Click here to close now.




















Welcome!

Microservices Expo Authors: Liz McMillan, Elizabeth White, SmartBear Blog, Pat Romanski, Ruxit Blog

Related Topics: @CloudExpo, Microservices Expo, IBM Cloud

@CloudExpo: Article

Cloud Governance: Something Old, Something New, Something Borrowed…

How do you apply SOA Governance best practices to Cloud Governance?

As we predicted earlier in the year, Cloud computing is starting to take hold, especially if you believe the marketing literature of vendors and consulting firms. Yet, we are seeing an increasing number of Cloud success stories, ranging from simplistic consumption of utility Services and offloading of compute resources to the sort of application and process clouds we discussed in a previous ZapFlash. Perhaps the reason why usage of the Cloud is still nascent in the enterprise is because of an increasing chorus of concerns being voiced about the usage of Cloud resources:

Cloud availability. Cloud security. Erosion of data integrity. Data replication and consistency issues. Potential loss of privacy. Lack of auditing and logging visibility. Potential for regulatory violations. Application sprawl & dependencies. Inappropriate usage of Services. Difficulty in managing intra-Cloud, inter-Cloud, and Cloud and non-Cloud interactions and resources. And that’s just the short list.

Do any of these issues sound familiar? To address these concerns, we have to return to a topic we’ve hashed over and again on the SOA side of things: governance. The above issues are primarily, if not exclusively, governance concerns. Thankfully, in many ways, we can apply what we’ve already learned, implemented, and invested in SOA Governance directly to issues of Cloud Governance. However, SOA and Cloud, while complementary, are not equivalent concepts. There are a wide range of patterns and usage considerations that are either new to the SOA Governance picture or ones that we were able to gloss over. To make Cloud computing a success, we need to make Cloud governance a success. So, what can we apply from our existing SOA governance knowledge, and what new things do companies need to consider?

Design-Time Cloud Governance
Designing Services to be deployed in the Cloud is much like designing Services for your own SOA infrastructure. In fact, that’s the point – most Cloud infrastructure providers, whether they are third-party Cloud providers like Amazon.com, or self-hosting Cloud infrastructure vendors, pitch the simplicity of Cloud Service development and deployment. However, within this simple mode lurks an insidious beast: if you thought it was hard to get your developers on the same page with regards to Service development when you owned your own SOA infrastructure and registry, try it when you have little visibility into the Service assets built by unknown developers. Like the early days of Web Services-centric SOA development, companies faced developers hacking out a wide array of incompatible “Just a Bunch of Web Services (JBOWS)” style Services thrown willy-nilly on the network, now to face the same issue in the Cloud. Of course, JBOWS doesn’t a SOA make, and neither does it a Cloud make.

Furthermore, with the simplicity of Cloud Service development, deployment, and consumption, developers can use Cloud capabilities undetected by IT management. It’s not unusual for a developer to dabble with an Amazon Machine Image (AMI) image for a project. Simply use a personal Amazon account and credit card and off you go! And to make matters worse, not everyone creating or consuming Cloud Services will even be from within the IT department. In a previous ZapFlash, I admonished IT to become more responsive to the business lest they become disintermediated. Don’t want your sales and marketing folks using Cloud services? Good luck trying to prevent that. I wish you even more luck trying to get visibility into what they are doing. Without adequate design-time Cloud governance, you’re up a croc-infested river without a paddle.

Making matters worse, SOA governance tools are often missing in the Cloud Computing environment. There’s no central point for a Cloud consumer / developer to view the Services and associated policies. Furthermore, design-time policies are easily enforceable when you have control over the development and QA process, but those are notoriously lacking in the Cloud environment. The result is that design-time policies are not consistently enforced on client side, if at all. Clearly, SOA governance vendors and best practices need to step up to the plate here and apply what we already know about SOA registries/repositories and governance processes to give the control that’s needed to avoid chaos and failure. This means that IT needs to provide the enterprise a unified, Service-centric view of IT environment across the corporate data center and the Cloud.

Run-Time Cloud Governance
Making matters worse are a collection of run-time and policy issues that are complicated by the fog of Cloud computing infrastructure. Data reside on systems you don’t control, which may be in other countries or legal jurisdictions. Furthermore, systems are unlikely to have the same security standards as you have internally. This means that your security policies need to be that much more granular. You can’t count on using perimeter-based approaches to secure your data or Service access. Every message needs to be scrutinized and you need to separate Service and data policy definition from enforcement. The Cloud doesn’t simplify security issues – it complicates and exacerbates them. However, there’s nothing new here. Solid SOA security approaches, such as those we espouse in our LZA Boot Camps have always pushed the “trust no one” approach, and the Cloud is simply another infrastructure for enforcing these already stringent security policies.

In addition, Cloud reliability is pretty much out of your hands. What happens if the Cloud Service is not available? What happens if the whole Cloud is unavailable? Now you don’t only need to think about Service failure, but whole Cloud failover. Will you have an internal SOA infrastructure ready to handle requests if the Cloud is unavailable? If you do, doesn’t that entirely kill the economic benefit of Cloud in the first place? An effective Cloud governance approach must provide the means to control, monitor, and adapt Services, both with on-premises and Cloud-based implementations, and needs to provide consistency across internal SOA & cloud SOA. You should not keep your business (or IT) Service consumers guessing as to whether a Service they are consuming is inside the network or in the Cloud. The whole point of loose coupling and the Cloud is location independence. To make this concept a reality, you need management and governance that spans SOA infrastructure boundaries.

Yet, there’s more to the runtime Cloud governance picture than management and policy enforcement. Data and compliance issues can be the most perplexing. Most third-party Cloud providers provide little, if any, means to do the sort of auditing and logging that’s demanded from most compliance and regulatory requirements, let alone your internal auditing needs. Companies need to intentionally compose all Cloud Services with internal auditing and logging Services deployed on the Cloud (or preferably) local network, negotiate better access to logging data from the Cloud provider, and implement policies for Cloud Service use to control leakage of private information to the Cloud. Furthermore, companies need to implement usage policies to control the excessive, and potentially expensive, use of Cloud Services in unauthorized ways.

One way to solve this problem is through the use of network intermediaries and gateways that keep a close eye on traffic between the corporate network and the Cloud. Intermediaries can scan cloud-bound data for leakage of private or company-sensitive data, filter traffic sent up to cloud platforms, apply access policies to Cloud Services, provide visibility into authorized and unauthorized usage of Cloud Services, and prevent unsanctioned use of Cloud Services by internal staff, among other benefits. Of course, these benefits do not extend to intra-Cloud Service consumption, but can provide a lowest common denominator of runtime governance required by the organization.

Change Management and Cloud Governance
Finally, the last major Cloud governance issue is one of change management. How do you prevent versioning of Cloud Services or even Cloud infrastructure from having significant repercussions? Proper Cloud governance techniques need to lift a page from the SOA governance book and deal with versioning at all levels: Service implementation, contract, process, infrastructure, policy, data, and schema. If you can deal with these inside the network and in the Cloud, you’re golden. If you have any gaps, you’re just itching for trouble.

But the biggest bugaboo here is testing. There simply aren’t many good approaches for testing a Cloud-implemented Service other than to do it in the live, Cloud “production” environment. Indeed, we usually get rotten tomatoes thrown at us when we teach in our LZA boot camps that it is increasingly ineffective to test SOA implementations in a QA environment as the SOA implementation becomes more mature, but now we just get blank stares when we ask if there’s such thing as a Cloud “QA” environment. Of course not. The same approach applies to SOA testing as Cloud testing: test your Services in a live environment by making sure that failures are self-contained and that automated fall-back mechanisms exist. If it can work in your own SOA environment, it can work in the Cloud… and vice-versa.

The ZapThink Take
SOA is an architectural approach and philosophy guiding the development and management of applications. Cloud is a deployment and operational model suited to host certain types of Services within an existing SOA initiative. The Cloud concept within the SOA context is one of Service infrastructure, implementation, composition, and consumption. The SOA concept within the Cloud context is one of application-level abstraction of Cloud resources. Therefore, think of Cloud Governance as evolved SOA governance.

Companies with a proper SOA governance hat on should have few problems as they move to increasingly utilize Cloud services, but those who have failed to take either an architectural perspective on Cloud or have glossed over SOA governance issues will be forced to quickly get a SOA perspective to get things right. In order for these both to work together, companies need to have a consistent SOA and Cloud Governance strategy. To address these issues, ZapThink recently launched our SOA and Cloud Governance training & certification workshops. By addressing each of the issues and potential solutions discussed above, we plan to dive deeper than anyone else has into this topic. We hope to see you there and continue the conversation and movement to SOA and Cloud success!

More Stories By Jason Bloomberg

Jason Bloomberg is the leading expert on architecting agility for the enterprise. As president of Intellyx, Mr. Bloomberg brings his years of thought leadership in the areas of Cloud Computing, Enterprise Architecture, and Service-Oriented Architecture to a global clientele of business executives, architects, software vendors, and Cloud service providers looking to achieve technology-enabled business agility across their organizations and for their customers. His latest book, The Agile Architecture Revolution (John Wiley & Sons, 2013), sets the stage for Mr. Bloomberg’s groundbreaking Agile Architecture vision.

Mr. Bloomberg is perhaps best known for his twelve years at ZapThink, where he created and delivered the Licensed ZapThink Architect (LZA) SOA course and associated credential, certifying over 1,700 professionals worldwide. He is one of the original Managing Partners of ZapThink LLC, the leading SOA advisory and analysis firm, which was acquired by Dovel Technologies in 2011. He now runs the successor to the LZA program, the Bloomberg Agile Architecture Course, around the world.

Mr. Bloomberg is a frequent conference speaker and prolific writer. He has published over 500 articles, spoken at over 300 conferences, Webinars, and other events, and has been quoted in the press over 1,400 times as the leading expert on agile approaches to architecture in the enterprise.

Mr. Bloomberg’s previous book, Service Orient or Be Doomed! How Service Orientation Will Change Your Business (John Wiley & Sons, 2006, coauthored with Ron Schmelzer), is recognized as the leading business book on Service Orientation. He also co-authored the books XML and Web Services Unleashed (SAMS Publishing, 2002), and Web Page Scripting Techniques (Hayden Books, 1996).

Prior to ZapThink, Mr. Bloomberg built a diverse background in eBusiness technology management and industry analysis, including serving as a senior analyst in IDC’s eBusiness Advisory group, as well as holding eBusiness management positions at USWeb/CKS (later marchFIRST) and WaveBend Solutions (now Hitachi Consulting).

@MicroservicesExpo Stories
SYS-CON Events announced today that DataClear Inc. will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. The DataClear ‘BlackBox’ is the only solution that moves your PC, browsing and data out of the United States and away from prying (and spying) eyes. Its solution automatically builds you a clean, on-demand, virus free, new virtual cloud based PC outside of the United States, and wipes it clean...
It’s been proven time and time again that in tech, diversity drives greater innovation, better team productivity and greater profits and market share. So what can we do in our DevOps teams to embrace diversity and help transform the culture of development and operations into a true “DevOps” team? In her session at DevOps Summit, Stefana Muller, Director, Product Management – Continuous Delivery at CA Technologies, answered that question citing examples, showing how to create opportunities for ...
In his session at 17th Cloud Expo, Ernest Mueller, Product Manager at Idera, will explain the best practices and lessons learned for tracking and optimizing costs while delivering a cloud-hosted service. He will describe a DevOps approach where the applications and systems work together to track usage, model costs in a granular fashion, and make smart decisions at runtime to minimize costs. The trickier parts covered include triggering off the right metrics; balancing resilience and redundancy ...
Culture is the most important ingredient of DevOps. The challenge for most organizations is defining and communicating a vision of beneficial DevOps culture for their organizations, and then facilitating the changes needed to achieve that. Often this comes down to an ability to provide true leadership. As a CIO, are your direct reports IT managers or are they IT leaders? The hard truth is that many IT managers have risen through the ranks based on their technical skills, not their leadership ab...
Whether you like it or not, DevOps is on track for a remarkable alliance with security. The SEC didn’t approve the merger. And your boss hasn’t heard anything about it. Yet, this unruly triumvirate will soon dominate and deliver DevSecOps faster, cheaper, better, and on an unprecedented scale. In his session at DevOps Summit, Frank Bunger, VP of Customer Success at ScriptRock, will discuss how this cathartic moment will propel the DevOps movement from such stuff as dreams are made on to a prac...
Several years ago, I was a developer in a travel reservation aggregator. Our mission was to pull flight and hotel data from a bunch of cryptic reservation platforms, and provide it to other companies via an API library - for a fee. That was before companies like Expedia standardized such things. We started with simple methods like getFlightLeg() or addPassengerName(), each performing a small, well-understood function. But our customers wanted bigger, more encompassing services that would "do ...
SYS-CON Events announced today that Pythian, a global IT services company specializing in helping companies leverage disruptive technologies to optimize revenue-generating systems, has been named “Bronze Sponsor” of SYS-CON's 17th Cloud Expo, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Founded in 1997, Pythian is a global IT services company that helps companies compete by adopting disruptive technologies such as cloud, Big Data, advance...
What does “big enough” mean? It’s sometimes useful to argue by reductio ad absurdum. Hello, world doesn’t need to be broken down into smaller services. At the other extreme, building a monolithic enterprise resource planning (ERP) system is just asking for trouble: it’s too big, and it needs to be decomposed.
Early in my DevOps Journey, I was introduced to a book of great significance circulating within the Web Operations industry titled The Phoenix Project. (You can read our review of Gene’s book, if interested.) Written as a novel and loosely based on many of the same principles explored in The Goal, this book has been read and referenced by many who have adopted DevOps into their continuous improvement and software delivery processes around the world. As I began planning my travel schedule last...
Docker containerization is increasingly being used in production environments. How can these environments best be monitored? Monitoring Docker containers as if they are lightweight virtual machines (i.e., monitoring the host from within the container), with all the common metrics that can be captured from an operating system, is an insufficient approach. Docker containers can’t be treated as lightweight virtual machines; they must be treated as what they are: isolated processes running on hosts....
SYS-CON Events announced today that HPM Networks will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. For 20 years, HPM Networks has been integrating technology solutions that solve complex business challenges. HPM Networks has designed solutions for both SMB and enterprise customers throughout the San Francisco Bay Area.
SYS-CON Events announced today that G2G3 will exhibit at SYS-CON's @DevOpsSummit Silicon Valley, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. Based on a collective appreciation for user experience, design, and technology, G2G3 is uniquely qualified and motivated to redefine how organizations and people engage in an increasingly digital world.
SYS-CON Events announced today the Containers & Microservices Bootcamp, being held November 3-4, 2015, in conjunction with 17th Cloud Expo, @ThingsExpo, and @DevOpsSummit at the Santa Clara Convention Center in Santa Clara, CA. This is your chance to get started with the latest technology in the industry. Combined with real-world scenarios and use cases, the Containers and Microservices Bootcamp, led by Janakiram MSV, a Microsoft Regional Director, will include presentations as well as hands-on...
The pricing of tools or licenses for log aggregation can have a significant effect on organizational culture and the collaboration between Dev and Ops teams. Modern tools for log aggregation (of which Logentries is one example) can be hugely enabling for DevOps approaches to building and operating business-critical software systems. However, the pricing of an aggregated logging solution can affect the adoption of modern logging techniques, as well as organizational capabilities and cross-team ...
In today's digital world, change is the one constant. Disruptive innovations like cloud, mobility, social media, and the Internet of Things have reshaped the market and set new standards in customer expectations. To remain competitive, businesses must tap the potential of emerging technologies and markets through the rapid release of new products and services. However, the rigid and siloed structures of traditional IT platforms and processes are slowing them down – resulting in lengthy delivery ...
Skeuomorphism usually means retaining existing design cues in something new that doesn’t actually need them. However, the concept of skeuomorphism can be thought of as relating more broadly to applying existing patterns to new technologies that, in fact, cry out for new approaches. In his session at DevOps Summit, Gordon Haff, Senior Cloud Strategy Marketing and Evangelism Manager at Red Hat, discussed why containers should be paired with new architectural practices such as microservices rathe...
Any Ops team trying to support a company in today’s cloud-connected world knows that a new way of thinking is required – one just as dramatic than the shift from Ops to DevOps. The diversity of modern operations requires teams to focus their impact on breadth vs. depth. In his session at DevOps Summit, Adam Serediuk, Director of Operations at xMatters, Inc., will discuss the strategic requirements of evolving from Ops to DevOps, and why modern Operations has begun leveraging the “NoOps” approa...
Puppet Labs has announced the next major update to its flagship product: Puppet Enterprise 2015.2. This release includes new features providing DevOps teams with clarity, simplicity and additional management capabilities, including an all-new user interface, an interactive graph for visualizing infrastructure code, a new unified agent and broader infrastructure support.
DevOps has traditionally played important roles in development and IT operations, but the practice is quickly becoming core to other business functions such as customer success, business intelligence, and marketing analytics. Modern marketers today are driven by data and rely on many different analytics tools. They need DevOps engineers in general and server log data specifically to do their jobs well. Here’s why: Server log files contain the only data that is completely full and accurate in th...
The Microservices architectural pattern promises increased DevOps agility and can help enable continuous delivery of software. This session is for developers who are transforming existing applications to cloud-native applications, or creating new microservices style applications. In his session at DevOps Summit, Jim Bugwadia, CEO of Nirmata, will introduce best practices, patterns, challenges, and solutions for the development and operations of microservices style applications. He will discuss ...