Take the BriefingsDirect middleware/ESB survey now.
SpringSource made headlines last week when VMware scooped up the Java infrastructure and management firm for $420 million in a move to breed easier cloud migration. Now, the spotlight is on the San Mateo, Calif. company once again as it leverages one of its own recent cloud industry acquisitions.
On Wednesday, SpringSource rolled out a beta of Cloud Foundry, an enterprise Java cloud offering that lets developers deploy and manage Spring, Grails and Java applications in a public cloud environment.
SpringSource is essentially offering a self-service, pay-as-you-go, public cloud deployment platform on which to build, run and manage the entire Java Web application lifecycle. Nice! Cloud Foundry promises to launch and automatically scale Java Web applications in the cloud with a few clicks of a mouse.
This is the clear path for open source and Java developers to the cloud. Microsoft will have its hands full just keeping the .NET developers and operators on the farm, so to speak.
The ability to develop Java applications in the cloud quickly with quality only further eases the deployment of Java applications into cloud containers, either internal, external or both. This must be VMware's thinking ... get the developers on board, and the operators will follow. It's worked before. Only this time it's the virtualized container that's the target -- the cloud OS, rather than the platform OS. And it's the cloud container that now benefits from the tools-to-target synergy.
This also makes moot the rip and replace argument against changing from installed platforms (like Windows). When you're moving the runtime up into a cloud, you don't care what the underlying platform is. You want to be able to develop well, and then get your operations requirements met on on performance, security and cost.
Because these are Java applications, this will appeal to the mission-critical apps set along those requirements. When enterprise CIOs begin to gain the insights into IT financial management of their traditional development and deployment strategies -- and then compare and constrast to these cloud lifecycle methods and costs -- the worm then turns.
The vision we're seeing from VMware and others speaks to dramatically cutting the total and ongoing cost of IT when the full development and deployment equation is factored. It's about Moore's Law moving off of the silicon and up and into the clouds.
Rod Johnson, CEO of SpringSource, is bragging about the benefits of Cloud Foundry:
“Unlike competitive offerings, our cloud service does not come with compromises; companies can deploy full-feature Java Web applications, built using SpringSource tools. C-level technology executives can seamlessly add cloud computing as a strategic option as part of their development roadmap.”
SpringSource is once again demonstrating the power of open source in the cloud by adding another piece of the “Java in the cloud” puzzle. Cloud Foundry plays off the strength of SpringSource core technologies. But SpringSource is also leveraging technologies from other developers to flesh out the big picture.
For example, SpringSource will rely on Hyperic CloudStatus to gain cloud health monitoring data. SpringSource will also tap Hyperic HQ-powered functionality to offer insights into application performance and service levels. Hyperic HQ works with Cloud Foundry’s technology to automatically scale cloud deployments by understanding how applications are working and interacting with other IT resources.
The VMware Connection
Of course, SpringSource holds several pieces of the “Java in the cloud” puzzle internally. Beyond Cloud Foundry, there's SpringSource’s tc Server. Based on Apache Tomcat, it provides a lightweight container for deploying Java Web applications in the cloud. SpringSource is also ramping up quickly to make its Tool Suite available within the next 90 days. The Tool Suite will offer direct deployment of Java applications—through Cloud Foundry—into the public cloud.
How does this fit into VMware? SpringSource plans to bring Cloud Foundry's capabilities to VMware's vCloud service provider partners and internal VMware vSphere environments to offer infrastructure choice, deployment flexibility and enterprise services.
SpringSource will offer the same capabilities to Amazon Web Services, and plans to enrich Cloud Foundry’s capabilities with enhanced cloud management features and new services in the coming months.
Take the BriefingsDirect middleware/ESB survey now.
BriefingsDirect contributor Jennifer LeClaire provided editorial assistance and research on this post. She can be reached here and here.
Thursday, August 20, 2009
Tuesday, August 18, 2009
BriefingsDirect analysts discuss Software AG-IDS Scheer acquisition and lackluster prospects for Google Chrome OS
Listen to the podcast. Download or view a full transcript. Find it on iTunes/iPod and Podcast.com. Charter Sponsor: Active Endpoints. Also sponsored by TIBCO Software.
Special offer: Download a free, supported 30-day trial of Active Endpoint's ActiveVOS at www.activevos.com/insight.
Take the BriefingsDirect middleware/ESB survey now.
Welcome to the latest BriefingsDirect Analyst Insights Edition, Volume 44. Our topic this week on BriefingsDirect Analyst Insights Edition, and it is the week of July 13, 2009, centers on Software AG's bid to acquire IDS Scheer for about $320 million. We'll look into why this could be a big business process management (BPM) deal, not only for Software AG, but also for the service-oriented architecture (SOA) competitive landscape that is fast moving, as we saw from Oracle's recent acquisition of Sun Microsystems.
Another topic for our panel this week is the seemingly inevitable trend toward Web oriented architecture (WOA), most notably supported by Google's announcement of the Google Chrome operating system (OS).
Will the popularity of devices like netbooks and smartphones accelerate the obsolescence of full-fledged fat clients, and what can Google hope to do further to move the market away from powerhouse Microsoft? Who is the David and who is the Goliath in this transition from software plus services to software for services?
Here to help us better understand Software AG's latest acquisition bid and the impact of the Google Chrome OS are our analysts this week. We are here with Jim Kobielus, senior analyst at Forrester Research; Tony Baer, senior analyst at Ovum; Brad Shimmin, principal analyst at Current Analysis; Jason Bloomberg, managing partner at ZapThink; JP Morgenthal, independent analyst and IT consultant; and Joe McKendrick, independent analyst and ZDNet and SOA blogger. The discussion is moderated be me, Dana Gardner, principal analyst at Interarbor Solutions.
Here are some excerpts:
Special offer: Download a free, supported 30-day trial of Active Endpoint's ActiveVOS at www.activevos.com/insight.
Take the BriefingsDirect middleware/ESB survey now.
and Networking Events
In need of vendor-neutral, architect-level SOA and EA training? ZapThink's Licensed ZapThink Architect (LZA) SOA Boot Camps provide four days of intense, hands-on architect-level SOA training and certification.
Advanced SOA architects might want to enroll in ZapThink's SOA Governance and Security training and certification courses. Or, are you just looking to network with your peers, interact with experts and pundits, and schmooze on SOA after hours? Join us at an upcoming ZapForum event. Find out more and register for these events at http://www.zapthink.com/eventreg.html.
Special offer: Download a free, supported 30-day trial of Active Endpoint's ActiveVOS at www.activevos.com/insight.
Take the BriefingsDirect middleware/ESB survey now.
Welcome to the latest BriefingsDirect Analyst Insights Edition, Volume 44. Our topic this week on BriefingsDirect Analyst Insights Edition, and it is the week of July 13, 2009, centers on Software AG's bid to acquire IDS Scheer for about $320 million. We'll look into why this could be a big business process management (BPM) deal, not only for Software AG, but also for the service-oriented architecture (SOA) competitive landscape that is fast moving, as we saw from Oracle's recent acquisition of Sun Microsystems.
Another topic for our panel this week is the seemingly inevitable trend toward Web oriented architecture (WOA), most notably supported by Google's announcement of the Google Chrome operating system (OS).
Will the popularity of devices like netbooks and smartphones accelerate the obsolescence of full-fledged fat clients, and what can Google hope to do further to move the market away from powerhouse Microsoft? Who is the David and who is the Goliath in this transition from software plus services to software for services?
Here to help us better understand Software AG's latest acquisition bid and the impact of the Google Chrome OS are our analysts this week. We are here with Jim Kobielus, senior analyst at Forrester Research; Tony Baer, senior analyst at Ovum; Brad Shimmin, principal analyst at Current Analysis; Jason Bloomberg, managing partner at ZapThink; JP Morgenthal, independent analyst and IT consultant; and Joe McKendrick, independent analyst and ZDNet and SOA blogger. The discussion is moderated be me, Dana Gardner, principal analyst at Interarbor Solutions.
Here are some excerpts:
Morgenthal: The acquisition seems to be focused heavily on IDS Scheer's association with SAP, and that the move seems to be driven by more of a business relationship than a technical relationship. If you look at the platforms, there is some overlap between the webMethods platform and the ARIS platform.Listen to the podcast. Download or view a full transcript. Find it on iTunes/iPod and Podcast.com. Charter Sponsor: Active Endpoints. Also sponsored by TIBCO Software.
So, it would make sense that, if they were going after something, it wouldn't be just more design functionality. There has to be something deeper there for them to grow that business even larger, and certainly SAP is a good target for going after more additional business.
SAP probably doesn't believe that they need an SOA partner, but I think that the fish are starting to nip around the outer boundaries. SAP customers are to the point now, where they are looking for something more immediate, and obviously the redevelopment of SAP as a complete SOA architecture is a long-term endeavor.
So, how do you start moving there in an incremental fashion? A lot of SOA platform vendors are starting to identify that there is a place for them on the outer edges, until SAP gets to make its full transformation.
The combined effort of a Software AG with webMethods and IDS Scheer actually becomes one of the feeders on the outer edges of the SAP market. While SAP is in its cocoon, it needs to turn from caterpillar into SOA butterfly, and heaven knows whether that will actually survive that transformation.
There are a lot of SOA platforms starting to eat at the outer edges of the cocoon, feeding off of that, and hoping the transformation either fails or that there will be a place for them when the SOA butterfly emerges.
Kobielus: What's really interesting here is that, clearly Software AG is on a tear now to build up their whole SOA stack. ... People didn't realize that IDS Scheer is actually now a business intelligence (BI) vendor. They've got a self-service mashup BI product called ARIS MashZone, in addition to the complex event processing (CEP) product and an in-memory analytics product.
IDS Scheer, prior to this acquisition, has been increasingly positioning themselves in the new generation of BI solutions. That's been the one area where Software AG/webMethods has been deficient, from my point of view. In these SOA wars, they're lacking any strong BI or CEP capabilities.
Now, IDS Scheer, their BI, their CEP, and their in-memory analytics is all tied to business activity monitoring (BAM), and all tied to BPM. So, it's not clear whether or when Software AG, with IDS Scheer on board, might start turning all of that technology or adapting it to be more of a general purpose BI CEP capability. But, you know what, if they choose to do that, I think they've got some very strong technologies to build upon.
Baer: You can't separate the technology from the strategic implications of this deal. ... There are other dimensions to this deal, which is that Software AG's webMethods business gets a much deeper process-modeling path. I don't know how redundant it is with the existing modeling. I don't think there are many BPM modeling languages that are deeper than ARIS, and that's selling pretty awesomely. As a matter of fact, you can look at Oracle, which uses it as one of the paths to modeling business process, along with the technology they picked up from BEA.
For Software AG, [the acquisition gives them] immediate access to the SAP base, and that's huge. It also basically lays down a gauntlet to IBM and Oracle, especially Oracle, which has an OEM agreement [with IDS Scheer]. All of a sudden they have an OEM agreement with a major rival, as they're trying to ramp up their Fusion middleware business and their SOA governance story.
Shimmin: Look to the governance. About two years ago, most of the vendors were OEM. That certainly has turned around, such that these vendors are now very much providing in-house stacks. That's why I think this is such a big deal, and, as Tony was saying, why it's so disruptive.
It's not just that they have a fuller stack now, but there is a more complete stack for SAP customers. NetWeaver has been hanging in there. SAP definitely thinks it is middleware, but then why else would there be so many players on the outside, providing integration services for SAP applications running on not NetWeaver
It's now a class society, where you have the big players -- the IBMs, Oracle, SAPs, and now Software AGs of the world -- and then you have the rogue players in these open-source space that are coming up, that have room to play. ... When you have this really bifurcated environment, it gives you fewer acquisitions and more competition, and that's what's going to be great for the industry. I don't see this as leading to further consolidation at the top end. It's going to be more activity on the bottom end.
Bloomberg: This IDS Scheer announcement really doesn't have anything to do with SOA. That is surprising, in a way, but also consistent with some of the fundamental disconnect we see within Software AG, between the integration folks on one hand and the BPM folks on the other.
There are some people within Software AG, typically the CentraSite team, Miko Matsumura and his strategy team, who really understand the connection between SOA and BPM. But, for the most part, basically the old guard, the German staff, just doesn't see the connection.
If you read the BPM For Dummies Book that Software AG put together, for example, they don't even understand that SOA has any connection to BPM. Software AG released a press release a few weeks ago that described SOA as a technology. Whoever wrote the press release doesn't even understand that SOA is architecture. It makes you wonder where the disconnect is.
With the IDS Scheer acquisition, if you read through what Software AG is saying about this, they're not connecting it with their SOA story. This is part of their BPM story. This is a way for them to build their vertical BPM expertise. That's the missing piece.
Kobielus: Let me butt in a second, because in Forrester we've been discussing this. We don't think that Software AG understands fully who they are acquiring, because they don't really fully understand what IDS Scheer has on the SOA side. They don't understand the BI and CEP stuff.
So, I agree wholeheartedly with what Jason is saying. They're acquiring them just for the BPM, but that really in many ways really understates what IDS Scheer potentially can offer Software AG.
Bear: There has always been a huge cultural divide between the business folks, who felt that they own BPM, versus the IT folks, who own the architecture or the technology architecture, which would be SOA. What’s really interesting and what's going to stir up the pot some more -- and this is still on the horizon -- is BPMN 2.0, which is supposed to support direct execution.
Bloomberg: You're right that a lot of organizations still see SOA as technical architecture, as something distinct from the BPM, and those are the organizations that are failing with SOA. That part of the "SOA is dead" straw man is that misconception of SOA as about technology. That's what’s not working well in many organizations.
On the plus side, there are a number of enterprises that do understand this point, are connecting business process with SOA, and understand really that you need to have a process driven SOA approach to enterprise architecture.
Kobielus: What gives me hope on the Software AG-IDS Scheer merger is the fact that what I heard on the briefing is that Software AG realizes they need to shift from a technology and sales driven model towards more of a solution and consulting driven business model. First of all, that's the way that you lock in the customer in terms of a partnership or an ongoing relationship to help the customer optimize their business and chief differentiation in their business.
What I found really the most valuable thing about the briefing on the acquisition that we got from them the other day was IDS Scheer adding significant value to Software AG. Software AG pointed to the business process tools under ARIS. That's a given. They focused even more on the EA modeling capabilities that IDS Scheer has, and even more on the professional services on the vertical solution side and the BPA consulting side -- consulting, consulting, consulting, relationship building, solution marketing.
On Google Chrome OS ...
Shimmin: I just think it's reflective of the shift that's already under way. When you look at Google Chrome OS, it's Linux, which is a well-established OS, but certainly not something you would call a web-oriented OS. Chrome OS is really something akin to GNOME or KDE running on top of it. So, technologically, this is nothing spectacularly new.
I think that what Google is doing, and what is brilliant about what they're doing, is that they're saying, "We are the architectural providers of the web, people who make the pipes go, and make all of you able to get to the places you want to go in the web through our index. We're going to build an OS that's geared toward you folks. We're going OEM and through vendors that are building netbooks, that are definitely making a point of contention with Microsoft. Because Microsoft, as we know, is really not pleased with the netbook vendors, because they can't run Vista or eventually Windows 7."
Morgenthal: I have differing opinion, and of course an opportunity to tick off the entire Slashdot audience. Everyone thinks this is an attack at Microsoft. I'm looking at it as a Mac user and see a huge hole in the market. I've got to pay almost $2,000 for a really good high-powered Macintosh today. All they did was take BSD Unix and really soup it up so that your basic user can use it.
People on the Linux side are like, "Oh, Linux is great now. It's really usable." I've got news for you. It's no way nearly as usable as Windows or the Mac. As far as usability, Linux is still growing out of the proverbial slime.
But, if you take that concept of what Apple did with BSD and you say, "Hmm, I'm going to do that. I'm going to take Linux as my base and I'm going to really soup up the UI. I'm going to make it really oriented around the network, which I already did, and I have a lot of my apps in the Cloud, I don't necessarily need to build everything large scale. I still need to have the ability to do video, tie things in, and make that usable, but I'm also going to be able to sell it on a $400 netbook computer."
Now, you're right down the middle of the entire open market, because people can't stand Windows XP running on these netbooks. As was previously said, you can't yet run Windows 7 yet or Vista. We don't know what Windows 7 is going to look like, as far as usability, and the Mac is costing way too much.
There is a huge home run right through the middle. You just run right up the center and you've got yourself a massive home run. It doesn't have to be about going after the enemy. It's not about hurting the enemy. It's about going after your competitors.
... If you can deliver the equivalent of an Apple-based set of functionality and the usability of the Mac on a $400 netbook, or a bigger if you want, you hurt Apple. You don't hurt Windows.
Kobielus: People keep expecting the big "Google hegemony" to evolve or to burst out, so everybody keeps latching onto these kinds of announcements as the harbinger of the coming Google hegemony and all components of the distributed internet-work Web 2.0 world. I just don't see that happening.
They've got all these kinds of projects going, but none of them has even begun to deliver for Google anything even approximating the revenue share that they get from search-driven advertising.
So, this is interesting, but a lot of Google projects are interesting. Google Fusion Tables are interesting for analytics, but I just can't really generate a big interest in this project, until I see something concrete.
Shimmin: I am sorry to interrupt you, but Apple has netbook coming out in October too, so they're trying for that market as well.
Baer: I'll grant you that point. The important thing mostly is that it does point to a new diversity of clients. Some may need netbooks. Some may want smartphones. Some, like myself, still deal with regular brick computers. It's just a diversity.
Special offer: Download a free, supported 30-day trial of Active Endpoint's ActiveVOS at www.activevos.com/insight.
Take the BriefingsDirect middleware/ESB survey now.
SPECIAL PARTNER OFFER
SOA and EA Training, Certification,
and Networking Events
In need of vendor-neutral, architect-level SOA and EA training? ZapThink's Licensed ZapThink Architect (LZA) SOA Boot Camps provide four days of intense, hands-on architect-level SOA training and certification.
Advanced SOA architects might want to enroll in ZapThink's SOA Governance and Security training and certification courses. Or, are you just looking to network with your peers, interact with experts and pundits, and schmooze on SOA after hours? Join us at an upcoming ZapForum event. Find out more and register for these events at http://www.zapthink.com/eventreg.html.
BriefingsDirect user survey helps define latest ESB trends, middleware use patterns
Take the BriefingsDirect middleware/ESB survey now.
Forgive my harping on this, but I keep hearing about how powerful social media is for gathering insights from the IT communities and users. Yet I rarely see actual market research conducted via the social media milieu.
So now's the time to fully test the process. I'm hoping that you users and specifiers of enterprise software middleware, SOA infrastructure, integration middleware, and enterprise service buses (ESBs) will take 5 minutes and fill out my BriefingsDirect survey. We'll share the results via this blog in a few weeks.
We're seeking to uncover the latest trends in actual usage and perceptions around these technologies -- both open source and commercial.
How middleware products -- like ESBs -- are used is not supposed to change rapidly. Enterprises typically choose and deploy integration software infrastructure slowly and deliberately, and they don't often change course without good reason.
But the last few years have proven an exception. Middleware products and brands have shifted more rapidly than ever before. Vendors have consolidated, product lines have merged. Users have had to grapple with new and dynamic requirements.
Open source offerings have swiftly matured, and in many cases advanced capabilities beyond the commercial space. Interest in SOA is now shared with anticipation of cloud computing approaches and needs.
So how do enterprise IT leaders and planners view the middleware and SOA landscape after a period of adjustment -- including the roughest global recession in more than 60 years?
This brief survey, distributed by BriefingsDirect for Interarbor Solutions, is designed to gauge the latest perceptions and patterns of use and updated requirements for middleware products and capabilities. Please take a few moments and share your preferences on enterprise middleware software. Thank you.
Take the BriefingsDirect middleware/ESB survey now.
Forgive my harping on this, but I keep hearing about how powerful social media is for gathering insights from the IT communities and users. Yet I rarely see actual market research conducted via the social media milieu.
So now's the time to fully test the process. I'm hoping that you users and specifiers of enterprise software middleware, SOA infrastructure, integration middleware, and enterprise service buses (ESBs) will take 5 minutes and fill out my BriefingsDirect survey. We'll share the results via this blog in a few weeks.
We're seeking to uncover the latest trends in actual usage and perceptions around these technologies -- both open source and commercial.
How middleware products -- like ESBs -- are used is not supposed to change rapidly. Enterprises typically choose and deploy integration software infrastructure slowly and deliberately, and they don't often change course without good reason.
But the last few years have proven an exception. Middleware products and brands have shifted more rapidly than ever before. Vendors have consolidated, product lines have merged. Users have had to grapple with new and dynamic requirements.
Open source offerings have swiftly matured, and in many cases advanced capabilities beyond the commercial space. Interest in SOA is now shared with anticipation of cloud computing approaches and needs.
So how do enterprise IT leaders and planners view the middleware and SOA landscape after a period of adjustment -- including the roughest global recession in more than 60 years?
This brief survey, distributed by BriefingsDirect for Interarbor Solutions, is designed to gauge the latest perceptions and patterns of use and updated requirements for middleware products and capabilities. Please take a few moments and share your preferences on enterprise middleware software. Thank you.
Take the BriefingsDirect middleware/ESB survey now.
Monday, August 17, 2009
Open Group forms Cloud Work Group to spur enterprise cloud adoption and security via open standards
This guest blog comes courtesy of Dave Lounsbury, vice president of government programs and managing director of research and technology at The Open Group, where he leads activities related to government research, adaptive and real-time system software, and cloud computing. He can be reached here.
Take the BriefingsDirect middleware/ESB survey now.
By Dave Lounsbury
Like so many others, The Open Group has been busy for the past year figuring out our place in
the cloud. With the great work already being done by industry groups like the Cloud Computing Interoperability Forum, CloudCamp and the Cloud Security Alliance, we have given great thought and consideration to how we can best add value to this evolving area. [Disclosure: The Open Group is a sponsor of BriefingsDirect podcasts.]
The growth in cloud computing has resulted in a diverse array of technical capabilities, and companies of all sizes are trying to understand how to take advantage of them in their business operations. We saw this as an opportunity to bring both vendors and end-users together with an eye toward providing guidance for adopting and implementing cloud computing in a way that helps ensure that organizations get the business benefits promised by these new capabilities.
Over the past year, The Open Group’s members have engaged in focused work to identify end-user requirements for cloud computing, identifying needs in security and identity, standards to prevent lock-in, skills in management of cloud outsourcing, and the need for enterprise architecture models for cloud. As a culmination of this, I am pleased to announce that we have officially formed our own Cloud Work Group.
We have taken what we’ve learned from our London and Toronto conferences to create a group
The Cloud Work Group is in a unique position to develop a common understanding between buyers and suppliers of how companies can use cloud products and services in a flexible and secure way to realize its full potential. By focusing on customer input and drawing on the diverse views of our global members, we intend to bring a somewhat understated perspective to the discussion – that of the end-user.
Our first deliverable will be to publish a Business Scenario for Enterprise Cloud Computing, based on end-user requirements discussed at The Open Group’s latest Enterprise Architecture Conference in Toronto. During a business scenario workshop, led by MITRE’s Terry Blevins, we brainstormed and discussed the cloud’s most critical business requirements, as well as “pain points”. As Sandy Kemsley summarizes in her blog post, The Enterprise Cloud Business Scenario will help companies identify and understand business needs relative to cloud computing and thereby derive the requirements that the architecture development must address.
This is an exciting time for us as we collaborate with some of the industry’s leading cloud providers and end-user organizations to ensure both sides are in sync and able to reap the rewards as a result. The direction of the group is determined by Open Group members, but participation is welcomed from all organizations that wish to understand or contribute to the development of best practices for enterprise use of cloud computing.
To get involved or for more information, please visit: https://www.opengroup.org/cloudcomputing/. We hope you will join us!
Take the BriefingsDirect middleware/ESB survey now.
This guest blog is courtesy of Dave Lounsbury, vice president of government programs and managing director of research and technology at The Open Group, where he leads activities related to government research, adaptive and real-time system software, and cloud computing. He can be reached here.
Take the BriefingsDirect middleware/ESB survey now.
By Dave Lounsbury
Like so many others, The Open Group has been busy for the past year figuring out our place in
the cloud. With the great work already being done by industry groups like the Cloud Computing Interoperability Forum, CloudCamp and the Cloud Security Alliance, we have given great thought and consideration to how we can best add value to this evolving area. [Disclosure: The Open Group is a sponsor of BriefingsDirect podcasts.]The growth in cloud computing has resulted in a diverse array of technical capabilities, and companies of all sizes are trying to understand how to take advantage of them in their business operations. We saw this as an opportunity to bring both vendors and end-users together with an eye toward providing guidance for adopting and implementing cloud computing in a way that helps ensure that organizations get the business benefits promised by these new capabilities.
Over the past year, The Open Group’s members have engaged in focused work to identify end-user requirements for cloud computing, identifying needs in security and identity, standards to prevent lock-in, skills in management of cloud outsourcing, and the need for enterprise architecture models for cloud. As a culmination of this, I am pleased to announce that we have officially formed our own Cloud Work Group.
We have taken what we’ve learned from our London and Toronto conferences to create a group
The Cloud Work Group is in a unique position to develop a common understanding between buyers and suppliers of how companies can use cloud products and services in a flexible and secure way to realize its full potential.
that we believe truly reflects the importance of cloud computing to The Open Group members and industry at large. Our main goal is to ensure the effective and secure use of cloud computing in enterprise architectures, given The Open Group’s experience driving vendor-neutral standards and certification programs in and around enterprise architecture.The Cloud Work Group is in a unique position to develop a common understanding between buyers and suppliers of how companies can use cloud products and services in a flexible and secure way to realize its full potential. By focusing on customer input and drawing on the diverse views of our global members, we intend to bring a somewhat understated perspective to the discussion – that of the end-user.
Our first deliverable will be to publish a Business Scenario for Enterprise Cloud Computing, based on end-user requirements discussed at The Open Group’s latest Enterprise Architecture Conference in Toronto. During a business scenario workshop, led by MITRE’s Terry Blevins, we brainstormed and discussed the cloud’s most critical business requirements, as well as “pain points”. As Sandy Kemsley summarizes in her blog post, The Enterprise Cloud Business Scenario will help companies identify and understand business needs relative to cloud computing and thereby derive the requirements that the architecture development must address.
This is an exciting time for us as we collaborate with some of the industry’s leading cloud providers and end-user organizations to ensure both sides are in sync and able to reap the rewards as a result. The direction of the group is determined by Open Group members, but participation is welcomed from all organizations that wish to understand or contribute to the development of best practices for enterprise use of cloud computing.
To get involved or for more information, please visit: https://www.opengroup.org/cloudcomputing/. We hope you will join us!
Take the BriefingsDirect middleware/ESB survey now.
This guest blog is courtesy of Dave Lounsbury, vice president of government programs and managing director of research and technology at The Open Group, where he leads activities related to government research, adaptive and real-time system software, and cloud computing. He can be reached here.
Understanding the value of reference architectures in the SOA story
This guest post comes courtesy of ZapThink. Ron Schmelzer is a senior analyst at ZapThink. You can reach him here.
Take the BriefingsDirect middleware/ESB survey now.
By Ron Schmelzer
There's nothing more that architects love to do than argue about definitions. If you ever find yourself with idle
time in a room of architects, try asking for a definition of "service" or "architecture" and see what sort of creative melee you can start.
That being said, definitions are indeed very important so that we can have a common language to communicate the intent and benefit of the very things we are trying to convince business to invest in. From that perspective, a number of concepts have emerged in the past decade or so that have become top of mind for self-styled enterprise architects: architecture frameworks and reference architectures.
In previous ZapFlashes, we discussed architecture frameworks, which leaves the topic of reference architectures left untouched by ZapThink. Since we can't leave a good argument behind, we're going to use this ZapFlash to explore what reference architectures are all about and what value they have to add to the Service-Oriented Architecture (SOA) story.
What is a reference architecture?
One commonly accepted definition for reference architecture is that it provides a methodology and/or set of practices and templates that are based on the generalization of a set of successful solutions for a particular category of solutions. Reference architectures provide guidance on how to apply specific patterns and/or practices to solve particular classes of problems. In this way, it serves as a "reference" for the specific architectures that companies will implement to solve their own problems. It is never intended that a reference architecture would be implemented as-is, but rather used either as a point of comparison or as a starting point for individual companies' architectural efforts.
Others refine the definition of reference architecture as a description of how to build a class of artifacts. These artifacts can be embodied in many forms including design patterns, methodologies, standards, metadata, and documents of all sorts. Long story short, if you need guidance on how to develop a specific architecture based on best practices or authoritative sets of potential artifacts, you should look to a reference architecture that covers the scope of the architecture that you're looking to build.
One of the most popular examples of reference architectures in IT is the Java Platform Enterprise Edition (Java EE) architecture, which provides a layered reference architecture and templates addressing a range of technology and business issues that have guided many Java-based enterprise systems.
Reference architectures vs. architecture frameworks
While the above definition(s) may seem fairly cut and dried, there is a lot in common between the concepts of reference architectures and architecture frameworks. For some, this is where things get dicey and definitions get blurry. Architecture frameworks, such as the Zachman Framework, the Open Group Architecture Framework (TOGAF), and Department of Defense Architecture Framework (DoDAF) provide approaches to describe and identify necessary inputs to a particular architecture as well as means to describe that architecture. [Disclosure: The Open Group is a sponsor of BriefingsDirect podcasts.]
If a particular architecture is a cookbook that provides guidance on how to go about solving a particular set of problems with a particular approach, an architecture framework is a book about how to write cookbooks. So, architecture frameworks give enterprise architects the tools they need to adequately describe and collect requirements, without mandating any specific architecture type. More specifically, architecture frameworks describe an example taxonomy of the kinds of architectural "views" that an architect might consider developing, and why, and provides guidelines for making the choice for developing particular views.
This differs from the above concept of a reference architecture in that a reference architecture
Furthermore, most reference architectures emphasize the "template" part of the definition of a reference architecture. Both frameworks and RAs provide best practices, and while it might be argued that RAs provide more of a methodology than a framework does, RAs are still not really characterized by their methodology component. Most can be characterized by their template component, however. From this perspective, patterns are instances of templates in this context. In fact, multiple reference architectures for the same domain are allowable and quite useful. Reference architectures can be complementary providing guidance for a single architecture, such as SOA, from multiple viewpoints.
The value of a SOA reference architecture
In many ways, SOA projects are in desperate need of well-thought out reference architectures. ZapThink sees a high degree of variability in SOA projects. Some flourish and succeed while others flounder and fail. Many times the reason for failure can be traced to bad architectural practices, premature infrastructure purchasing, and inadequate governance and management. Other times the failure is primarily organizational. However, what is common in most successes is well-documented and/or communicated architectural practices and a systematic method for learning from one's mistakes and having a low cost of failure.
Furthermore, we find that many architects spend a significant amount of their time researching, investigating, (re-)defining, contemplating, and arguing architectural decisions. In many cases, these architects are reinventing the wheel as their peers in other companies, or even the same company, have already spent that time and effort defining their own architectural practices. This extra effort is not only inefficient, but also prevents the company from learning from its own experiences and applying that knowledge for increased effectiveness.
From this perspective, SOA reference architectures can provide some help to those struggling
Indeed, in order to gain the promised SOA benefits of reuse, reduced redundancy, reduced cost of integration, and increased visibility and governance, companies need to apply their SOA efforts in a consistent manner. This means more than buying and establishing some vendor's infrastructure as a corporate standard or adhering to the latest WS-* standards stack. SOA reference architectures can serve as the basis for disparate SOA efforts throughout the organization, even if they use different tools and technologies. Good SOA reference architectures provide SOA best practices and approaches in a vendor-, technology-, and standards-independent way. Therefore, don't go hunting for one from your favorite vendor of choice. In fact, if you got your SOA reference architecture from that vendor, you might want to consider dropping it in lieu of something more vendor-neutral.
In particular, OASIS offers a SOA Reference Architecture (RA) that "models the abstract architectural elements for a SOA independent of the technologies, protocols, and products that are used to implement a SOA. Some sections of the RA will use common abstracted elements derived from several standards." Their approach uses the concept of "patterns" to identify different methods and approaches for implementing different parts of the architectural picture. While the OASIS SOA Reference Architecture is certainly not the only valid one on the block, it certainly makes a good starting point for those looking for a vendor-neutral SOA reference architecture on which to base their own architectural efforts.
The ZapThink take
Enterprise architects needs all the help they can get to make sure that they deliver reliable, agile, resilient, vendor-neutral architectures to their organization that meet the continuously changing requirements of the business. While certainly the art and practice of enterprise architecture continues to mature, companies should look to borrow as much best practices as they can and learn from others who have already gone down the EA and SOA path. If you plan to learn SOA, or any form of EA for that matter, as you go along, or even worse, from a vendor, then you risk the entire success of your SOA efforts. Rather, leverage (for free) SOA reference architectures so that you can advance at a faster pace and lower risk.
Bernard of Chartres put it best in the well-known saying: "We are like dwarfs on the shoulders of giants, so that we can see more than they, and things at a greater distance, not by virtue of any sharpness of sight on our part, or any physical distinction, but because we are carried high and raised up by their giant size." Stand on the shoulders of other enterprise architecture giants and let them increase your vision and success.
This guest post comes courtesy of ZapThink. Ron Schmelzer, a senior analyst at ZapThink, can be reached here.
Take the BriefingsDirect middleware/ESB survey now.
and Networking Events
In need of vendor-neutral, architect-level SOA and EA training? ZapThink's Licensed ZapThink Architect (LZA) SOA Boot Camps provide four days of intense, hands-on architect-level SOA training and certification.
Advanced SOA architects might want to enroll in ZapThink's SOA Governance and Security training and certification courses. Or, are you just looking to network with your peers, interact with experts and pundits, and schmooze on SOA after hours? Join us at an upcoming ZapForum event. Find out more and register for these events at http://www.zapthink.com/eventreg.html.
Take the BriefingsDirect middleware/ESB survey now.
By Ron Schmelzer
There's nothing more that architects love to do than argue about definitions. If you ever find yourself with idle
time in a room of architects, try asking for a definition of "service" or "architecture" and see what sort of creative melee you can start.That being said, definitions are indeed very important so that we can have a common language to communicate the intent and benefit of the very things we are trying to convince business to invest in. From that perspective, a number of concepts have emerged in the past decade or so that have become top of mind for self-styled enterprise architects: architecture frameworks and reference architectures.
In previous ZapFlashes, we discussed architecture frameworks, which leaves the topic of reference architectures left untouched by ZapThink. Since we can't leave a good argument behind, we're going to use this ZapFlash to explore what reference architectures are all about and what value they have to add to the Service-Oriented Architecture (SOA) story.
What is a reference architecture?
One commonly accepted definition for reference architecture is that it provides a methodology and/or set of practices and templates that are based on the generalization of a set of successful solutions for a particular category of solutions. Reference architectures provide guidance on how to apply specific patterns and/or practices to solve particular classes of problems. In this way, it serves as a "reference" for the specific architectures that companies will implement to solve their own problems. It is never intended that a reference architecture would be implemented as-is, but rather used either as a point of comparison or as a starting point for individual companies' architectural efforts.
Others refine the definition of reference architecture as a description of how to build a class of artifacts. These artifacts can be embodied in many forms including design patterns, methodologies, standards, metadata, and documents of all sorts. Long story short, if you need guidance on how to develop a specific architecture based on best practices or authoritative sets of potential artifacts, you should look to a reference architecture that covers the scope of the architecture that you're looking to build.
One of the most popular examples of reference architectures in IT is the Java Platform Enterprise Edition (Java EE) architecture, which provides a layered reference architecture and templates addressing a range of technology and business issues that have guided many Java-based enterprise systems.
Reference architectures vs. architecture frameworks
While the above definition(s) may seem fairly cut and dried, there is a lot in common between the concepts of reference architectures and architecture frameworks. For some, this is where things get dicey and definitions get blurry. Architecture frameworks, such as the Zachman Framework, the Open Group Architecture Framework (TOGAF), and Department of Defense Architecture Framework (DoDAF) provide approaches to describe and identify necessary inputs to a particular architecture as well as means to describe that architecture. [Disclosure: The Open Group is a sponsor of BriefingsDirect podcasts.]
If a particular architecture is a cookbook that provides guidance on how to go about solving a particular set of problems with a particular approach, an architecture framework is a book about how to write cookbooks. So, architecture frameworks give enterprise architects the tools they need to adequately describe and collect requirements, without mandating any specific architecture type. More specifically, architecture frameworks describe an example taxonomy of the kinds of architectural "views" that an architect might consider developing, and why, and provides guidelines for making the choice for developing particular views.
This differs from the above concept of a reference architecture in that a reference architecture
Both frameworks and RAs provide best practices, and while it might be argued that RAs provide more of a methodology than a framework does, RAs are still not really characterized by their methodology component
goes one step further by accelerating the process for a particular architecture type, helping to identify which architectural approaches will satisfy particular requirements, and figuring out what a minimally acceptable set of architectural artifacts are needed to meet the "best practices" requirements for a particular architecture. To continue our analogy with cookbooks, if an architecture framework is a book on how to write cookbooks, then a reference architecture is a book that provides guidance and best practices on how to write cookbooks focused on weight loss, for example. This would then mean that the particular architecture you develop for your organization would be a specific cookbook that provides weight-loss recipes targeted to your organization. Indeed, if you get puzzled with the definitions, replacing the term "architecture" with "cookbook" is helpful: cookbook frameworks, reference cookbooks, and your particular cookbook.Furthermore, most reference architectures emphasize the "template" part of the definition of a reference architecture. Both frameworks and RAs provide best practices, and while it might be argued that RAs provide more of a methodology than a framework does, RAs are still not really characterized by their methodology component. Most can be characterized by their template component, however. From this perspective, patterns are instances of templates in this context. In fact, multiple reference architectures for the same domain are allowable and quite useful. Reference architectures can be complementary providing guidance for a single architecture, such as SOA, from multiple viewpoints.
The value of a SOA reference architecture
In many ways, SOA projects are in desperate need of well-thought out reference architectures. ZapThink sees a high degree of variability in SOA projects. Some flourish and succeed while others flounder and fail. Many times the reason for failure can be traced to bad architectural practices, premature infrastructure purchasing, and inadequate governance and management. Other times the failure is primarily organizational. However, what is common in most successes is well-documented and/or communicated architectural practices and a systematic method for learning from one's mistakes and having a low cost of failure.
Furthermore, we find that many architects spend a significant amount of their time researching, investigating, (re-)defining, contemplating, and arguing architectural decisions. In many cases, these architects are reinventing the wheel as their peers in other companies, or even the same company, have already spent that time and effort defining their own architectural practices. This extra effort is not only inefficient, but also prevents the company from learning from its own experiences and applying that knowledge for increased effectiveness.
From this perspective, SOA reference architectures can provide some help to those struggling
While the OASIS SOA Reference Architecture is certainly not the only valid one on the block, it certainly makes a good starting point for those looking for a vendor-neutral SOA reference architecture on which to base their own architectural efforts.
with their SOA efforts or thinking about launching a new one. SOA reference architectures allow organizations to learn from other architects' successes and failures and inherit proven best practices. Reference architectures can provide missing architectural information that can be provided in advance to project team members to enable consistent architectural best practices. In this way, the SOA reference architecture provides a base of assets that SOA efforts can draw from throughout the project lifecycle.Indeed, in order to gain the promised SOA benefits of reuse, reduced redundancy, reduced cost of integration, and increased visibility and governance, companies need to apply their SOA efforts in a consistent manner. This means more than buying and establishing some vendor's infrastructure as a corporate standard or adhering to the latest WS-* standards stack. SOA reference architectures can serve as the basis for disparate SOA efforts throughout the organization, even if they use different tools and technologies. Good SOA reference architectures provide SOA best practices and approaches in a vendor-, technology-, and standards-independent way. Therefore, don't go hunting for one from your favorite vendor of choice. In fact, if you got your SOA reference architecture from that vendor, you might want to consider dropping it in lieu of something more vendor-neutral.
In particular, OASIS offers a SOA Reference Architecture (RA) that "models the abstract architectural elements for a SOA independent of the technologies, protocols, and products that are used to implement a SOA. Some sections of the RA will use common abstracted elements derived from several standards." Their approach uses the concept of "patterns" to identify different methods and approaches for implementing different parts of the architectural picture. While the OASIS SOA Reference Architecture is certainly not the only valid one on the block, it certainly makes a good starting point for those looking for a vendor-neutral SOA reference architecture on which to base their own architectural efforts.
The ZapThink take
Enterprise architects needs all the help they can get to make sure that they deliver reliable, agile, resilient, vendor-neutral architectures to their organization that meet the continuously changing requirements of the business. While certainly the art and practice of enterprise architecture continues to mature, companies should look to borrow as much best practices as they can and learn from others who have already gone down the EA and SOA path. If you plan to learn SOA, or any form of EA for that matter, as you go along, or even worse, from a vendor, then you risk the entire success of your SOA efforts. Rather, leverage (for free) SOA reference architectures so that you can advance at a faster pace and lower risk.
Bernard of Chartres put it best in the well-known saying: "We are like dwarfs on the shoulders of giants, so that we can see more than they, and things at a greater distance, not by virtue of any sharpness of sight on our part, or any physical distinction, but because we are carried high and raised up by their giant size." Stand on the shoulders of other enterprise architecture giants and let them increase your vision and success.
This guest post comes courtesy of ZapThink. Ron Schmelzer, a senior analyst at ZapThink, can be reached here.
Take the BriefingsDirect middleware/ESB survey now.
SPECIAL PARTNER OFFER
SOA and EA Training, Certification,and Networking Events
In need of vendor-neutral, architect-level SOA and EA training? ZapThink's Licensed ZapThink Architect (LZA) SOA Boot Camps provide four days of intense, hands-on architect-level SOA training and certification.
Advanced SOA architects might want to enroll in ZapThink's SOA Governance and Security training and certification courses. Or, are you just looking to network with your peers, interact with experts and pundits, and schmooze on SOA after hours? Join us at an upcoming ZapForum event. Find out more and register for these events at http://www.zapthink.com/eventreg.html.
Friday, August 14, 2009
HP partners with iTKO on LISA services testing suite for SOA, BPM
Take the BriefingsDirect middleware/ESB survey now.
When HP inks a deal to resell your testing software, you know you must be doing something right.
HP is reselling iTKO’s LISA Virtualize product, a suite of test, validation and virtualization solutions optimized for distributed, multi-tier applications that leverage SOA, BPM, cloud computing, integration suites and ESBs. HP’s aim is to help customers reduce testing costs and speed the time to market for modern applications. [Disclosure: HP and iTKO are sponsors of BriefingsDirect podcasts.]
How does LISA help HP’s Quality and Performance Management solutions suite? By eliminating common system infrastructure dependencies during application testing. The idea is to trim both the cost and risk of modern Quality Assurance – a major issue for today’s enterprise.
Here’s how it works: LISA Virtualize does away with system dependency constraints by simulating the dynamic behavior and performance conditions of downstream system dependencies. In other words, you can see how systems react and respond as if they were running live – but they aren’t running live. That saves time and money.
Jonathan Rende, vice president and general manager of the Business Technology Optimization Applications, Software and Solutions group at HP, said: "Customers can reduce costs and speed up their ability to respond to business needs by modernizing their applications.”
By bringing together HP Quality Center and HP Performance Center solutions with iTKO's LISA Virtualize software, Rende said customers can remove delay-causing system dependencies during testing processes. The result: saving time and lowering the cost of delivering complex applications.
To be sure, putting quality top of mind earlier in the development process is a key to reducing defects and speeding time to market. And Shridhar Mittal, iTKO's CEO, claims the company’s virtualization capabilities lower test lab costs by up to 65 percent and shortening software release cycles by up to 38 percent.
If those claims hold true, it’s easy to see why HP is partnering with this young company. The running theme with this announcement is saving time and money – both critical selling points in a down economy.
Take the BriefingsDirect middleware/ESB survey now.
BriefingsDirect contributor Jennifer LeClaire provided editorial assistance and research on this post. She can be reached here and here.
When HP inks a deal to resell your testing software, you know you must be doing something right.
HP is reselling iTKO’s LISA Virtualize product, a suite of test, validation and virtualization solutions optimized for distributed, multi-tier applications that leverage SOA, BPM, cloud computing, integration suites and ESBs. HP’s aim is to help customers reduce testing costs and speed the time to market for modern applications. [Disclosure: HP and iTKO are sponsors of BriefingsDirect podcasts.]
How does LISA help HP’s Quality and Performance Management solutions suite? By eliminating common system infrastructure dependencies during application testing. The idea is to trim both the cost and risk of modern Quality Assurance – a major issue for today’s enterprise.
Here’s how it works: LISA Virtualize does away with system dependency constraints by simulating the dynamic behavior and performance conditions of downstream system dependencies. In other words, you can see how systems react and respond as if they were running live – but they aren’t running live. That saves time and money.
Jonathan Rende, vice president and general manager of the Business Technology Optimization Applications, Software and Solutions group at HP, said: "Customers can reduce costs and speed up their ability to respond to business needs by modernizing their applications.”
By bringing together HP Quality Center and HP Performance Center solutions with iTKO's LISA Virtualize software, Rende said customers can remove delay-causing system dependencies during testing processes. The result: saving time and lowering the cost of delivering complex applications.
To be sure, putting quality top of mind earlier in the development process is a key to reducing defects and speeding time to market. And Shridhar Mittal, iTKO's CEO, claims the company’s virtualization capabilities lower test lab costs by up to 65 percent and shortening software release cycles by up to 38 percent.
If those claims hold true, it’s easy to see why HP is partnering with this young company. The running theme with this announcement is saving time and money – both critical selling points in a down economy.
Take the BriefingsDirect middleware/ESB survey now.
BriefingsDirect contributor Jennifer LeClaire provided editorial assistance and research on this post. She can be reached here and here.
Thursday, August 13, 2009
Got middleware? Got ESBs? Take this survey, please.
Take the brief online survey.
I keep hearing about how powerful social media is for gathering insights from the IT communities and users. Yet I rarely see actual market research conducted via the social media milieu.
So now's the time to fully test the process. I'm hoping that you users and specifiers of enterprise software middleware, SOA infrastructure, integration middleware, and enterprise service buses (ESBs) will take 5 minutes and fill out my BriefingsDirect survey. We'll share the results via this blog in a few weeks.
We're seeking to uncover the latest trends in actual usage and perceptions around these technologies -- both open source and commercial.
How middleware products -- like ESBs -- are used is not supposed to change rapidly. Enterprises typically choose and deploy integration software infrastructure slowly and deliberately, and they don't often change course without good reason.
But the last few years have proven an exception. Middleware products and brands have shifted more rapidly than ever before. Vendors have consolidated, product lines have merged. Users have had to grapple with new and dynamic requirements.
Open source offerings have swiftly matured, and in many cases advanced capabilities beyond the commercial space. Interest in SOA is now shared with anticipation of cloud computing approaches and needs.
So how do enterprise IT leaders and planners view the middleware and SOA landscape after a period of adjustment -- including the roughest global recession in more than 60 years?
This brief survey, distributed by BriefingsDirect for Interarbor Solutions, is designed to gauge the latest perceptions and patterns of use and updated requirements for middleware products and capabilities. Please take a few moments and share your preferences on enterprise middleware software. Thank you.
Take the brief online survey.
I keep hearing about how powerful social media is for gathering insights from the IT communities and users. Yet I rarely see actual market research conducted via the social media milieu.
So now's the time to fully test the process. I'm hoping that you users and specifiers of enterprise software middleware, SOA infrastructure, integration middleware, and enterprise service buses (ESBs) will take 5 minutes and fill out my BriefingsDirect survey. We'll share the results via this blog in a few weeks.
We're seeking to uncover the latest trends in actual usage and perceptions around these technologies -- both open source and commercial.
How middleware products -- like ESBs -- are used is not supposed to change rapidly. Enterprises typically choose and deploy integration software infrastructure slowly and deliberately, and they don't often change course without good reason.
But the last few years have proven an exception. Middleware products and brands have shifted more rapidly than ever before. Vendors have consolidated, product lines have merged. Users have had to grapple with new and dynamic requirements.
Open source offerings have swiftly matured, and in many cases advanced capabilities beyond the commercial space. Interest in SOA is now shared with anticipation of cloud computing approaches and needs.
So how do enterprise IT leaders and planners view the middleware and SOA landscape after a period of adjustment -- including the roughest global recession in more than 60 years?
This brief survey, distributed by BriefingsDirect for Interarbor Solutions, is designed to gauge the latest perceptions and patterns of use and updated requirements for middleware products and capabilities. Please take a few moments and share your preferences on enterprise middleware software. Thank you.
Take the brief online survey.
Wednesday, August 12, 2009
Cloud Security Panel: Is cloud computing more or less secure than on-premises IT?
Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download or view the transcript. Sponsor: The Open Group.
Welcome to a special sponsored podcast discussion coming from The Open Group’s 23rd Enterprise Architecture Practitioners Conference in Toronto. This podcast, part of a series from the July 2009 event, centers on cloud computing security.
Much of the cloud security debate revolves around perceptions. ... For some cloud security is seeing the risk glass as half-full or half empty. Yet security in general takes on a different emphasis as services are mixed and matched from a variety of internal and external sources.
So will applying conventional security approaches and best practices be enough for low-risk, high-reward, cloud computing adoption? Most importantly, how do companies know when they are prepared to begin adopting cloud practices without undo security risks?
Here to help better understand the perils and promises of adopting cloud approaches securely, we welcome our panel: Glenn Brunette, distinguished engineer and chief security architect at Sun Microsystems and founding member of the Cloud Security Alliance (CSA); Doug Howard, chief strategy officer of Perimeter eSecurity and president of USA.NET; Chris Hoff, technical adviser at CSA and director of Cloud and Virtualization Solutions at Cisco Systems; Dr. Richard Reiner, CEO of Enomaly; and Tim Grance, program manager for cyber and network security at the National Institute of Standards and Technology (NIST).
The discussion is moderated by me, BriefingsDirect's Dana Gardner.
Here are some excerpts:
Welcome to a special sponsored podcast discussion coming from The Open Group’s 23rd Enterprise Architecture Practitioners Conference in Toronto. This podcast, part of a series from the July 2009 event, centers on cloud computing security.
Much of the cloud security debate revolves around perceptions. ... For some cloud security is seeing the risk glass as half-full or half empty. Yet security in general takes on a different emphasis as services are mixed and matched from a variety of internal and external sources.
So will applying conventional security approaches and best practices be enough for low-risk, high-reward, cloud computing adoption? Most importantly, how do companies know when they are prepared to begin adopting cloud practices without undo security risks?
Here to help better understand the perils and promises of adopting cloud approaches securely, we welcome our panel: Glenn Brunette, distinguished engineer and chief security architect at Sun Microsystems and founding member of the Cloud Security Alliance (CSA); Doug Howard, chief strategy officer of Perimeter eSecurity and president of USA.NET; Chris Hoff, technical adviser at CSA and director of Cloud and Virtualization Solutions at Cisco Systems; Dr. Richard Reiner, CEO of Enomaly; and Tim Grance, program manager for cyber and network security at the National Institute of Standards and Technology (NIST).
The discussion is moderated by me, BriefingsDirect's Dana Gardner.
Here are some excerpts:
Reiner: There are security concerns to cloud computing. Relative to the security concerns in the ideal enterprise mode of operation, there is some good systematic risk analysis to model the threats that might impinge upon this particular application and the data it processes, and then to assess the suitability of different environments for potential deployment of that stuff.Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download or view the transcript. Sponsor: The Open Group.
There are a lot more question marks around today's generation of public-cloud services, generally speaking, than there are around the internal computing platforms that enterprises can use. So it's easier to answer those questions. It's not to say the answers are necessarily better or different, but the questions are easier to answer with respect to the internal systems, just because there are more decades of operating experience, there is more established audit practice, and there is a pretty good sense of what's going to be acceptable in one regulatory framework or another.
Howard: The first thing that you need to know is, "Am I going to be able to deliver a service the same way I deliver it today at minimum? Is the user experience going to be, at minimum, the same that I am delivering today?"
Because if I can't deliver, and it's a degradation of where my starting point is, then that will be a negative experience for the customers. Then, the next question is, obviously, is it secured as a business continuity? Are all those things and where that actual application resides completely transparent to the end user?
Brunette: Is cloud computing more or less secure than client-server? I don't think so. I don't think it is either more or less secured. Ultimately, it comes down to the applications you want to run and the severity or criticality of these applications, whether you want to expose them in a shared virtualized infrastructure.
... When you start looking at the cloud usage patterns and the different models, you're going to see that governance does not end at your organization's border. You're going to need to understand the policies, the processes, and the governance model of the cloud providers.
It's going to be important that we have a degree of transparency and compliance out in the cloud in a way that can be easily consumed and integrated back into an organization.
Hoff: One of the interesting notions of how cloud computing alters the business case and use models really comes down to a lot of pressure combined with the economics today. Somebody, a CIO or a CEO, goes home and is able to fire up their Web browser, connect to a service we all know and love, get their email, enjoy a robust Internet experience that is pretty much seamless, and just works.
Then, they show up on Monday morning and they get the traditional, "That particular component is down. That doesn't work. This is intrusive. I've got 47,000 security controls that I don't understand. You keep asking for more money."
Grance: Cloud has a vast potential to cause a disintermediation, just like in power and other kinds of industries. I think it may run eventually through some of these consulting companies, because you won't be able to get as rich off of consulting for that.
In the meantime, I think you're going to have ... people simply just roll their own [security]. Here's my magic set of controls. It may not be all of them. It may just be a few of them. I think people will shop around for those answers, but I think the marketplace will punish them.
Howard: ... If you look at a lot of the cloud providers, we tend, in many cases, to fight some standards, because, in reality, we want to have competitive differentiators in the marketplace. Sometimes, standards and interoperability are key ones, sometimes standards create a lack of our ability to differentiate ourselves in the marketplace.
However, on the security side, I that's one of the key areas that you definitely can get the cloud providers behind, because, if we have 10,000 clients, the last thing we want is to have enough people sitting around taking the individual request of all the audits that are coming in from those customers.
... So, to put standards behind those types of efforts is an absolute requirement in the industry to make it scalable, not just beyond the infrastructure, performance, availability, and all those things, but actually from a cost perspective of people supporting and delivering these services in the marketplace.
Brunette: ... One of the other things I'd point out is that, it's not just about the cloud providers and the cloud consumers, but there are also other opportunities for other vendors to get into the fray here.
One of the things that I've been a strong proponent of is, for example, OS vendors producing better, more secured, hardened versions of their operating systems that can be deployed and that are measurable against some standard, whether a benchmark from the Center for Internet Security, or FDCC in the commercial or in the federal space.
You may also have the opportunity of third parties to develop security-hardened stacks. So, you'd be able to have a LAMP stack, a Drupal stack, an Oracle stack, or whatever you might want to deploy, which has been really vetted by the vendor for supportability, security, performance, and all of these things. Then, everyone benefits, because you don't all have to go out there and develop your own.
Howard: ... At the end of the day, if you develop and you deliver a service ... and the user experience is positive, they're going to stay with the service.
On the flip side, if somebody tries to go the cheap way and ultimately delivers a service that has not got that high availability, has got problems, is not secure, and they have breaches, and they have outages, eventually that company is going to go out of business. Therefore, it's your task right now to figure out who are the real players, and does it matter if it's an Oracle database, SQL database, or MySQL database underneath, as long as it's meeting the performance requirements that you have.
Unfortunately, right now, because everything is relatively new, you will have to ask all the questions and be comfortable that those answers are going to deliver the quality of service that you want. Over time, on the flip side, it will play out and the real players will be the real players at the end of the day.
Hoff: ... It [also] depends on what you pay for it, and I think that's a very interesting demarcation point. There is a service provider today who doesn’t charge me anything for getting things like mail and uploading my documents, and they have a favorite tag line, “Hey, it’s always in beta.” So the changes that you might get could be that the service is no longer available. Even with enterprise versions of them, what you expect could also change.
... In the construct of SaaS, can that provider do a better job than you can, Mr. Enterprise, in running that particular application?
This comes down to an issue of scale. More specifically, what I mean by that is, if you take a typical large enterprise with thousands of applications, which they have to defend, safeguard, and govern, and you compare them to a provider that manages what, in essence, equates to one application, comparing apples to elephants is a pretty unreasonable thing, but it’s done daily.
What’s funny about that is that, if you take a one-to-one comparison with that enterprise that is just running that one application with the supporting infrastructure, my argument would be that you may be able to get just as good as, perhaps even better, performance than the SaaS provider. It’s when you get to the point of where you define scale, it's on the consumer side or number of apps you provide where that question gets interesting.
... What happens then when I end up having 50 or 60 cloud providers, each running a specific instance of these applications. Now, I've squeezed the balloon. Instead of managing my infrastructure, I'm managing a bunch of other guys who I hope are doing a good job managing theirs. We are transferring responsibility, but not accountability, and they are two very different things.
Brunette: ... In almost every case, the cloud providers can hide all of that complexity, but it gives them a lot more flexibility in terms of which technology is right for their underlying application. But, I do believe that over time they will have a very strong value proposition. It will be more on the services that they expose and provide than the underlying technology.
Hoff: ... The reality is, portability and interoperability are going to be really nailed to firstly define workload, express the security requirements attached to that workload, and then be able to have providers attest in the long-term in a marketplace.
I think we called it "the Intercloud," a way where you go through service brokers or do direct interchange with this type of standards and protocols to say, “Look I need this stuff. Can you supply these resources that meet these requirements? “No? Well, then I go somewhere else.”
Some of that is autonomic, some of it’s automated, and some of it will be manual. But, that's all predicated, in my opinion, upon building standards that lets us exchange that information between parties.
Reiner: I don't think anyone would disagree that learning how to apply audit standards to the cloud environment is something that takes time and will happen over time. We probably are not in a situation where we need yet another audit standard. What we need is a community of audit practices to evolve and to mature to the point where there is a good consensus of opinion about what constitutes an appropriate control in a cloud environment.
Brunette: As Chris said, it comes down to open standards. It's important that you are able to get your data out of a cloud provider. It's just as important that you need to have a standard representation of that data, something that can be read by your own applications, if you want to bring it back in house, and something that you can use with another provider, if you decide go that route.
Grance: I'm going to out on a limb and say that NIST is in favor of open, voluntary consensus, but data representation and APIs are early places where people can start. I do want to say important things about open standards. I want to be cautious about how much we specify too early, because there is a real ability to over specify early and do things really badly.
So it's finding that magic spot, but I think it begins with data representation and APIs. Some of these areas will start with best practices and then evolve into these things, but again the marketplace will ultimately speak to this. We convey our requirements in clear and pristine fashion, but put the procurement forces behind that, and you will begin to get the standards that you need.
Subscribe to:
Posts (Atom)
