Welcome!

Microservices Expo Authors: Jason Bloomberg, Elizabeth White, Liz McMillan, Pat Romanski, Kevin Jackson

Related Topics: Microservices Expo

Microservices Expo: Article

Snow White's FIRST Web Services

A cautionary fable for IT management

One day, Snow White decided to deploy a Web service. Her IT dwarves immediately went to work and were pleasantly surprised to find how easy it was to create the Web service using modern development tools. To Snow White's development dwarves, it almost seemed like magic.

Since Snow White's cottage was a Java shop, they deployed the Web service in their J2EE application server, but they could have just as easily used .NET and it would have seemed just as magical - maybe even more so, given the wealth and power of the Wizard of Seattle.

Since Snow White had lived in a palace with a wicked witch, she was no stranger to corporate culture in general and risk aversion in particular. Snow White also had clear goals. She had wisely eschewed the use of magic mirrors, and tended to favor a few industry analysts along with a handful of software vendors who seemed both willing and able to partner with her for the long haul. She wanted to achieve a more flexible and agile IT infrastructure by gradually moving IT to a service-oriented architecture (SOA). Snow White understood that you can't build a robust SOA for your enterprise based on a foundation of unmanaged and unsecured Web services. She wisely instructed her IT dwarves to make sure that this first production Web service was manageable and secure before they implemented any other Web services.

Chapter One - The Stage Is Set
Security wasn't difficult to enable for their first Web service. Their application server provided a magical runtime environment that allowed developers to specify security declaratively within an XML file or using a pretty GUI. Her staff used this magic to make sure that their Web service, using WS-Security, would only work with client applications that supported XML Encryption and XML Signature. The identity of her customers was wisely required to be passed as a security token within the WS-Security element of the SOAP messages that she received. There was no need for federated identity management at this early stage since the cottage directory server had the IDs of all their customers firmly in hand, but they had a good plan to expand, as needed, toward a wider community of distributed identities in the future.

With their experience in building and securing a Web service behind them, Snow White's development dwarves next recommended the purchase of a Web services management product to monitor the availability of their Web services. As developers, they were particularly pleased that this product could manage a Web service without having to change a line of code. Also, the product could automatically discover and manage new Web services as needed. Automatic discovery was particularly important, since they were concerned about rogue Web services being deployed in the enterprise. Certain office productivity products had made this almost too easy, even for non-programmers. Of course, this Web services management product could also report on important service metrics and help make sure that the service was responsive and reliable.

Everything was tidy and in place, and Snow White felt safe, secure, and highly profitable in her little house in the woods. Everything seemed fine until one day the head IT dwarf (who used to be Sneezy before he found allergy medication) found his boss on the floor weeping. Six important customers had complained in the last hour about poor performance on the Web service. "How could this have happened?" demanded the tearful Snow White, "I thought you said that our Web services management software would warn us of potential problems!"

Chapter Two - What Went Wrong?
In truth, there were a number of IT management, development, and product evaluation issues that had contributed to Snow White's tears. One important issue was the ineffective and superficial integration between their existing enterprise management system and their new Web services management software. The operations staff was running the entire IT infrastructure (a multitude of hardware and software entities such as operating systems, application servers, messaging middleware, routers, networks, databases, networked storage, and so on) using an enterprise management solution from a different vendor than the one who had provided the Web services management software. This decision had unintended consequences.

Their Web services management software had correctly warned them that their Web service was performing poorly. So, from the perspective of the Web services developers, the Web services management software had performed admirably - reporting a wide variety of metrics that are typically of concern to the operations staff. It had even managed to send its messages to the enterprise management system console. But, the Web services management product used different terminology and had a different user interface than the enterprise management system. Despite some efforts to train some operations staff in the particulars of both management systems, in a crisis the staff was confused and frustrated. They found it difficult to work with two different management systems.

In terms of internal Web services expertise, Snow White had been forced to rely almost exclusively on the development organization since they had been the first to work with Web services. In retrospect, Snow White should have driven greater participation from her operations staff in the product evaluation - providing the training and consultative resources that they would need to better manage the issues from their perspective.

Web services management software is quite naturally focused on the higher-level specifics of Web services, such as messages and service descriptions (SOAP and WSDL). While such software can often identify a troublesome Web service even in complex aggregations of cooperating Web services, it quite properly lacks any root cause-analysis capability down to the IT infrastructure level. In other words, it isn't intended to trace the underlying cause of a problem down to a particular IT software or hardware entity, like a database or router. The underlying business logic and the supporting IT infrastructure are invisible to the Web services management software. So, in the case of Snow White's Web service performance problem, the operations staff had tried to correlate warning messages sent by the Web services management software with the large number of warning and error management messages related to underlying IT infrastructure and business logic reported by the enterprise management solution, but the lack of deep integration between the two management systems made such work tedious, time consuming, and error prone.

In retrospect, Snow White's strategy and evaluation team would have benefited from the understanding that management cannot be done piecemeal. As part of a comprehensive plan to properly manage new technology stacks such as Web services, on-demand computing, and Grid, the team should have considered the long-term interoperability, training, overhead, and partnership challenges that derived from the use of multiple management solutions. The IT dwarves had selected new Web services management software that was unlikely to enjoy a more useful level of integration with their enterprise software solution in the future. Were they prepared to deal with the added cost and complexity? Had they investigated Web services management products from their own enterprise management vendor? What was the current level of integration being offered by that vendor and, more importantly, what was the enterprise management software vendor's commitment to deeper, more useful levels of integration in future releases?

Of equal concern, the security officer had been absent from discussions concerning Web services management because of the common, but mistaken, notion that security and management are two entirely different concerns. These days, security management increasingly interacts with traditional areas of management such as systems and life-cycle management. The interoperability, visibility, and exposure provided by existing and emerging Web services standards are creating ever more interdependence between management and security. Consider the simple example of a denial-of-service attack on a Web service. Is this a Web services security issue (the enterprise is clearly under assault) or is this a Web services management issue (the service has experienced a change in utilization and SOAP message traffic)? The answer, ultimately, is both.

Many organizations are still in the early adopter phase of Web services use and might justifiably defer consideration of the inevitable convergence of security with other management concerns in the short term. However, Snow White's admirable commitment to an SOA and the deployment of her first production Web service clearly demonstrate that Snow White's strategy team should have had a long-term partnership and deployment plan in place that would allow them to steadily evolve their management and security operations toward a cohesive whole, as needed.

The absence of proper input by the security officer during the planning and evaluation phase also meant that enterprise-level security policy played a surprisingly small role in the decision by the development dwarves to utilize the Web services security functionality provided by the application server. While it is often true that platform-provided security can provide a relatively quick and inexpensive way to comply with enterprise Web services security and management concerns, this is not always the wisest course of action.

Tying security to the Web services platform can make it difficult to centrally administer and maintain policy in a heterogeneous enterprise. Even if the enterprise has standardized on one application server, there are often many other legacy processes and data sources that are not able to leverage the security and management capabilities provided by the Web services platform. In any heterogeneous SOA, integrated, enterprise-level Web services security and management solutions that are independent of the Web services platform may be the only way to ensure that all Web services, not just those deployed on the application server, are fully compliant with corporate policy and can be centrally monitored.

Conclusion
What conclusions can we draw from this IT management fable? Snow White's problem wasn't a poisoned apple (Snow White was not the kind of CxO to fall for that old trick!). It appears that even well-run IT organizations like Snow White's, with a clear vision of where they want to go, can be surprised by the complexity and challenges of managing and securing Web services as part of an SOA. The moral of the story is simple and of value to IT shops in enterprise cottages everywhere. To be useful in the long term, Web services management needs to be comprehensive and holistic - a carefully mixed potion of true Web services management genuinely integrated with IT infrastructure management. Also, in terms of implementing security for Web services, an important part of the total management equation, IT organizations would do well to look beyond the security needs of any particular Web service. Rather, they should begin to formulate a more comprehensive security and management policy and mechanisms that extend beyond any one Web services-enabled platform to serve the enterprise and the SOA as a whole. With these lessons learned, Snow White and her IT dwarves should live happily ever after.

More Stories By Paul Lipton

Paul Lipton is VP of Industry Standards and Open Source at CA Technologies. He coordinates CA Technologies’ strategy and participation in those areas while also functioning as part of CA Labs. He is co-chair of the OASIS TOSCA Technical Committee, and also serves on the Board of Directors of the open source Eclipse Foundation, as well as both the Object Management Group and the Distributed Management Task Force in addition to other significant technical and leadership roles in many leading industry organizations such as the OASIS, W3C and INCITS.

Lipton is also an approved US delegate to the international standards organization ISO, as a member of the subcommittee focused on international cloud standards. He is a founding member of the CA Council for Technical Excellence where he leads a team focused on emerging technologies, a Java Champion, and Microsoft MVP.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@MicroservicesExpo Stories
If you cannot explicitly articulate how investing in a new technology, changing the approach or re-engineering the business process will help you achieve your customer-centric vision of the future in direct and measurable ways, you probably shouldn’t be doing it. At Intellyx, we spend a lot of time talking to technology vendors. In our conversations, we explore emerging new technologies that are either disrupting the way enterprise organizations work or that help enable those organizations to ...
In 2014, Amazon announced a new form of compute called Lambda. We didn't know it at the time, but this represented a fundamental shift in what we expect from cloud computing. Now, all of the major cloud computing vendors want to take part in this disruptive technology. In his session at 20th Cloud Expo, Doug Vanderweide, an instructor at Linux Academy, discussed why major players like AWS, Microsoft Azure, IBM Bluemix, and Google Cloud Platform are all trying to sidestep VMs and containers wit...
The taxi industry never saw Uber coming. Startups are a threat to incumbents like never before, and a major enabler for startups is that they are instantly “cloud ready.” If innovation moves at the pace of IT, then your company is in trouble. Why? Because your data center will not keep up with frenetic pace AWS, Microsoft and Google are rolling out new capabilities. In his session at 20th Cloud Expo, Don Browning, VP of Cloud Architecture at Turner, posited that disruption is inevitable for comp...
For organizations that have amassed large sums of software complexity, taking a microservices approach is the first step toward DevOps and continuous improvement / development. Integrating system-level analysis with microservices makes it easier to change and add functionality to applications at any time without the increase of risk. Before you start big transformation projects or a cloud migration, make sure these changes won’t take down your entire organization.
There's a lot to gain from cloud computing, but success requires a thoughtful and enterprise focused approach. Cloud computing decouples data and information from the infrastructure on which it lies. A process that is a LOT more involved than dragging some folders from your desktop to a shared drive. Cloud computing as a mission transformation activity, not a technological one. As an organization moves from local information hosting to the cloud, one of the most important challenges is addressi...
"We are a monitoring company. We work with Salesforce, BBC, and quite a few other big logos. We basically provide monitoring for them, structure for their cloud services and we fit into the DevOps world" explained David Gildeh, Co-founder and CEO of Outlyer, in this SYS-CON.tv interview at DevOps Summit at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"When we talk about cloud without compromise what we're talking about is that when people think about 'I need the flexibility of the cloud' - it's the ability to create applications and run them in a cloud environment that's far more flexible,” explained Matthew Finnie, CTO of Interoute, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
What's the role of an IT self-service portal when you get to continuous delivery and Infrastructure as Code? This general session showed how to create the continuous delivery culture and eight accelerators for leading the change. Don Demcsak is a DevOps and Cloud Native Modernization Principal for Dell EMC based out of New Jersey. He is a former, long time, Microsoft Most Valuable Professional, specializing in building and architecting Application Delivery Pipelines for hybrid legacy, and cloud ...
For most organizations, the move to hybrid cloud is now a question of when, not if. Fully 82% of enterprises plan to have a hybrid cloud strategy this year, according to Infoholic Research. The worldwide hybrid cloud computing market is expected to grow about 34% annually over the next five years, reaching $241.13 billion by 2022. Companies are embracing hybrid cloud because of the many advantages it offers compared to relying on a single provider for all of their cloud needs. Hybrid offers bala...
21st International Cloud Expo, taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy. Me...
Companies have always been concerned that traditional enterprise software is slow and complex to install, often disrupting critical and time-sensitive operations during roll-out. With the growing need to integrate new digital technologies into the enterprise to transform business processes, this concern has become even more pressing. A 2016 Panorama Consulting Solutions study revealed that enterprise resource planning (ERP) projects took an average of 21 months to install, with 57 percent of t...
Microservices are increasingly used in the development world as developers work to create larger, more complex applications that are better developed and managed as a combination of smaller services that work cohesively together for larger, application-wide functionality. Tools such as Service Fabric are rising to meet the need to think about and build apps using a piece-by-piece methodology that is, frankly, less mind-boggling than considering the whole of the application at once. Today, we'll ...
In his session at Cloud Expo, Alan Winters, an entertainment executive/TV producer turned serial entrepreneur, presented a success story of an entrepreneur who has both suffered through and benefited from offshore development across multiple businesses: The smart choice, or how to select the right offshore development partner Warning signs, or how to minimize chances of making the wrong choice Collaboration, or how to establish the most effective work processes Budget control, or how to ma...
Hybrid IT is today’s reality, and while its implementation may seem daunting at times, more and more organizations are migrating to the cloud. In fact, according to SolarWinds 2017 IT Trends Index: Portrait of a Hybrid IT Organization 95 percent of organizations have migrated crucial applications to the cloud in the past year. As such, it’s in every IT professional’s best interest to know what to expect.
Both SaaS vendors and SaaS buyers are going “all-in” to hyperscale IaaS platforms such as AWS, which is disrupting the SaaS value proposition. Why should the enterprise SaaS consumer pay for the SaaS service if their data is resident in adjacent AWS S3 buckets? If both SaaS sellers and buyers are using the same cloud tools, automation and pay-per-transaction model offered by IaaS platforms, then why not host the “shrink-wrapped” software in the customers’ cloud? Further, serverless computing, cl...
Containers, microservices and DevOps are all the rage lately. You can read about how great they are and how they’ll change your life and the industry everywhere. So naturally when we started a new company and were deciding how to architect our app, we went with microservices, containers and DevOps. About now you’re expecting a story of how everything went so smoothly, we’re now pushing out code ten times a day, but the reality is quite different.
In the decade following his article, cloud computing further cemented Carr’s perspective. Compute, storage, and network resources have become simple utilities, available at the proverbial turn of the faucet. The value they provide is immense, but the cloud playing field is amazingly level. Carr’s quote above presaged the cloud to a T. Today, however, we’re in the digital era. Mark Andreesen’s ‘software is eating the world’ prognostication is coming to pass, as enterprises realize they must be...
A common misconception about the cloud is that one size fits all. Companies expecting to run all of their operations using one cloud solution or service must realize that doing so is akin to forcing the totality of their business functionality into a straightjacket. Unlocking the full potential of the cloud means embracing the multi-cloud future where businesses use their own cloud, and/or clouds from different vendors, to support separate functions or product groups. There is no single cloud so...
Colocation is a central pillar of modern enterprise infrastructure planning because it provides greater control, insight, and performance than managed platforms. In spite of the inexorable rise of the cloud, most businesses with extensive IT hardware requirements choose to host their infrastructure in colocation data centers. According to a recent IDC survey, more than half of the businesses questioned use colocation services, and the number is even higher among established businesses and busin...
When shopping for a new data processing platform for IoT solutions, many development teams want to be able to test-drive options before making a choice. Yet when evaluating an IoT solution, it’s simply not feasible to do so at scale with physical devices. Building a sensor simulator is the next best choice; however, generating a realistic simulation at very high TPS with ease of configurability is a formidable challenge. When dealing with multiple application or transport protocols, you would be...