Click here to close now.

Welcome!

Microservices Expo Authors: Pat Romanski, Jason Bloomberg, Carmen Gonzalez, Plutora Blog, Liz McMillan

Related Topics: @CloudExpo, Microservices Expo, IBM Cloud

@CloudExpo: Article

Cloud Governance: Something Old, Something New, Something Borrowed…

How do you apply SOA Governance best practices to Cloud Governance?

As we predicted earlier in the year, Cloud computing is starting to take hold, especially if you believe the marketing literature of vendors and consulting firms. Yet, we are seeing an increasing number of Cloud success stories, ranging from simplistic consumption of utility Services and offloading of compute resources to the sort of application and process clouds we discussed in a previous ZapFlash. Perhaps the reason why usage of the Cloud is still nascent in the enterprise is because of an increasing chorus of concerns being voiced about the usage of Cloud resources:

Cloud availability. Cloud security. Erosion of data integrity. Data replication and consistency issues. Potential loss of privacy. Lack of auditing and logging visibility. Potential for regulatory violations. Application sprawl & dependencies. Inappropriate usage of Services. Difficulty in managing intra-Cloud, inter-Cloud, and Cloud and non-Cloud interactions and resources. And that’s just the short list.

Do any of these issues sound familiar? To address these concerns, we have to return to a topic we’ve hashed over and again on the SOA side of things: governance. The above issues are primarily, if not exclusively, governance concerns. Thankfully, in many ways, we can apply what we’ve already learned, implemented, and invested in SOA Governance directly to issues of Cloud Governance. However, SOA and Cloud, while complementary, are not equivalent concepts. There are a wide range of patterns and usage considerations that are either new to the SOA Governance picture or ones that we were able to gloss over. To make Cloud computing a success, we need to make Cloud governance a success. So, what can we apply from our existing SOA governance knowledge, and what new things do companies need to consider?

Design-Time Cloud Governance
Designing Services to be deployed in the Cloud is much like designing Services for your own SOA infrastructure. In fact, that’s the point – most Cloud infrastructure providers, whether they are third-party Cloud providers like Amazon.com, or self-hosting Cloud infrastructure vendors, pitch the simplicity of Cloud Service development and deployment. However, within this simple mode lurks an insidious beast: if you thought it was hard to get your developers on the same page with regards to Service development when you owned your own SOA infrastructure and registry, try it when you have little visibility into the Service assets built by unknown developers. Like the early days of Web Services-centric SOA development, companies faced developers hacking out a wide array of incompatible “Just a Bunch of Web Services (JBOWS)” style Services thrown willy-nilly on the network, now to face the same issue in the Cloud. Of course, JBOWS doesn’t a SOA make, and neither does it a Cloud make.

Furthermore, with the simplicity of Cloud Service development, deployment, and consumption, developers can use Cloud capabilities undetected by IT management. It’s not unusual for a developer to dabble with an Amazon Machine Image (AMI) image for a project. Simply use a personal Amazon account and credit card and off you go! And to make matters worse, not everyone creating or consuming Cloud Services will even be from within the IT department. In a previous ZapFlash, I admonished IT to become more responsive to the business lest they become disintermediated. Don’t want your sales and marketing folks using Cloud services? Good luck trying to prevent that. I wish you even more luck trying to get visibility into what they are doing. Without adequate design-time Cloud governance, you’re up a croc-infested river without a paddle.

Making matters worse, SOA governance tools are often missing in the Cloud Computing environment. There’s no central point for a Cloud consumer / developer to view the Services and associated policies. Furthermore, design-time policies are easily enforceable when you have control over the development and QA process, but those are notoriously lacking in the Cloud environment. The result is that design-time policies are not consistently enforced on client side, if at all. Clearly, SOA governance vendors and best practices need to step up to the plate here and apply what we already know about SOA registries/repositories and governance processes to give the control that’s needed to avoid chaos and failure. This means that IT needs to provide the enterprise a unified, Service-centric view of IT environment across the corporate data center and the Cloud.

Run-Time Cloud Governance
Making matters worse are a collection of run-time and policy issues that are complicated by the fog of Cloud computing infrastructure. Data reside on systems you don’t control, which may be in other countries or legal jurisdictions. Furthermore, systems are unlikely to have the same security standards as you have internally. This means that your security policies need to be that much more granular. You can’t count on using perimeter-based approaches to secure your data or Service access. Every message needs to be scrutinized and you need to separate Service and data policy definition from enforcement. The Cloud doesn’t simplify security issues – it complicates and exacerbates them. However, there’s nothing new here. Solid SOA security approaches, such as those we espouse in our LZA Boot Camps have always pushed the “trust no one” approach, and the Cloud is simply another infrastructure for enforcing these already stringent security policies.

In addition, Cloud reliability is pretty much out of your hands. What happens if the Cloud Service is not available? What happens if the whole Cloud is unavailable? Now you don’t only need to think about Service failure, but whole Cloud failover. Will you have an internal SOA infrastructure ready to handle requests if the Cloud is unavailable? If you do, doesn’t that entirely kill the economic benefit of Cloud in the first place? An effective Cloud governance approach must provide the means to control, monitor, and adapt Services, both with on-premises and Cloud-based implementations, and needs to provide consistency across internal SOA & cloud SOA. You should not keep your business (or IT) Service consumers guessing as to whether a Service they are consuming is inside the network or in the Cloud. The whole point of loose coupling and the Cloud is location independence. To make this concept a reality, you need management and governance that spans SOA infrastructure boundaries.

Yet, there’s more to the runtime Cloud governance picture than management and policy enforcement. Data and compliance issues can be the most perplexing. Most third-party Cloud providers provide little, if any, means to do the sort of auditing and logging that’s demanded from most compliance and regulatory requirements, let alone your internal auditing needs. Companies need to intentionally compose all Cloud Services with internal auditing and logging Services deployed on the Cloud (or preferably) local network, negotiate better access to logging data from the Cloud provider, and implement policies for Cloud Service use to control leakage of private information to the Cloud. Furthermore, companies need to implement usage policies to control the excessive, and potentially expensive, use of Cloud Services in unauthorized ways.

One way to solve this problem is through the use of network intermediaries and gateways that keep a close eye on traffic between the corporate network and the Cloud. Intermediaries can scan cloud-bound data for leakage of private or company-sensitive data, filter traffic sent up to cloud platforms, apply access policies to Cloud Services, provide visibility into authorized and unauthorized usage of Cloud Services, and prevent unsanctioned use of Cloud Services by internal staff, among other benefits. Of course, these benefits do not extend to intra-Cloud Service consumption, but can provide a lowest common denominator of runtime governance required by the organization.

Change Management and Cloud Governance
Finally, the last major Cloud governance issue is one of change management. How do you prevent versioning of Cloud Services or even Cloud infrastructure from having significant repercussions? Proper Cloud governance techniques need to lift a page from the SOA governance book and deal with versioning at all levels: Service implementation, contract, process, infrastructure, policy, data, and schema. If you can deal with these inside the network and in the Cloud, you’re golden. If you have any gaps, you’re just itching for trouble.

But the biggest bugaboo here is testing. There simply aren’t many good approaches for testing a Cloud-implemented Service other than to do it in the live, Cloud “production” environment. Indeed, we usually get rotten tomatoes thrown at us when we teach in our LZA boot camps that it is increasingly ineffective to test SOA implementations in a QA environment as the SOA implementation becomes more mature, but now we just get blank stares when we ask if there’s such thing as a Cloud “QA” environment. Of course not. The same approach applies to SOA testing as Cloud testing: test your Services in a live environment by making sure that failures are self-contained and that automated fall-back mechanisms exist. If it can work in your own SOA environment, it can work in the Cloud… and vice-versa.

The ZapThink Take
SOA is an architectural approach and philosophy guiding the development and management of applications. Cloud is a deployment and operational model suited to host certain types of Services within an existing SOA initiative. The Cloud concept within the SOA context is one of Service infrastructure, implementation, composition, and consumption. The SOA concept within the Cloud context is one of application-level abstraction of Cloud resources. Therefore, think of Cloud Governance as evolved SOA governance.

Companies with a proper SOA governance hat on should have few problems as they move to increasingly utilize Cloud services, but those who have failed to take either an architectural perspective on Cloud or have glossed over SOA governance issues will be forced to quickly get a SOA perspective to get things right. In order for these both to work together, companies need to have a consistent SOA and Cloud Governance strategy. To address these issues, ZapThink recently launched our SOA and Cloud Governance training & certification workshops. By addressing each of the issues and potential solutions discussed above, we plan to dive deeper than anyone else has into this topic. We hope to see you there and continue the conversation and movement to SOA and Cloud success!

More Stories By Jason Bloomberg

Jason Bloomberg is the leading expert on architecting agility for the enterprise. As president of Intellyx, Mr. Bloomberg brings his years of thought leadership in the areas of Cloud Computing, Enterprise Architecture, and Service-Oriented Architecture to a global clientele of business executives, architects, software vendors, and Cloud service providers looking to achieve technology-enabled business agility across their organizations and for their customers. His latest book, The Agile Architecture Revolution (John Wiley & Sons, 2013), sets the stage for Mr. Bloomberg’s groundbreaking Agile Architecture vision.

Mr. Bloomberg is perhaps best known for his twelve years at ZapThink, where he created and delivered the Licensed ZapThink Architect (LZA) SOA course and associated credential, certifying over 1,700 professionals worldwide. He is one of the original Managing Partners of ZapThink LLC, the leading SOA advisory and analysis firm, which was acquired by Dovel Technologies in 2011. He now runs the successor to the LZA program, the Bloomberg Agile Architecture Course, around the world.

Mr. Bloomberg is a frequent conference speaker and prolific writer. He has published over 500 articles, spoken at over 300 conferences, Webinars, and other events, and has been quoted in the press over 1,400 times as the leading expert on agile approaches to architecture in the enterprise.

Mr. Bloomberg’s previous book, Service Orient or Be Doomed! How Service Orientation Will Change Your Business (John Wiley & Sons, 2006, coauthored with Ron Schmelzer), is recognized as the leading business book on Service Orientation. He also co-authored the books XML and Web Services Unleashed (SAMS Publishing, 2002), and Web Page Scripting Techniques (Hayden Books, 1996).

Prior to ZapThink, Mr. Bloomberg built a diverse background in eBusiness technology management and industry analysis, including serving as a senior analyst in IDC’s eBusiness Advisory group, as well as holding eBusiness management positions at USWeb/CKS (later marchFIRST) and WaveBend Solutions (now Hitachi Consulting).

@MicroservicesExpo Stories
SYS-CON Events announced today that Alert Logic, the leading provider of Security-as-a-Service solutions for the cloud, has been named “Bronze Sponsor” of SYS-CON's 17th International Cloud Expo® and DevOps Summit 2015 Silicon Valley, which will take place November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Alert Logic provides Security-as-a-Service for on-premises, cloud, and hybrid IT infrastructures, delivering deep security insight and continuous protection for cust...
The causality question behind Conway’s Law is less about how changing software organizations can lead to better software, but rather how companies can best leverage changing technology in order to transform their organizations. Hints at how to answer this question surprisingly come from the world of devops – surprising because the focus of devops is ostensibly on building and deploying better software more quickly. Be that as it may, there’s no question that technology change is a primary fac...
The 4th International Internet of @ThingsExpo, co-located with the 17th International Cloud Expo - to be held November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA - announces that its Call for Papers is open. The Internet of Things (IoT) is the biggest idea since the creation of the Worldwide Web more than
Agile, which started in the development organization, has gradually expanded into other areas downstream - namely IT and Operations. Teams – then teams of teams – have streamlined processes, improved feedback loops and driven a much faster pace into IT departments which have had profound effects on the entire organization. In his session at DevOps Summit, Anders Wallgren, Chief Technology Officer of Electric Cloud, will discuss how DevOps and Continuous Delivery have emerged to help connect dev...
This week we're attending SYS-CON Event's DevOps Summit in New York City. It's a great conference and energy behind DevOps is enormous. Thousands of attendees from every company you can imagine are focused on automation, the challenges of DevOps, and how to bring greater agility to software delivery. But, even with the energy behind DevOps there's something missing from the movement. For all the talk of deployment automation, continuous integration, and cloud infrastructure I'm still not se...
The 17th International Cloud Expo has announced that its Call for Papers is open. 17th International Cloud Expo, to be held November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, brings together Cloud Computing, APM, APIs, Microservices, Security, Big Data, Internet of Things, DevOps and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding bu...
SYS-CON Events announced today that Harbinger Systems will exhibit at SYS-CON's 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Harbinger Systems is a global company providing software technology services. Since 1990, Harbinger has developed a strong customer base worldwide. Its customers include software product companies ranging from hi-tech start-ups in Silicon Valley to leading product companies in the US a...
Explosive growth in connected devices. Enormous amounts of data for collection and analysis. Critical use of data for split-second decision making and actionable information. All three are factors in making the Internet of Things a reality. Yet, any one factor would have an IT organization pondering its infrastructure strategy. How should your organization enhance its IT framework to enable an Internet of Things implementation? In his session at @ThingsExpo, James Kirkland, Red Hat's Chief Arch...
The 5th International DevOps Summit, co-located with 17th International Cloud Expo – being held November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA – announces that its Call for Papers is open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the ...
DevOps Summit, taking place Nov 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 17th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to wait for long development...
SYS-CON Events announced today that ProfitBricks, the provider of painless cloud infrastructure, will exhibit at SYS-CON's 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. ProfitBricks is the IaaS provider that offers a painless cloud experience for all IT users, with no learning curve. ProfitBricks boasts flexible cloud servers and networking, an integrated Data Center Designer tool for visual control over the...
The cloud has transformed how we think about software quality. Instead of preventing failures, we must focus on automatic recovery from failure. In other words, resilience trumps traditional quality measures. Continuous delivery models further squeeze traditional notions of quality. Remember the venerable project management Iron Triangle? Among time, scope, and cost, you can only fix two or quality will suffer. Only in today's DevOps world, continuous testing, integration, and deployment upend...
SYS-CON Events announced today that JFrog, maker of Artifactory, the popular Binary Repository Manager, will exhibit at SYS-CON's @DevOpsSummit Silicon Valley, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Based in California, Israel and France, founded by longtime field-experts, JFrog, creator of Artifactory and Bintray, has provided the market with the first Binary Repository solution and a software distribution social platform.
17th Cloud Expo, taking place Nov 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy. Meanwhile, 94% of enterprises ar...
DevOps tends to focus on the relationship between Dev and Ops, putting an emphasis on the ops and application infrastructure. But that’s changing with microservices architectures. In her session at DevOps Summit, Lori MacVittie, Evangelist for F5 Networks, will focus on how microservices are changing the underlying architectures needed to scale, secure and deliver applications based on highly distributed (micro) services and why that means an expansion into “the network” for DevOps.
"We got started as search consultants. On the services side of the business we have help organizations save time and save money when they hit issues that everyone more or less hits when their data grows," noted Otis Gospodnetić, Founder of Sematext, in this SYS-CON.tv interview at @DevOpsSummit, held June 9-11, 2015, at the Javits Center in New York City.
SYS-CON Events announced today that Dyn, the worldwide leader in Internet Performance, will exhibit at SYS-CON's 17th International Cloud Expo®, which will take place on November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Dyn is a cloud-based Internet Performance company. Dyn helps companies monitor, control, and optimize online infrastructure for an exceptional end-user experience. Through a world-class network and unrivaled, objective intelligence into Internet condit...
In his session at 16th Cloud Expo, Simone Brunozzi, VP and Chief Technologist of Cloud Services at VMware, reviewed the changes that the cloud computing industry has gone through over the last five years and shared insights into what the next five will bring. He also chronicled the challenges enterprise companies are facing as they move to the public cloud. He delved into the "Hybrid Cloud" space and explained why every CIO should consider ‘hybrid cloud' as part of their future strategy to achie...
Containers are revolutionizing the way we deploy and maintain our infrastructures, but monitoring and troubleshooting in a containerized environment can still be painful and impractical. Understanding even basic resource usage is difficult – let alone tracking network connections or malicious activity. In his session at DevOps Summit, Gianluca Borello, Sr. Software Engineer at Sysdig, will cover the current state of the art for container monitoring and visibility, including pros / cons and liv...
Containers are changing the security landscape for software development and deployment. As with any security solutions, security approaches that work for developers, operations personnel and security professionals is a requirement. In his session at DevOps Summit, Kevin Gilpin, CTO and Co-Founder of Conjur, will discuss various security considerations for container-based infrastructure and related DevOps workflows.