But that is not to say that technology is completely subordinate to the other two “pillars of collaboration”. Quite often, technology creates previously unthinkable possibilities. To illustrate, before collaborative mobile and internet technologies – there was simply no way to keep field workers on the company’s information grid. But now employees can be kept on the grid wherever they are, which creates fantastic new opportunities in terms of how organizations can operate and structure themselves. This is an example of technology profoundly impacting the organizational bottom line.

Blitzkrieg and VDI Edge Protection

Mon, 30 Jan 2012 13:00:00 EST

By now, everyone even vaguely familiar with information security knows the military maxim of blitzkrieg – burst through the hardened defense at a single point and then rush pell-mell to the rear where the soft underbelly of any static army lies. It is a good military strategy, provided you have the resources to break through the defenses and follow up with a rapid advance into the rear areas. While there are variants of this plan, and a lot of discussion about how/when it is strategically worth the risk, historically speaking it has been a smashing success. Germany did it to France and the Low Countries in 1940, to Russia in 1941, Russia returned the favor in 1943, and the western allies joined used it successfully at Normandy in late 1944. Sherman’s March to the Sea in the American Civil War was just such a ploy (though Sherman was more willing to hit civilian targets than a 20th century general would have been, it was still a rush to the soft rear), and the first Gulf War had the coalition forces doing much the same. These are just the large-scale instances of this theory in operation, but you have to admit it works. The risk is high though, as the Germans found out at Prokhorovka, and that alone makes generals cautious that they have the resources and intelligence reports to burst through in the first place.