
Consistent Control of SOA from the Enterprise to the Cloud

Successfully Managing Transition from Development to Test and into Global Production

K. Scott Morrison
Chief Technology Officer & Chief Architect

Layer 7 Technologies

White Paper

Contents

Introduction
Where Applications Dependencies Reside
Traditional On-Premise Solutions
The Challenge of the Cloud
Layer 7 Enterprise Service Manager
Conclusions
About Layer 7 Technologies
Contact Layer 7 Technologies
Legal Information

Copyright © 2010 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies
design mark are trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the
property of their respective owners.

Introduction
Managing applications as they transition between environments, such as during the migration from
development, to test, and finally into production, has always been a challenge for IT. In a
well-designed application, the difficulties rarely reside with the code; more often, problems arise
because of the application’s dependency on other systems. Directories, firewalls, Identity and Access
Management (IAM), audit sinks, additional service providers—each of these actors may play an important
role in the operation of a modern distributed system, and all of these can be challenging to coordinate
when an application is promoted through its natural lifecycle.

This dependency problem is exacerbated when moving applications between the enterprise and the
cloud. The need to support elasticity, the potential benefits from brokering between different providers,
and the fundamental differences in how identity is validated and processed all conspire in the cloud to
make simple, scripted migration solutions impractical. This brief paper explains the dependency
problem in some depth and offers a solution for distributed enterprises that want to decrease the risk of
application migration.

Where Applications Dependencies Reside


Modern applications almost never operate alone. They are assemblies of new code and existing services,
all shaped by the attributes of their environment. Hardware architecture, libraries and operating
systems all contribute dependencies to an application and therefore add complexity to any migration.
Virtualization of the application run time environment, such as that promoted by Java and .NET, has
absorbed the impact of some of these factors. However, few developers will argue persuasively that this
has eliminated the problem.

In contrast, virtualization at the operating system level, such as promoted by VMware and Xen, has
been extremely successful in containing these dependencies inside a transportable bundle and thus
largely eliminating their negative effects. A programmer can develop an application on a Windows
desktop, build it on a Linux environment, and package the result into a self-contained virtual image for
deployment to a Solaris production host. This is undeniably a coarsely grained approach to packaging,
and it comes at a cost of additional size and execution overhead. However, it has undeniably been
successful at eliminating that particular class of application dependency.

Unfortunately, virtualization does little to solve the problem of dependencies on external services. Most
enterprise applications rely on an assortment of such services to operate. Some of these services are
core enterprise infrastructure, such as directories, IAM systems, or Message-Oriented Middleware
(MOM) providers. Some of the services are themselves applications, publishing core functionality as
Web services. Services such as log and audit sinks are easy to overlook as dependencies that bind an
application to a particular deployment environment.

All of these dependencies cause problems as an application moves between environments, such as during
the common migration from development, to test, and on to production. This has been a challenge to
developers and operators for many years.


Traditional On-Premise Solutions


The usual approach to managing these dependencies is to parameterize connection descriptions and
consolidate all of these as properties in a file or central registry. Scripts then drive migration.
Unfortunately, these scripts are usually hand coded for each application, a solution that is
time-consuming, brittle, and difficult to maintain over time.

As organizations adopted Service-Oriented Architecture (SOA) methodologies, they’ve come to realize
that many of these dependencies can be isolated from an application using externalized Policy
Enforcement Points (PEPs). PEPs take on the role of security gateway, and by doing so assume the
responsibility for external service dependencies. For example, a PEP might deal with all authentication
and authorization, thereby isolating an application from any dependency on directory or IAM
infrastructure. Similarly, the PEP could manage the encryption and decryption of all communications in
or out of a host. This buffers the application from direct dependency on server-side certificates and
trust configurations, which are difficult to maintain when programs migrate between staging
environments.

One might argue that this is simply moving dependency to another entity, the PEP. This is true; however,
PEPs are designed to effectively parameterize these dependencies as elements of the policy associated
with an application. Policy is simply the formalized description of how to secure, control, and manage an
application; it aggregates all of a program’s external dependencies into a centralized description that
is easy to move, promotes reuse, and allows administration of policy to shift away from developers and
to security administrators and operators.

This strategy of delegating security and management to an external PEP has proven its value in
on-premise SOA. This environment lends itself well to strong, centralized control, maintained by a staff
organized into dedicated silos of responsibility. The core infrastructure that constitutes the basis of
most application external dependencies—the IAM systems, operations fabric, the MOM infrastructure—is
centralized, and thus simple to integrate. In this environment, PEPs are extremely effective at isolating
security and management dependencies from applications and promoting a simple migration strategy for
software within the enterprise network.

The Challenge of the Cloud


New challenges arise when SOA applications deploy in the cloud. The cloud is a necessarily different
environment than the on-premise network, with radically different boundaries of control. Infrastructure
that was readily available on-premise may be inaccessible to cloud-resident applications. The cloud does
have important advantages such as elasticity that organizations should leverage; however, in practice
this attribute can be difficult to manage when traditional applications depend on external services to
function.

These differences in the cloud will become apparent as software crosses the chasm between
development and test. This boundary is significant because of emerging differences in utilization of
cloud technology between software developers and testers.

Application development can benefit greatly from cloud-based infrastructure such as code repositories;
however, actual code development remains an individual or team-based exercise that still largely takes
place on relatively inexpensive, individual workstations. In general, cloud-resident development
environments have not proven popular.

Quality Assurance (QA), in contrast, benefits greatly from centralized cloud deployment, as the
relative success of Skytap and ITKO attests. Cloud solves an immediate problem for QA by
eliminating expensive test labs, so acceptance of cloud technology among this culture is increasing
dramatically. But as applications move to a cloud-based test environment, the changes to policy
contained in a PEP can be dramatic. Public clouds are very exposed environments, so all applications,
even in initial test deployment, must offer strong associated security policies governing secure
communications and access. Cloud environments will not have access to on-premise directories and IAM
systems, so PEP access policy must transform to now accept security tokens such as X.509 certificates or
SAML tokens that declare identity verifiable against generalized trust relationships. The validation
procedure for this is complex to develop and harder to administer. Virtualized PEPs, deployed into the
cloud and protecting applications, show their value immediately by streamlining this enforcement.
Nevertheless, the policy for administering access control and security in a cloud test lab will naturally
capture localized attributes. These demand further consideration as the application moves into
production.

This jump from test lab to production environment, although potentially remaining in the cloud, is no
less complex. New policy dependencies, such as Service-Level Agreements (SLAs), IP addresses of
services, and the characteristics of audit sinks, are inevitably different between these environments.
Obviously, consolidation in PEP policy helps; however, these elements still require alteration in a
consistent, reproducible, and deterministic manner.

Elastic computing—the ability to create or de-commission new application instances on-demand—is one
of the defining characteristics of cloud and often promoted as one of this technology’s most important
benefits. But elasticity is difficult to manage, and it is greatly complicated by an application’s
dependencies on other services. When a new application instance comes online, the operator must
re-partition the traffic load, route transactions to the new instance’s IP address, and change SLAs in
proportion. The operator must administer the trust relationships between this instance and service
consumers, as well as the relationship between the application instance and its external dependencies.
Clearly, PEPs can play an important role here, as it would be unsustainable to try to maintain such
complexity using traditional scripting methods. Nevertheless, the transformation of PEP policy to
leverage elasticity is clearly a significant challenge.


Economic realities in the cloud marketplace further complicate application deployment. Cloud
technology is changing rapidly, and providers are using product offering, cost, and brand to position
themselves in what is becoming a very competitive market. Because of the rapid rate of change, few
organizations are willing to engage in a long-term commitment to a single provider. In some instances,
this has led to the use of cloud brokers to rapidly switch between competing providers, not just to
minimize cost or ensure SLAs, but also as a means of disaster recovery in the event of failure of a data
center. As a result, there is a need to map application dependencies in policy not just between
on-premise networks and the cloud, but also between distinct cloud providers. This affects elements such
as trust relationships, articulated through complex technology such as Public Key Infrastructure (PKI) or
Kerberos.

Layer 7 Enterprise Service Manager

Layer 7 developed Enterprise Service Manager (ESM) to meet the challenge of application
dependencies, both in on-premise SOA and out in the cloud. Enterprise Service Manager administers
clusters of SecureSpan Gateways, the industry’s leading PEP for SOA and Web services. SecureSpan
Gateways come in a range of form factors, from accelerated, hardware-based gateways for on-premise,
DMZ deployment, to virtualized gateways suitable for deployment in cloud environments such as
Amazon.

Enterprise Service Manager provides operations management with the necessary global view of
deployed gateways and the applications these protect. Regardless of where gateways reside, in a single
data center, or across the globe, ESM provides the consolidated view that administers them all. It
automatically monitors the operational characteristics of each gateway under its control, alerting
operations personnel if an instance fails, or if a system exceeds monitored thresholds. As conditions
change, ESM can start or stop any gateway instance under its administration, giving operators the
control they need to leverage elastic, on-demand computing.

ESM is the essential tool to effectively manage SOA application migration both on-premise and in the
cloud. SecureSpan Gateways aggregate dependencies into policy, providing security and management
for each SOA application in the network. ESM automates migration of policy between environments,
from test through to production, from on-premise out to the cloud. It features automated, deterministic
mapping of all variable parameters in policy. Attributes such as IP addresses, URLs, shared cluster
variables, key names, global schemas, certificates, WSDL documents, queue names, and trust
relationships are among the long list of parameters with supported mappings. ESM facilitates mapping
of identity declarations between gateway clusters, including both individually named identities (for
example, a username) and groups (such as a distinct LDAP grouping). It provides wizard-driven graphical
interfaces to facilitate first-time mappings, including content browsers for identity providers linked to
both source and destination gateways.
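
The deterministic parameter and identity mapping described above can be sketched as follows. This is an
added example, not Layer 7 or ESM code: the policy layout, field names, and every value are hypothetical
and constructed for illustration. It refuses to promote a policy while any environment-bound value or
identity lacks an explicit mapping, so a test-lab address, key, or trust anchor cannot reach production.

```python
# Added illustration (not Layer 7 / ESM code): promote a PEP policy between
# environments with a deterministic, fail-closed mapping. The policy layout,
# field names and every value below are hypothetical and constructed.
import copy

# Policy fields whose values are tied to one environment.
ENV_BOUND = ("audit_sink", "backend_url", "queue", "server_cert", "trusted_issuer")

TEST_POLICY = {  # constructed sample: policy as captured in a cloud test lab
    "service": "orders",
    "require_tls": True,
    "backend_url": "https://10.0.5.12:8443/orders",
    "audit_sink": "syslog://10.0.5.40:514",
    "server_cert": "test-orders-key",
    "trusted_issuer": "CN=Test Lab CA",
    "allow": [("user", "qa-runner"), ("group", "cn=testers,ou=qa")],
}

PROD_MAPPING = {  # constructed sample: test value -> production value
    "values": {
        "https://10.0.5.12:8443/orders": "https://orders.prod.example:8443/orders",
        "syslog://10.0.5.40:514": "syslog://audit.prod.example:6514",
        "test-orders-key": "prod-orders-key",
        "CN=Test Lab CA": "CN=Production Issuing CA",
    },
    "identities": {
        ("user", "qa-runner"): ("user", "orders-client"),
        ("group", "cn=testers,ou=qa"): ("group", "cn=order-clients,ou=prod"),
    },
}


class UnmappedDependency(Exception):
    """Raised with the full list of dependencies that have no target mapping."""


def promote(policy, mapping):
    """Return a copy of policy rewritten for the target environment.

    Every environment-bound field and every identity must have an explicit
    mapping; otherwise nothing is returned and all gaps are reported at once.
    """
    out = copy.deepcopy(policy)
    missing = []
    for field in ENV_BOUND:  # fixed order keeps output and errors reproducible
        if field not in policy:
            continue
        if policy[field] in mapping["values"]:
            out[field] = mapping["values"][policy[field]]
        else:
            missing.append(f"{field}={policy[field]}")
    out["allow"] = []
    for ident in policy.get("allow", []):
        if ident in mapping["identities"]:
            out["allow"].append(mapping["identities"][ident])
        else:
            missing.append(f"identity={ident[0]}:{ident[1]}")
    if missing:
        raise UnmappedDependency(missing)
    return out
```

Environment-neutral settings such as `require_tls` pass through unchanged, and the source policy is never
modified, so the same mapping applied twice yields the same result.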

Conclusions
Cloud computing has much to offer the enterprise. Just as we have benefited from commoditization of
manufacturing, so too will we benefit from commoditization of data center operations. The adoption of
cloud by the enterprise is inevitable because it offers an alternative to a basic cost center that will prove
to be irresistible to the executive suite. Cloud, however, will bring about new challenges. Some of these
challenges will demand changes in the way we design and develop applications. Other challenges should
build on the foundation of existing successes in on-premise IT.

Application migration is one of the latter cases. Over the past decade, SOA methodology has clearly
demonstrated the value of moving transaction security and monitoring out of the application and into
external PEPs, thus consolidating service dependencies into reusable, centrally administered policy.
Customers in the military, the intelligence community, and the financial services sector use Layer 7
SecureSpan Gateways today to secure their applications and provide much-needed visibility into their
operational state.

Layer 7’s Enterprise Service Manager builds on this foundation to allow policies to migrate between
environments in lock step with applications. It provides the control operational staff need to promote
applications through the on-premise network and out into the cloud to meet business demand.


About Layer 7 Technologies


With offices in San Mateo, California; New York, New York; and Vancouver, British Columbia, Canada; Layer 7
Technologies helps enterprises accomplish secure and cost-effective business integration using XML and Web
services. Layer 7 Technologies’ SecureSpan™ Solution is the first technology that addresses security and
governance across a Web services integration without expensive and inflexible programming. With the
SecureSpan™ Solution, customers realize lowered integration costs, increased security reliability, and the
ability to future-proof their Web services investments. Contact Layer 7 Technologies or visit
www.layer7tech.com for more information.

Contact Layer 7 Technologies


Layer 7 Technologies welcomes your questions, comments, and general feedback.

Email:
info@layer7tech.com

Web Site:
www.layer7tech.com

Phone:
(+1) 604-681-9377
1-800-681-9377 (toll free within North America)

Fax:
604-681-9387

Address:
Layer 7 Technologies
1200 G Street, NW, Suite 800
Washington, DC 20005

Layer 7 Technologies
Suite 405-1100 Melville Street
Vancouver, BC
V6E 4A6 Canada

Legal Information
Copyright © 2010 by Layer 7 Technologies, Inc. (www.layer7tech.com). Contents confidential. All rights reserved.
SecureSpan™ is a registered trademark of Layer 7 Technologies, Inc. All other mentioned trade names and/or
trademarks are the property of their respective owners.
