Cloud Security Alliance Congress Orlando 2012 pt1

This week I am at the Cloud Security Alliance (CSA) congress in Orlando.  The week has been pretty hectic with meeting people and receiving an award etc.  I have made some notes from a few of the talks so will share those here, although they are not as comprehensive as the notes I made at the RSA conference a few weeks ago.

Regarding the conference itself, this has been a bit of a busman’s holiday as I have had to take this week as annual leave due to it not being directly linked to my current day job and the fact it’s my third conference in a couple of months..  On a brighter note the CSA actually paid for me to come out here to receive my award, which was an extremely cool gesture.

It terms of organisation and content this one falls somewhere between the service technology symposium and the RSA conference, but much nearer the RSA end of the scale.  The conference is obviously a lot smaller than RSA, but was surprisingly well organised.  Content we also pretty good, a few too many vendor product focussed talks for my liking, but this is a new conference that has to be financially viable as well as interesting.  Overall I would definitely recommend coming to this next year if you have any interest in cloud security.

As with the previous conferences I’ll split the day’s notes into a couple of posts.  In order to get these up now rather than waiting until I get home and finding time to write things up, so please be understanding if some of them are not perfectly formatted or as fully explained as they could be.  I will be creating more detailed follow up posts for some of the key issues that have been discussed.

Opening Keynote 1 – The world is changing; we must change with it!

–          What do you do if you have a security incident in a faraway country?  Your Law enforcement / government has no jurisdiction.. eBay has directly indicted over 3000 people globally due to the security / incident response and investigation teams.

–          Have to create capabilities to share vital information globally

–          Computation is changing

  • Exponential data growth and big data

–          Adversary is professional, Global and Collaborative

  • We are all fighting alone

–          Threat continues to increase

–          Business environment is changing

–          Change the way you think!

  • Can we make attack data anonymous enough that is can be shared in a meaningful way to help others and improve overall understanding and security

–           Look at things like CloudCert

Computing is changing;

–          Cloud computing is just the beginning

  • Shared datacentres, networks, computers etc..

–          Driven by cost savings and need to be competitive in a global marketplace

–          Virtualisation – Mobile – BYOD (explosion of devices)

–          Increasing reliance on Browser

  • Secure Browser ‘App’ vs. URL  (Apps vs. things like HTML5)
  • Do we start building Apps / Browsers dedicated to specific tasks for critical / risky tasks such as banking, online shopping with card details etc.  This would stop XSS.

Exponential data growth – Big data

–          In 2010 humanities data passed 1 zettabyte – (1 with 21 zeros after it).

–          Estimated volume in 2015 – 7.9ZB

–          Number of servers expected to grow by 10* over the next 10 years.

Threat escalation;

  • Malware 26M in 2011 – 2.166M/mo. – 71,233/day.  73% Trojans.
  • Application lifecycle – how long will the legay apps you use be around?

–          Mobile

  • First attacks on O/S
  • First mobile drive by downloads
  • Malicious programs in App stores
  • First mass Android worm

–          Attacks built in the Cloud are invisible, and inexpensive

  • Role of cloud providers in detecting attack development – what are the implications of this – to prevent attacks CSPs would need some visibility around what you are doing..  Would you want this?

Business Environment Changes

–          Drive to innovate

  • Scrums, agile computing initiatives change the way we work
  • Security needs to work in a more agile way

–          Rapid delivery of features and functions

  • Build securely – not build and test

–          Impact of Intense, Global competition

–          SMBs are the foundation of US recovery but need help

–          Blurring of home/personal and work

Six Irrefutable Laws of information Security;

  1. Information wants to be free
  2. Code wants to be wrong
  3. Services want to be on
  4. Users want to click
  5. Even a security feature can be used for harm
  6. The efficacy of a control deteriorates with time

The implications for Cloud Security, shared infrastructures and platforms, virtualisation, the proliferation of mobile devices etc. are clear..

Even small or seemingly less interesting companies are now targets – criminals want as much information as they can get..  Again highlights the point that you will be hacked..

What do we need to do? – We need intelligence!

Director of Georgia Tech Information Security Centre, 2011 –

“We continue to witness cyber-attacks of unprecedented sophistication and reach, demonstrating that malicious actors have the ability to compromise and control millions of computers that belong to governments, private enterprises and ordinary citizens.”

We have limited resources so what should we spend our time and money on – malware defence? Mobile? Big Data?

What is needed to get where we need to be?

–          Global perspective

  • Not National
  • Not Government

–          Global Information Sharing

  • Sources
  • Solutions

–          Intelligence based security

  • Strategy and Budget

–          We MUST eliminate the obstacles!

Global Information Sharing

–          We have been trying for decades

–          How do we establish trust

  • Methods to make data anonymous
  • Attack data sharing

–          Who shares?

  • Needs of SMBs

–          Role of Governments (pass treaties around data sharing and cross boundary working)

–          Benefits go far beyond incident response

Incident response in the Cloud;

–          Where is your data (does it ever get moved due to problems, bursting within the CSPs infrastructure etc. – need very clear contracts)

–          Consider model you use – IaaS / PaaS / SaaS and what this means

–          Network control

–          Log correlation and analysis – where are these, who owns them, who can access them..

–          Roles and responsibilities

–          Access to event data, images etc.  When will you find out about issues and breaches?

–          Application functioning in the cloud – consider impacts of applications running is shared and / or very horizontally scalable environments.

–          Virtualisation benefits and issues

–          Capabilities and limitations of your provider

Get Involved!

–          CSA and Cloud CERT

  • Role critical
  • Participation
  • Partnerships

–          Government initiatives

  • US
  • EU

–          Private initiatives

Breaches can impact all of us, finding ways to work together and share data is critical.  Cloud is relatively new – we can make a difference and improve this moving forwards.

Recommendation to read the upcoming book from the CISO of Intel (Malcolm) around security that covers various areas including –  understanding the world and providing a reasonable level of protection (inc. BYOD, need to be agile etc.)

Summary;

–          Remove Obstacles

–          Build subject matter expertise

–          Global sharing is critical to success

  • Who will attack you, using what methods in 2013?
  • Where should you spend your time / money?
  • Intelligence based security

–          Security sophistication must keep pace with attack sophistication!

K

RSA Conference Europe 2012 Keynotes; day two part one

Keynote 1 – Big Data; Threat or Opportunity>

Philippe Courtot, Chairman Qualys Inc.

Big data is everywhere, not just Facebook, Google and CERN.  Organisations from the police with cameras constantly taking photos of license plates to log data from corporate systems and web sites.  Many companies are now having to deal with or plan to deal with big data in order to understand their systems, their customers, and their users.

What is driving this for ‘ordinary’ organisations?

–          Increasingly complex and virtualised IT infrastructures

–          Workload mobility

–          Bring your own device / computer

–          Cloud computing

All require increasing amounts of data to be collected and aggregated in order for an organisation to understand and ensure compliance of their environments.

Cloud computing is both aiding this by making the storage and compute power available to any business that has to deal with big data, and driving this through its scale, virtual and always on nature.

How do we ensure the security and understanding of these complex environments?  We must build security onto to overall cloud and application architecture.  Realise that the cloud has multiple ‘flavours’ from IaaS to SaaS and these are not all the same from a design and architecture perspective.  Stop talking and thinking about the cloud as just ‘the cloud’.

From an infrastructure perspective, cloud data centres are fractal, you need to understand what your assets are, but also realise many are the same for example storage and compute.  You can monitor all your compute nodes with the same method.  Monitoring needs to be in real time and to have analysis and intelligence built in.

If you are running web applications you need to understand how many you have, where they are and how they are being used.  Need to look at hardening and understanding this perimeter and correlate logs across these environments.  How do we manage code issues and potential exploits and varying methods of authentication?  Your developers working on new code and functionality, your support staff may not have enough code experience.  Do we need a new breed of operations support with reasonably in depth coding abilities?

Was Philippe referring to DevOps here?  This is newish, but not a new idea, many organisations are already using or setting up DevOps teams with the skill sets that were talked about.

Mobile devices are also driving both big data and management challenges to organisations.  We need to ensure they are all monitored and managed; Single Sign on, Privacy, Corporate policies.  How do we do this to 100s / 1000s / 1000000s of thin devices that cannot have thick very thick applications installed on them?  Cloud based services for bath device management and aggregation of the collected data can provide these solutions and scale as required.

How do we ensure security remains ‘front and centre’  as we move to the cloud and scale up?  Many existing enterprise point solutions do not scale enough or integrate well enough with the cloud.  This is being solved by providing managed security services from the cloud; Security as a Service (SecaaS).  Obviously blowing my own trumpet here, but this neatly links to my research with the Cloud Security Alliance on SecaaS!

For me the key message of this talk is that real-time ‘Big Data’ is a key element of tomorrow’s security.  We need to understand the implications of this and plan our security strategy to take advantage of this and the insight it will bring.

——-

Keynote 2 – The struggle for control of the internet

Misha Glenny – Author and Journalist

Control of the internet focusses on the debate between security and privacy vs. demand for freedom.  The US identifies four areas that need to be managed and prevented; Crime, Hactivision, Warfare, and Terrorism.

How do we balance the need for people to have freedom with the needs for safety and protection online?  Is the internet morally neutral?

Crime (cybercrime) quickly took advantage of the internet, from card detail sales sites such as Carderplanet and DarkMarket.  Carderplanet was set up >11 years ago.  Both these sites have since been taken down, but they paved the way for much more sophisticated criminal organisations.

Criminals now spend a lot of time watching organisations like SOCA and the FBI in order to understand them and anticipate their next moves.  So while those trying to catch the criminals are watching them, they in turn are being watched!  Hackers have accessed private police files to monitor current investigations and delete intelligence records etc.

There have actually been worldwide ‘carder’ and other criminal activity conferences.  For example Carderplanet organised the first worldwide carder conference in 2002.  The invite to this conference also alluded to the fact that Carderplanet had a deal with the FSB (Russian secret service) would not interfere with their ‘work’ as long as they did not attack financial institutions, and if they would perform attacks on behalf of the Russian government / secret service as required.

The lines between government spies and criminals are becoming increasingly blurred.

Currently the UK secret service (Mi6 / Mi5) is dealing with ~500 targeted attacks every day.  This is up from ~4 per year 10 years ago!  The international spend in the west on cyber security is currently around $100 Billion per year.  This is set to double over the next few years.

The west wants to work with China and Russia to improve the situation; however they want to be allowed to manage the web within their borders in any way they like if they are to cooperate.  This obviously has issues with preventing freedom of speech.

Will the Web brak down into massive intranets?  Iran has already stated its intent to disconnect itself from the Web and set up just such an internal intranet.  China and Russia want to control and largely segregate their internal users from the rest of the Web.

We need original thinking to resolve these issues!

K

Service Technology Symposium 2012 – Talks update 3

Cloud computing’s impact on future enterprise architectures 

This talk was fairly light and I didn’t make a huge amount of notes, but thought there were a few points worth noting;

Definitions and boundaries are changing.  Instead of defined boundaries we are used to around traditional architectures whether they are hosted locally or at a data-centre we are moving to much more fluid and interconnected architectures.  Consider personal cloud, private cloud, hybrid cloud, extended virtual data-centres, consumerism, BYOD etc.  The cloud creates different, co-existing architectural environments based on combinations of these models.

Consider why you should move to the cloud, which characteristics are important for your organisation such as;

–          Elastically scalable

–          Self service

–          Measured services

–          Multi-tenancy

–          Virtualised and dynamic

–          Reliability (SLAs, what happens when there are issues etc.)

–          Economic benefits (cost reduction – TCO, and / or better resiliency)

Do you understand any potential risks;

–          What are the security roles and responsibilities? –

  • IaaS – you
  • BPaaS (business process as a service) – Them
  • Sliding scale from IaaS – PaaS – SaaS – BpaaS

–          Where is your data?

  • Your business and regulatory requirements
  • Jurisdictional rules – who can access your data
    • Legal / jurisdictional issues amplified

For me some of this talk was outdated, with a lot of focus on where is your data; While where is my data is a key question, there was too much focus on the fact your data will be anywhere in the world with global CSPs, when most big players now offer guarantees that you data will stay within defined regions if you want it to.

So, what does this mean for your ‘future’ cloud based enterprise architecture principles, concepts etc.?

–          Must standardise on ‘shared nothing’ concept

–          Standardise on loosely coupled services

–          Standardise on ‘separation of concerns’

–          No single points of failures

–          Multiple levels of protection / security

–          Ease of <secure> access to data

–          Security standards to protect data

–          Centralise security policy

–          Delegate or federate access controls

–          Security and wider design patterns that are easy to adopt and work with the cloud

Combining these different architectural styles is a huge challenge.

Summary – Dealing with multiple architectures, multiple dimensions and multiple risks is a key challenge to integrating cloud  into your environment / architecture!

The slides from this talk can be downloaded here;

http://www.servicetechsymposium.com/dl/presentations/cloud_computings_impact_on_future_enterprise_architectures.pdf

———————

SOA (Service Orientated Architecture) environments are a big data problem / Big data and its impact on SOA

Outside of some product marketing for Splunk, the premise of these two talks was basically the same, that large SOA environments are complex, need a lot of monitoring and create a lot of data.

Splunk is incidentally is a great open source product for log monitoring / data collection, aggregation and analysis / correlation.  Find out more about it here; http://www.splunk.com/

SOA – great for agility, but can be complex – BPEL, ebXML, WSDL, SOAP, ESB, XML, BPM, UDDI, Composition, loose coupling, orchestration, data services, business processes, XML Schema, registry  etc..  This can generate a huge amount of disparate data that needs to be analysed in order to understand the system.  Both machine and generated data may need to be aggregated.

SOA based systems can themselves generate big data!

How do we define big data?

–          Volume – large

–          Velocity – high

–          Variety – complex (txt, files, media, machine data)

–          Value – variable signal to nose ratio

We all know large web based enterprises such as Google and Facebook etc. have to deal with big data, but should you care?  Many enterprises are now having to understand and deal with big data for example;

  • Retail and web transaction data
  • Sensor data
    • GPS in phones
    • RFITS
    • NFC
    • SmartMeters
    • Etc.
  • Log file monitoring and analysis
  • Security monitoring

The talks had the following conclusions;

–          Big data has reached the enterprise

–          SOA platforms are evolving to leverage big data

–          Service developers need to understand how to insert and access data in Hadoop

–          Time-critical conditions can be detected as data inserted in Hadoop using event processing techniques – Fast Data

–          Expect big data and fast data to become ubiquitous in SOA environments – much like RDBMS are already.

So I’d suggest you become familiar with what big data is, the tools that can be used to handle and manage it such as Hadoop, MapReduce and PIG (these are relatively big topics in themselves and may be covered at a later date)

The slides from these talks can be downloaded from the below locations;

http://www.servicetechsymposium.com/dl/presentations/soa_environment_are_a_big_data_problem.pdf

http://www.servicetechsymposium.com/dl/presentations/big_data_and_its_impact_on_soa.pdf

—————-

Time for delivery; Developing successful business plans for cloud computing projects 

This talk covered some great points around areas to consider when planning cloud based projects.  I’ll capture as much as I managed to make notes on, as there was a lot of content for this one.  I’d definitely recommend checking out the slides!

Initial things to consider include;

–          Defining the link between your business ecosystem and the available types of cloud-enabled technologies

–          Identifying the right criteria for a ‘cloud fit’ in your organisation. (operating model and business model fit)

–          Strategies and techniques for developing a successful roadmap for the delivery of cloud related cost savings and growth.

Consider the outside-in approach ( http://en.wikipedia.org/wiki/Outside%E2%80%93in_software_development ) which is enabled by four of the current game changing capabilities / trends;

–          Mobility – any connection, any device, any service

–          Social Tools – any community, any media, any person

–          Cloud – computing resources, apps and services, on demand

–          Big Data – real time information and intelligence

In a nice link with the talk on HPC in the cloud, this one also highlighted the competitive step change that cloud potentially is; small companies can have big company levels of infrastructure, scalability, growth etc.  Anyone can access enterprise levels of computational power.

Cloud computing can be used to drive a cost cutting / management strategy and a growth / agility strategy.

Consider your portfolio and plans – what do you want to achieve in the next 6 months, next 12 months etc.

When looking at the cloud and moving to it, what are the benefit cases and success measures for your business?  These should be clearly defined and agreed in order for you to both plan correctly, and clearly understand if the project / migration has been a success.

What is your business model, and which cloud service business models will best fit with this?  What is the monetization strategy for your cloud migration project; Operational, Growth, Channel etc.  Initially cloud based projects are often driven by cost saving aspirations, however longer term benefits will likely be better if the drivers are better and faster, cost benefits (or at least higher profits!) will follow.  To be successful, you must decide and be clear on your strategy!

As with all projects, consider your buy vs. build options.

Consider also;

Is IT a commodity or something you can instil with IP?  Depending on your business you will be at different places on the continuum.  Most businesses can and should derive competitive advantage by putting their skills and knowledge into their IT systems rather than using purely SaaS or COTS solutions without at least some customisation.  This of course may only be true for systems relating to your key business, not necessarily supporting and administrative systems.

Cloud computing touches many strategies – you need a complete life-cycle 360 approach.

–          Storage strategy

–          Compute strategy

–          Next gen network strategy

–          Data centre strategy

–          Collaboration strategy

–          Security strategy

–          Presence strategy

–          Application / development strategy

–          Etc.

Consider the maturity of your services and their roadmap to the cloud;

Service Management – Service integration – Service Aggregation – Service Orchestration

This talk highlights just how much there is to think about when planning to migrate to, or make use or, the cloud and cloud based services.

The talk also highlighted a couple of interesting things to consider;

Look up ‘The Eight Fallacies of Distributed Computing’ from 1993, and ‘Brewer’s Theorem’ from 2000 (published in 2002) to understand how much things have stayed the same just as much as how much they have changed!

https://blogs.oracle.com/jag/resource/Fallacies.html

http://en.wikipedia.org/wiki/CAP_theorem

Also consider your rate of innovation – How can you speed up your / your businesses rate of innovation?

The slides from this talk can be downloaded from here;

http://www.servicetechsymposium.com/dl/presentations/time_for_delivery_developing_successful_business_plans_for_cloud_computing_projects.pdf

K

Service Technology Symposium Day 2..

Today was the second day of the Service Technology Symposium.  As with yesterday I’ll use this post to review the keynote speeches and provide an overview of that day.  Where relevant further posts will follow, providing more details on some of the days talks.

As with the first day, the day started well with three interesting keynote speeches.

The first keynote was from the US FAA (Federal Aviation Administration) and was titled ‘SOA, Cloud and Services in the FAA airspace system’.  The talk covered the program that is under-way to simplify the very complex National Airspace System (NAS).  This is the ‘system of systems’ that manages all flights in the US and ensures the control and safety of all the planes and passengers.

The existing system is typical of many legacy systems.  It is complex, all point to point connections, hard to maintain, and even minor changes require large regression testing.

Thus a simplification program has been created to deliver SOA, web centric decoupled architecture.  To give an idea of the scale, this program is in two phases with phase one already largely delivered yet the program is scheduled to run through 2025!

as mentioned, the program is split into two segments to deliver capabilities and get buy in from the wider FAA.

–          Segment 1- implemented set of federated services, some messaging and SOA concepts, but no common infrastructure.

–          Segment 2 – common infrastructure – more agile, project effectively creating a message bus for the whole system.

The project team was aided by the creation of a Wiki, and COTS (commercial off the shelf) software repository.

They have also been asked to assess the cloud – there is a presidential directive to ‘do’ cloud computing.  They are performing a benefits analysis from operational to strategic.

Key considerations are that cloud must not compromise NAS,  and that security is paramount.

The cloud strategy is defined, and they are in the process of developing recommendations.  It is likely that the first systems to move to the cloud will be supporting and administrative systems, not key command and control systems.

The second keynote was about cloud interoperability and came from the Open Group.  Much of this was taken up with who the Open Group are and what they do.  Have a look at their website if you want to know more;

http://www.opengroup.org/

Outside of this, the main message of the talk was the need for improved interoperability between different cloud providers.  This would make it easier to host systems across vendors and also the ability of customers to change providers.

As a result improved interoperability would also aid wider cloud adoption – Interoperability is one of the keys to the success of the cloud!

The third keynote was titled ‘The API economy is here: Facebook, Twitter, Netflix and YOUR IT enterprise’.

API refers to Application Programming Interface, and a good description of what this refers to can be found on Wikipedia here;

http://en.wikipedia.org/wiki/Application_programming_interface

The focus of this keynote was that making APIs public and by making use of public APIs businesses can help drive innovation.

Web 2.0 – lots of technical innovation led to web 2.0, this then led to and enabled human innovation, via the game changer that is OPEN API.  Reusable components that can be used / accessed / built on by anyone.  Then add the massive, always on user base of smartphone users into the mix with more power in your pocket than needed to put Apollo on the moon.  The opportunity to capitalise on open APIs is huge.  As an example, there are currently over 1.1 million distinct apps across the various app stores!

Questions for you to consider;

1. How do you unlock human innovation in your business ecosystem?

–          Unlock the innovation of your employees – How can they innovate and be motivated?  How can they engage with the human API?

–          Unlock the potential of your business partner or channel sales community; e.g. Amazon web services – merchants produce, provide and fulfil goods orders, amazon provides the framework to enable this.

–          Unlock the potential of your customers; e.g. IFTTT  (If This Then That) who have put workflow in front of many of the available APIs on the internet.

2. How to expand and enhance your business ecosystem?

–          Control syndication of brand – e.g. facebook ‘like’ button – everyone knows what this is, every user has to use the same standard like button.

–          Expand breadth of system – e.g. Netflix  used to just be website video on demand, now available on many platforms – consoles, mobile, tablet, smart TV, PC etc.

–          Standardise experience – e.g. kindle or Netflix – can watch or read on one device, stop and pick up from the same place on another device.

–          Use APIs to create ‘gravity’ to attract customers to your service by integrating with services they already use – e.g. travel aggregation sites.

This one was a great talk with some useful thought points on how you can enhance your business through the use of open APIs.

On this day I fitted in 6 talks and one no show.

These were;

Talk 1 – Cloud computing’s impact on future enterprise architectures.  Some interesting points, but a bit stuck in the past with a lot of focus on ‘your data could be anywhere’ when most vendors now provide consumers the ability to ensure their data remains in a specific geographical region.  I wont be prioritising writing this one up so it may or may not appear in a future post.

Talk 2 – Using the cloud in the Enterprise Architecture.  This one should have been titled the Open Group and TOGAF with 5 minutes of cloud related comment at the end.  Another one that likely does not warrant a full write up.

Talk 3 – SOA environments are a big data problem.  This was a brief talk but with some interesting points around managing log files, using Splunk and ‘big data.  There will be a small write up on this one.

Talk 4 – Industry orientated cloud architecture (IOCA).  This talk covered the work Fulcrum have done with universities to standardise on their architectures and messaging systems to improve inter university communication and collaboration.  This was mostly marketing for the Fulcrum work and there wasn’t a lot of detail, this is unlikely to be written up further.

Talk 5  – Time for delivery: Developing successful business plans for cloud computing projects.  This was a great talk with a lot of useful content.  It was given by a Cap Gemini director so I expected it to be good.  There will definitely be a write up of this one.

Talk 6 – Big data and its impact on SOA.  This was another good, but fairly brief one, will get a short write up, possibly combined with Talk 3.

And there you have it that is the overview of day two of the conference.  Looks like I have several posts to write covering the more interesting talks from the two days!

As a conclusion, would I recommend this conference?  Its a definite maybe.  Some of the content was very good, some either too thin, or completely focussed on advertising a business or organisation.  The organisation was also terrible with 3 talks I planned to attend not happening and the audience totally left hanging rather than being informed the speaker hadn’t arrived.

So a mixed bag, which is a shame as there were some very good parts, and I managed to get 2 free books as well!

Stay tuned for some more detailed write ups.

K

Service Technology Symposium Day 1..

So yesterday was day one of the Service Technology Symposium.  This is a two day event covering various topics relating to cloud adoption, cloud architecture, SOA (Service Orientated Architecture) and big data.  As mentioned in my last post my focus has mostly been on the cloud and architecture related talks.

I’ll use this post to provide a high level overview of the day and talks I attended, further posts will dive more deeply into some of the topics covered.

The day started well with three interesting keynotes.

The first was from Gartner covering the impact of moving to the cloud and using SOA on architecture / design.  The main points of this talk were understanding the need to move to a decoupled architecture to get the most from any move to the cloud.  This was illustrated via the Any to Any to Any architecture paradigm where this is;

Any Device – Any Service – Any Data

Gartner identified a ‘nexus of forces’ driving this need to decouple system component;

–          Mobile – 24/7, personal, context aware, real time, consumer style

–          Social – Activity streams, Personal intelligence, group sourcing, group acting

–          Information – variety, velocity, volume, complexity

–          Cloud services

In order to achieve this, the following assumptions must be true; All components independent and autonomous, they can live anywhere (on premise or in cloud), applications must be decoupled from services and data.

They also highlighted the need for a deep understanding of the SOA principles.

The second keynote speech was from the European Space Agency on their journey from legacy applications and development practices to SOA this was titled ‘Vision to reality; SOA in space’.

They highlighted 4 drivers for their journey; Federation – Interoperability – Alignment to changing business needs / requirements (agility) – Reduce time and cost.

And identified realising these drivers using SOA, and standards as outlined below;

Federation – SOA, Standards

Interoperability – SOA, Standards

Alignment to business needs – SOA, Top Down and Bottom up

Reduce costs – Reuse; SOA, Incremental development

Overall this was an interesting talk and highlighted a real world success story for SOA in a very complex environment.

The third keynote was from NASA Earth Science Data Systems.  This provided an overview of their use of SOA, the cloud and semantic web technologies to aid their handling of ‘big data’ and complex calculations.  They have ended up with a globally diverse hybrid cloud solution.

As a result of their journey to their current architecture they found various things worthy of highlighting as considerations for anyone looking to move to the cloud;

–          Understand the long term costs of cloud storage (cloud more expensive for their needs and data volumes)

–          Computational performance needed for science – understand your computational needs and how they will be met

–          Data movement to and within the cloud – Data ingest, data distribution – how will your data get to and from the cloud and move within the cloud?

–          Process migration – moving processes geographically closer to the data

–          Consider hybrid cloud infrastructures, rather than pure cloud or pure on premises

–          Security –  always a consideration, they have worked with Amazon GovCloud to meet their requirements

To aid their move to SOA and the cloud, NASA created various working groups – such as – Data Stewardship, Interoperability, semantic technologies, standards, processes etc.

This has been successful for them so far, and currently NASA Earth Sciences make wide use of SOA, Semantic technologies and the cloud (esp. for big data).

The day then moved to 7 separate track of talks which turned out for me to be somewhat of a mixed bag.

Talk 1 was titled ‘Introducing the cloud computing design patterns catalogue’.  This is a relatively new project to create re-usable deign patterns for moving applications and systems to the cloud.  The project can be found here;

www.cloudpatterns.org

Unfortunately the intended speaker did not arrive so the talk was just a high level run through the site.  The project does look interesting and I’d recommend you take a look if you are involved in creating cloud based architectures.

The second talk was supposed to be ‘A cloud on-boarding strategy’ however the speaker did not turn up, and the organisers had no idea if he was coming or not so wasted a lot of peoples time.  While it’s outside of the organisers control if someone arrives or not, they should have been aware the speaker had not registered and let us know rather than the 45 minutes of is he, isn’t he, we just have no idea that ensued..

The third talk was supposed to be ‘developing successful business plans for cloud computing projects’.  This was again cancelled due to the speaker not arriving.

Talk 2 (talks numbered by my attendance) was a Gartner talk titled ‘Building Cloudy Services’.  This was an interesting talk that I’ll cover in more depth in a following post.

Talks three to five were also all interesting and will be covered in some more depth in their own posts.  They had the below titles;

Talk 3 was titled ‘HPC in the cloud’

Talk 4 was titled ‘Your security guy knows nothing’

Talk 5 was titled ‘Moving applications to the cloud’

The final talk of the day was titled ‘Integration, are you ready?’  This was however a somewhat misleading title.  This talk was from a cloud ESB vendor and was basically just an advertisement for their product and how great it was for integration. not generally about integration.  Not what you expect from a paid for event.  I’ll not mention their name other than to say they seem to have been inspired by a piece of peer to peer software.. Disappointing.

Overall, despite some organisational hiccups and a lack of vetting of at least one vendors presentation, day one was informative and interesting.  Look out for more detailed follow up posts over the next few days.

K