Successfully Managing Transition from Development to Test and into Global Production
K. Scott Morrison
Chief Technology Officer & Chief Architect
Layer 7 Technologies
White Paper
Consistent Control of SOA from the Enterprise to the Cloud
Contents
Introduction
Where Application Dependencies Reside
Traditional On-Premise Solutions
The Challenge of the Cloud
Layer 7 Enterprise Service Manager
Conclusions
About Layer 7 Technologies
Contact Layer 7 Technologies
Legal Information
Introduction
Managing applications as they transition between environments, such as during the migration from
development, to test, and finally into production, has always been a challenge for IT. In a
well-designed application, the difficulties rarely reside with the code; more often, problems arise
because of the application’s dependency on other systems. Directories, firewalls, Identity and Access
Management (IAM), audit sinks, additional service providers—each of these actors may play an
important role in the operation of a modern distributed system, and all of these can be challenging
to coordinate when an application is promoted through its natural lifecycle.
This dependency problem is exacerbated when moving applications between the enterprise and the
cloud. The need to support elasticity, the potential benefits from brokering between different providers,
and the fundamental differences in how identity is validated and processed all conspire in the cloud to
make simple, scripted migration solutions impractical. This brief paper explains the dependency
problem in some depth and offers a solution for distributed enterprises that want to decrease the risk of
application migration.
In contrast, virtualization at the operating system level, such as promoted by VMware and Xen, has
been extremely successful in containing these dependencies inside a transportable bundle and thus
largely eliminating their negative effects. A programmer can develop an application on a Windows
desktop, build it on a Linux environment, and package the result into a self-contained virtual image
for deployment to a Solaris production host. This is undeniably a coarsely grained approach to
packaging, and it comes at a cost of additional size and execution overhead. However, it has
undeniably been successful at eliminating that particular class of application dependency.
Unfortunately, virtualization does little to solve the problem of dependencies on external services.
Most enterprise applications rely on an assortment of such services to operate. Some of these
services are core enterprise infrastructure, such as directories, IAM systems, or Message-Oriented
Middleware (MOM) providers. Some of the services are themselves applications, publishing core
functionality as Web services. Services such as log and audit sinks are easy to overlook as
dependencies that bind an application to a particular deployment environment.
One might argue that this is simply moving dependency to another entity, the PEP. This is true;
however, PEPs are designed to effectively parameterize these dependencies as elements of the policy
associated with an application. Policy is simply the formalized description of how to secure,
control, and manage an application; it aggregates all of a program’s external dependencies into a
centralized description that is easy to move, promotes reuse, and allows administration of policy to
shift away from developers and to security administrators and operators.
These differences in the cloud will become apparent as software crosses the chasm between
development and test. This boundary is significant because of emerging differences in utilization of
cloud technology between software developers and testers.
Quality Assurance (QA), in contrast, benefits greatly from centralized cloud deployment, as the
relative success of Skytap and ITKO attests. Cloud solves an immediate problem for QA by
eliminating expensive test labs, so acceptance of cloud technology among this culture is increasing
dramatically. But as applications move to a cloud-based test environment, the changes to policy
contained in a PEP can be dramatic. Public clouds are very exposed environments, so all applications,
even in initial test deployment, must offer strong associated security policies governing secure
communications and access. Cloud environments will not have access to on-premise directories and IAM
systems, so PEP access policy must transform to now accept security tokens such as X.509 certificates or
SAML tokens that declare identity verifiable against generalized trust relationships. The validation
procedure for this is complex to develop and harder to administer. Virtualized PEPs, deployed into the
cloud and protecting applications, show their value immediately by streamlining this enforcement.
Nevertheless, the policy for administering access control and security in a cloud test lab will naturally
capture localized attributes. These demand further consideration as the application moves into
production.
This jump from test lab to production environment, although potentially remaining in the cloud, is no
less complex. New policy dependencies, such as Service-Level Agreements (SLAs), IP addresses of
services, and the characteristics of audit sinks, are inevitably different between these environments.
Obviously, consolidation in PEP policy helps; however, these elements still require alteration in a
consistent, reproducible, and deterministic manner.
Economic realities in the cloud marketplace further complicate application deployment. Cloud
technology is changing rapidly, and providers are using product offering, cost, and brand to position
themselves in what is becoming a very competitive market. Because of the rapid rate of change, few
organizations are willing to engage in a long-term commitment to a single provider. In some instances,
this has led to the use of cloud brokers to rapidly switch between competing providers, not just to
minimize cost or ensure SLA, but also as a means of disaster recovery in the event of failure of a data
center. As a result, there is a need to map application dependencies in policy not just between
on-premise networks and the cloud, but also between distinct cloud providers. This affects elements such
as trust relationships, articulated through complex technology such as Public Key Infrastructure (PKI) or
Kerberos.
ESM is the essential tool to effectively manage SOA application migration both on-premise and in the
cloud. SecureSpan Gateways aggregate dependencies into policy, providing security and management
for each SOA application in the network. ESM automates migration of policy between environments,
from test through to production, from on-premise out to the cloud. It features automated, deterministic
mapping of all variable parameters in policy. Attributes such as IP addresses, URLs, shared cluster
variables, key names, global schemas, certificates, WSDL documents, queue names, and trust
relationships are among the long list of parameters with supported mappings. ESM facilitates mapping
of identity-declarations between gateway clusters, including both individually named identities (for
example, a username) and groups (such as a distinct LDAP grouping). It provides wizard-driven graphical
interfaces to facilitate first-time mappings, including content browsers for identity providers linked to
both source and destination gateways.
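The deterministic mapping of environment-bound policy parameters described above can be sketched as follows. This is an added example, not ESM or Layer 7 code; the policy fields, their values and the mapping table are constructed, hypothetical names.

```python
import hashlib
import json

# Constructed test-lab policy; every field name and value here is hypothetical.
TEST_POLICY = {
    "route_url": "https://orders.test.example/api",
    "audit_sink": "10.0.5.20:514",
    "queue": "orders.test.in",
    "trusted_issuer": "CN=Test Lab CA",
    "allowed_groups": ["cn=qa-testers,ou=groups,dc=test,dc=example"],
    "require_tls": True,  # environment-independent, must survive unchanged
}
# Fields that bind the policy to one environment and must be mapped on every move.
ENV_BOUND = ("route_url", "audit_sink", "queue", "trusted_issuer", "allowed_groups")
# Constructed test -> production mapping, keyed by field, then by source value.
PROD_MAP = {
    "route_url": {"https://orders.test.example/api": "https://orders.prod.example/api"},
    "audit_sink": {"10.0.5.20:514": "10.8.1.7:6514"},
    "queue": {"orders.test.in": "orders.prod.in"},
    "trusted_issuer": {"CN=Test Lab CA": "CN=Production Issuing CA"},
    "allowed_groups": {"cn=qa-testers,ou=groups,dc=test,dc=example":
                       "cn=order-clerks,ou=groups,dc=corp,dc=example"},
}

class UnmappedDependency(Exception):
    """Raised with the list of (field, source value) pairs that have no target."""

def migrate(policy, mapping):
    """Return a mapped copy of policy; fail closed if any bound value is unmapped."""
    out, missing = dict(policy), []
    for field in ENV_BOUND:
        value = policy[field]
        items = value if isinstance(value, list) else [value]
        mapped = [mapping.get(field, {}).get(v) for v in items]
        missing += [(field, v) for v, m in zip(items, mapped) if m is None]
        out[field] = mapped if isinstance(value, list) else mapped[0]
    if missing:
        # A test-lab address or trust anchor must never leak into production.
        raise UnmappedDependency(missing)
    return out

def digest(policy):
    """Stable fingerprint: the same policy and mapping always give the same value."""
    canonical = json.dumps(policy, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()
```

Comparing `digest()` of two independent runs confirms the migration is reproducible, and the exception lists exactly which dependencies still need a mapping before promotion.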
Conclusions
Cloud computing has much to offer the enterprise. Just as we have benefited from commoditization of
manufacturing, so too will we benefit from commoditization of data center operations. The adoption of
cloud by the enterprise is inevitable because it offers an alternative to a basic cost center that will prove
to be irresistible to the executive suite. Cloud, however, will bring about new challenges. Some of these
challenges will demand changes in the way we design and develop applications. Other challenges should
build on the foundation of existing successes in on-premise IT.
Application migration is one of the latter cases. Over the past decade, SOA methodology has clearly
demonstrated the value of moving transaction security and monitoring out of the application and into
external PEPs, thus consolidating service dependencies into reusable, centrally administered policy.
Customers in the military, the intelligence community, and the financial services sector use Layer 7
SecureSpan Gateways today to secure their applications and provide much-needed visibility into their
operational state.
Email: info@layer7tech.com
Web Site: www.layer7tech.com
Phone: (+1) 604-681-9377
1-800-681-9377 (toll free within North America)
Fax: 604-681-9387
Address:
Layer 7 Technologies
1200 G Street, NW, Suite 800
Washington, DC 20005

Layer 7 Technologies
Suite 405-1100 Melville Street
Vancouver, BC
V6E 4A6 Canada
Legal Information
Copyright © 2010 by Layer 7 Technologies, Inc. (www.layer7tech.com). Contents confidential. All rights reserved.
SecureSpan™ is a registered trademark of Layer 7 Technologies, Inc. All other mentioned trade names and/or
trademarks are the property of their respective owners.