Service Technology Symposium 2012 – Talks update 2

Your security guy knows nothing

This talk focused on the changes to security / security mindsets required by the move to cloud hosted or hybrid architectures.  The title was mainly as an attention grabber, but the talk overall was interesting and made some good points around what is changing, but also the many concerns that are still basically the same.

Security 1.0

–          Fat guy with keys; IT focused; “You can’t do that”; Does not understand software development.

Security 2.0

–          Processes and gates; Tools and people; Good for Building; Not as good for acquiring / mashing

Traditional security wants certainty –

–          Where is the data? – in transit, at rest, and in use.

–          Who is the user?

–          Where are our threats?

What happens to data on hard drives of commodity nodes when the node crashes or the container is shipped back to the manufacturer from the CSP?  (data at rest etc.).  The new world is more about flexible controls and polices than some of the traditional, absolute certainties.

Security guys want to manage and understand change;

–          Change control process

–          Risk Management

–          Alerts when things change that affect the risk profile

Whole lifecycle – security considered from requirements onwards, not tacked onto end of process..  This for me is a key point for all security functions and all businesses.  If you want security to be ingrained in the business, effective, and seen as an enabler of doing things right rather than a blocker at the end, it must always be incorporated into the whole lifecycle.

Doing it right – Business –Development – Security – Working together..

Business;

–          Render the Implicit Explicit

  • Assets
  • Entitlements
  • Goals
  • Controls
  • Assumptions

Development;

–          Include security in design

  • Even in acquisition
  • Even in mash ups

–          Include security in requirements / use cases

–          Identify technical risks

–          Map technical risks to business risks (quantify in money where possible)

–          Trace test cases

  • Not just to features
  • But also to risks (non functional requirements!)

Security;

–          Provide fodder (think differently, black hat / hacker thinking)

–          Provide alternative reasoning

–          Provide black hat mentality

–          Learn to say “yes”

–          Provide solutions, not limitations!

Goal – Risk management

Identify how the business is affected?

–          Reputation

–          Revenue

–          Compliance

–          Agility

What can techies bring to the table?

–          Estimates of technical impact

–          Plausible scenarios

–          Black Hat thinking

 Compliance – does not equal – Security!

–          Ticking boxes – does not equal – Security!

So the key take away points from this are that regardless of the changes to what is being deployed –

 – Work together

– Involve security early

– Security must get better at saying ‘yes, here’s how to do it securely’ rather than ‘no’

No PDF of this presentation is currently available.

————————

Moving applications to the cloud

This was another Gartner presentation that covered some thoughts and considerations when looking at moving existing applications / services to the cloud.

Questions;

–          What are our options?

–          Can we port as is, or do we have to tune for the cloud (how much work involved?)

–          Which applications / functions do we move to the cloud?

Choices;

–          Which vendor?

–           IaaS, PaaS, SaaS…?

–          How – rehost – refactor – revise – rebuild – replace – which one?

  • Rehost or replace most common, quickest and likely cheapest / easiest

You need to have a structured approach to cloud migrations, likely incorporating the following 3  stages;

–          Identify candidate apps and data

  • Application and data-portfolio management
  • Apps and data rationalisation
  • Legacy modernisation

–          Assess suitability

  • Based on cloud strategy goals
  • Define an assessment framework
    • Risk, business case, constraints, principles

–          Select migration option

  • rehost – refactor – revise – rebuild – replace

This should all be in the context of;

–          What is the organisations cloud adoption strategy

–          What is the application worth? What does it cost?

–          Do we need to modernise the application? How much are we willing to spend?

In order to make decisions around what to move to the cloud and how to move it you should define both your migration goals and priorities which should include areas such as;

–          Gain Agility

  • Rapid time to market
  • Deliver new capabilities
  • Support new channels (e.g. Mobile)

–          Manage costs

  • Preserve capital
  • Avoid operational expenses
  • Leverage existing investments

–          Manage resources

  • Free up data centre space
  • Support scalability
  • Gain operational efficiencies

Some examples of what we mean by rehost / refactor / revise / rebuild / replace;

Rehost – Migrating application – rehost on IaaS

Refactor – onto PaaS – make changes to work with the PaaS platform and leverage PaaS platform features

Revise – onto IaaS or PaaS – at least make more cloud aware for IaaS, make more cloud and platform aware for PaaS

Rebuild – Rebuild on PaaS – start from scratch to create new, optimised application.

Note – some of these (rebuild definitely, refactor sometimes) will require data to be migrated to new format.

Replace – with SaaS – easy in terms of code, data migration, business process and applications will change (large resistance from users is possible).

The presentation ended with the following recommendations;

–          Define a cloud migration strategy

–          Establish goals and priorities

–          Identify candidates based on portfolio management

–          Develop assessment framework

–          Select migration options using a structured decision approach

–          Be cognizant of technical debt (time to market more important than quality / elegant code!)

  • Do organisations ever plan to pay back ‘technical debt’?  Where Technical debt refers to corner cutting / substandard development that is initially accepted to meet cost / time constraints.

A pdf of this presentation can be downloaded from here;

http://www.servicetechsymposium.com/dl/presentations/moving_applications_to_the_cloud-migration_options.pdf

Overall another good presentation with very sensible recommendations covering areas to consider when planning to migrate applications and services to the cloud.

K

Service Technology Symposium 2012 – Talks update 1

Building Cloudy Services;

The main premise of this talk was that you need to understand the cloud paradigm when designing services that you plan to run in the cloud.  Everything you do in the cloud costs, minimise unnecessary actions and transactions.

Why is the cloud an attractive solution? – Cloud computing characteristics..

–          Uses shared and dynamic infrastructure

–          Elastic and scalable  (horizontally NOT vertically!)

–          On demand as a service (self-service)

–          Meters consumption

–          Available across common networks

Features you should consider for any services that will be hosted in the cloud; where + indicates patterns / beneficial designs, indicates ‘anti-patterns / designs that will be more challenging to run successfully in the cloud;

Failure aware;

–          Motivation – Hardware will fail, software will fail, people will make mistakes

–          + stateless services, redundancy, idempotent operations

–          stateful services, single points of failure

Event driven;

–          Motivation – No busy waiting, less synchronisation

–          + everything is a call-back, autonomous services

–          – anti patterns – chatty synced interactions, guaranteed latency

Parallelizable;

–          Motivation – horizontally scalable

–          + stateless, workload decomposition, REST/WOA (not SOAP)

–          SPOB (single point of bottleneck), synchronous interactions

Automated;

–          Motivation – Easily recreated and installed (automated provisioning and scaling)

–          + re-startable, template driven

–          complex dependencies, hardware affinity

Consumption awareness;

–          Motivation- Efficient resource usage

–          + fine grained modular design, multi-tenancy

–          Monolithic design, single occupancy

The talk concluded with the following recommendations;

–          Stop treating cloud like a generic shipping container – be cloud aware

–          Match your goals for cloud computing to essential characteristics

–          Promote patterns among development team (paralysation etc)

–          Hunt down anti-patterns in code reviews

–          Evaluate IaaS and PaaS providers based on their support for cloud aware patterns

–          Balance the patterns

Keeping these points in mind should help ensure the services and designs you migrate to the cloud have a better chance of success.

PDF of the presentation can be found here;

http://www.servicetechsymposium.com/dl/presentations/building_cloudy_services.pdf

———————————-

High Performance Computing in the Cloud

This talk was one of my favourites, and somethign I find very interesting.  Traditionally High Performance Computing (HPC) has been the preserve of large corporations, reasearch depatements or governements.  This is due to the size and complexity of computing environemtns required in order to perform HPC.  With the advent of HPC in the cloud access to this level of compute resource is becoming much more widespread.  Both the cost of entry and expertise requried to set up this type of environment are lowering dramatically.  Cloud service providers are setting up both tradtional CPU based HPC offerings, and the newer, potentially vastly more powerful, GPU (Graphics Processor) based HPC offerings.

Onto the talk;

Cloud HPC can bring HPC levels of computational power to normal businesses for things like month / year level processing, and risk calculating etc.

In order to think about how you can use HPC, look to nature for inspiration – longest chain – how small a pieces can a process be broken down into in order to parallelise it?

–          Traditional HPC – message passing (MPI), head node and multiple compute nodes, backed by shared storage.  Scale issues – storage performance (use expensive bits)

–          Newer HPC, more ‘Hadoop’ type model, data stored on compute (worker) nodes – they then just send back their results to the master node(s).

  • Look at things like hive and pig that sit atop hadoop. More difficult to set up than MPI.

–          Newest HPC – GPU – simpler cores, but many of them.

  • CPU – ~10 cores maximum.  CPU – hundreds cores (maybe thousands). 
  • Some super computers looking at 1000’s GPUs in a single computer.
  • 4.5 teraflop graphics card < $2000!!

Cloud scale vs. on premise –

–          On premise = measured by rack at a time. 

–          Cloud = lorry trailers added by simply plugging in network, cooling and power then turning on, left until enough bits fail, then returned to manufacturer..

Cloud = Focused effort! – Cloud power managed by CSP, researchers work.. No need for huge amount of local infrastructure.

How to move to the cloud, largely as with other stuff –

–          Go all in – pure cloud. –

  • MPI cluster – just have images of head and compute nodes – scale out.  10 node cluster hosted on amazon made top 500 computer list with minimal effort in setup / config.
  • Platform as a service – e.g. Apache Hadoop – based services for windows azure – just go through how big you want the cluster through the web interface – has excel interface already so excel can directly use this cluster for complex calculations!

–          Go hybrid – add compute nodes from the cloud to existing HPC solution (consider – latency issues, and security issues (e.g. VPN to the cloud)).

You really don’t care about how the technology works.  Only how it helps you work!

Dan Rosanova who gave the talk has an excellent Blog post with some metrics around HPC in the loud here;  http://Danrosanova.wordpress.com/hpc-in-the-cloud

The slides from this talk can be downloaded here;

http://www.servicetechsymposium.com/dl/presentations/high_performance_computing_in_the_cloud.pdf

Final note – GPU development is currently mostly proprietary and platform specific. Microsoft is pushing their proposed open standard that treats CPU and CPU as ‘accelerators’ it does abstraction at run time rather than compile time.  This would allow much greater standardisation of HPC development as it abstracts the code from the underlying processing architecture.

These are exciting times in the HPC world and I’d expect to see a lot more people / companies / research groups making use of this type of computing in the near future!

K

Service Technology Symposium Day 2..

Today was the second day of the Service Technology Symposium.  As with yesterday I’ll use this post to review the keynote speeches and provide an overview of that day.  Where relevant further posts will follow, providing more details on some of the days talks.

As with the first day, the day started well with three interesting keynote speeches.

The first keynote was from the US FAA (Federal Aviation Administration) and was titled ‘SOA, Cloud and Services in the FAA airspace system’.  The talk covered the program that is under-way to simplify the very complex National Airspace System (NAS).  This is the ‘system of systems’ that manages all flights in the US and ensures the control and safety of all the planes and passengers.

The existing system is typical of many legacy systems.  It is complex, all point to point connections, hard to maintain, and even minor changes require large regression testing.

Thus a simplification program has been created to deliver SOA, web centric decoupled architecture.  To give an idea of the scale, this program is in two phases with phase one already largely delivered yet the program is scheduled to run through 2025!

as mentioned, the program is split into two segments to deliver capabilities and get buy in from the wider FAA.

–          Segment 1- implemented set of federated services, some messaging and SOA concepts, but no common infrastructure.

–          Segment 2 – common infrastructure – more agile, project effectively creating a message bus for the whole system.

The project team was aided by the creation of a Wiki, and COTS (commercial off the shelf) software repository.

They have also been asked to assess the cloud – there is a presidential directive to ‘do’ cloud computing.  They are performing a benefits analysis from operational to strategic.

Key considerations are that cloud must not compromise NAS,  and that security is paramount.

The cloud strategy is defined, and they are in the process of developing recommendations.  It is likely that the first systems to move to the cloud will be supporting and administrative systems, not key command and control systems.

The second keynote was about cloud interoperability and came from the Open Group.  Much of this was taken up with who the Open Group are and what they do.  Have a look at their website if you want to know more;

http://www.opengroup.org/

Outside of this, the main message of the talk was the need for improved interoperability between different cloud providers.  This would make it easier to host systems across vendors and also the ability of customers to change providers.

As a result improved interoperability would also aid wider cloud adoption – Interoperability is one of the keys to the success of the cloud!

The third keynote was titled ‘The API economy is here: Facebook, Twitter, Netflix and YOUR IT enterprise’.

API refers to Application Programming Interface, and a good description of what this refers to can be found on Wikipedia here;

http://en.wikipedia.org/wiki/Application_programming_interface

The focus of this keynote was that making APIs public and by making use of public APIs businesses can help drive innovation.

Web 2.0 – lots of technical innovation led to web 2.0, this then led to and enabled human innovation, via the game changer that is OPEN API.  Reusable components that can be used / accessed / built on by anyone.  Then add the massive, always on user base of smartphone users into the mix with more power in your pocket than needed to put Apollo on the moon.  The opportunity to capitalise on open APIs is huge.  As an example, there are currently over 1.1 million distinct apps across the various app stores!

Questions for you to consider;

1. How do you unlock human innovation in your business ecosystem?

–          Unlock the innovation of your employees – How can they innovate and be motivated?  How can they engage with the human API?

–          Unlock the potential of your business partner or channel sales community; e.g. Amazon web services – merchants produce, provide and fulfil goods orders, amazon provides the framework to enable this.

–          Unlock the potential of your customers; e.g. IFTTT  (If This Then That) who have put workflow in front of many of the available APIs on the internet.

2. How to expand and enhance your business ecosystem?

–          Control syndication of brand – e.g. facebook ‘like’ button – everyone knows what this is, every user has to use the same standard like button.

–          Expand breadth of system – e.g. Netflix  used to just be website video on demand, now available on many platforms – consoles, mobile, tablet, smart TV, PC etc.

–          Standardise experience – e.g. kindle or Netflix – can watch or read on one device, stop and pick up from the same place on another device.

–          Use APIs to create ‘gravity’ to attract customers to your service by integrating with services they already use – e.g. travel aggregation sites.

This one was a great talk with some useful thought points on how you can enhance your business through the use of open APIs.

On this day I fitted in 6 talks and one no show.

These were;

Talk 1 – Cloud computing’s impact on future enterprise architectures.  Some interesting points, but a bit stuck in the past with a lot of focus on ‘your data could be anywhere’ when most vendors now provide consumers the ability to ensure their data remains in a specific geographical region.  I wont be prioritising writing this one up so it may or may not appear in a future post.

Talk 2 – Using the cloud in the Enterprise Architecture.  This one should have been titled the Open Group and TOGAF with 5 minutes of cloud related comment at the end.  Another one that likely does not warrant a full write up.

Talk 3 – SOA environments are a big data problem.  This was a brief talk but with some interesting points around managing log files, using Splunk and ‘big data.  There will be a small write up on this one.

Talk 4 – Industry orientated cloud architecture (IOCA).  This talk covered the work Fulcrum have done with universities to standardise on their architectures and messaging systems to improve inter university communication and collaboration.  This was mostly marketing for the Fulcrum work and there wasn’t a lot of detail, this is unlikely to be written up further.

Talk 5  – Time for delivery: Developing successful business plans for cloud computing projects.  This was a great talk with a lot of useful content.  It was given by a Cap Gemini director so I expected it to be good.  There will definitely be a write up of this one.

Talk 6 – Big data and its impact on SOA.  This was another good, but fairly brief one, will get a short write up, possibly combined with Talk 3.

And there you have it that is the overview of day two of the conference.  Looks like I have several posts to write covering the more interesting talks from the two days!

As a conclusion, would I recommend this conference?  Its a definite maybe.  Some of the content was very good, some either too thin, or completely focussed on advertising a business or organisation.  The organisation was also terrible with 3 talks I planned to attend not happening and the audience totally left hanging rather than being informed the speaker hadn’t arrived.

So a mixed bag, which is a shame as there were some very good parts, and I managed to get 2 free books as well!

Stay tuned for some more detailed write ups.

K

Service Technology Symposium Day 1..

So yesterday was day one of the Service Technology Symposium.  This is a two day event covering various topics relating to cloud adoption, cloud architecture, SOA (Service Orientated Architecture) and big data.  As mentioned in my last post my focus has mostly been on the cloud and architecture related talks.

I’ll use this post to provide a high level overview of the day and talks I attended, further posts will dive more deeply into some of the topics covered.

The day started well with three interesting keynotes.

The first was from Gartner covering the impact of moving to the cloud and using SOA on architecture / design.  The main points of this talk were understanding the need to move to a decoupled architecture to get the most from any move to the cloud.  This was illustrated via the Any to Any to Any architecture paradigm where this is;

Any Device – Any Service – Any Data

Gartner identified a ‘nexus of forces’ driving this need to decouple system component;

–          Mobile – 24/7, personal, context aware, real time, consumer style

–          Social – Activity streams, Personal intelligence, group sourcing, group acting

–          Information – variety, velocity, volume, complexity

–          Cloud services

In order to achieve this, the following assumptions must be true; All components independent and autonomous, they can live anywhere (on premise or in cloud), applications must be decoupled from services and data.

They also highlighted the need for a deep understanding of the SOA principles.

The second keynote speech was from the European Space Agency on their journey from legacy applications and development practices to SOA this was titled ‘Vision to reality; SOA in space’.

They highlighted 4 drivers for their journey; Federation – Interoperability – Alignment to changing business needs / requirements (agility) – Reduce time and cost.

And identified realising these drivers using SOA, and standards as outlined below;

Federation – SOA, Standards

Interoperability – SOA, Standards

Alignment to business needs – SOA, Top Down and Bottom up

Reduce costs – Reuse; SOA, Incremental development

Overall this was an interesting talk and highlighted a real world success story for SOA in a very complex environment.

The third keynote was from NASA Earth Science Data Systems.  This provided an overview of their use of SOA, the cloud and semantic web technologies to aid their handling of ‘big data’ and complex calculations.  They have ended up with a globally diverse hybrid cloud solution.

As a result of their journey to their current architecture they found various things worthy of highlighting as considerations for anyone looking to move to the cloud;

–          Understand the long term costs of cloud storage (cloud more expensive for their needs and data volumes)

–          Computational performance needed for science – understand your computational needs and how they will be met

–          Data movement to and within the cloud – Data ingest, data distribution – how will your data get to and from the cloud and move within the cloud?

–          Process migration – moving processes geographically closer to the data

–          Consider hybrid cloud infrastructures, rather than pure cloud or pure on premises

–          Security –  always a consideration, they have worked with Amazon GovCloud to meet their requirements

To aid their move to SOA and the cloud, NASA created various working groups – such as – Data Stewardship, Interoperability, semantic technologies, standards, processes etc.

This has been successful for them so far, and currently NASA Earth Sciences make wide use of SOA, Semantic technologies and the cloud (esp. for big data).

The day then moved to 7 separate track of talks which turned out for me to be somewhat of a mixed bag.

Talk 1 was titled ‘Introducing the cloud computing design patterns catalogue’.  This is a relatively new project to create re-usable deign patterns for moving applications and systems to the cloud.  The project can be found here;

www.cloudpatterns.org

Unfortunately the intended speaker did not arrive so the talk was just a high level run through the site.  The project does look interesting and I’d recommend you take a look if you are involved in creating cloud based architectures.

The second talk was supposed to be ‘A cloud on-boarding strategy’ however the speaker did not turn up, and the organisers had no idea if he was coming or not so wasted a lot of peoples time.  While it’s outside of the organisers control if someone arrives or not, they should have been aware the speaker had not registered and let us know rather than the 45 minutes of is he, isn’t he, we just have no idea that ensued..

The third talk was supposed to be ‘developing successful business plans for cloud computing projects’.  This was again cancelled due to the speaker not arriving.

Talk 2 (talks numbered by my attendance) was a Gartner talk titled ‘Building Cloudy Services’.  This was an interesting talk that I’ll cover in more depth in a following post.

Talks three to five were also all interesting and will be covered in some more depth in their own posts.  They had the below titles;

Talk 3 was titled ‘HPC in the cloud’

Talk 4 was titled ‘Your security guy knows nothing’

Talk 5 was titled ‘Moving applications to the cloud’

The final talk of the day was titled ‘Integration, are you ready?’  This was however a somewhat misleading title.  This talk was from a cloud ESB vendor and was basically just an advertisement for their product and how great it was for integration. not generally about integration.  Not what you expect from a paid for event.  I’ll not mention their name other than to say they seem to have been inspired by a piece of peer to peer software.. Disappointing.

Overall, despite some organisational hiccups and a lack of vetting of at least one vendors presentation, day one was informative and interesting.  Look out for more detailed follow up posts over the next few days.

K

News and upcoming events

There are quite a few interesting, and for me exciting, things coming up over the next couple of months so I wanted to provide a brief update around these and some upcoming posts I’ll be making;

1.  I’ll be speaking at the CSA summit at RSA Europe!  This is a cloud security event on the afternoon of Monday 8th October, just prior to the main conference.  I’ll be giving a presentation about SecaaS (Security as a Service) and the SecaaS working / research group covering research we have done, the previous and recent publications and where we plan to go next.  The talk may be recorded, if it is I will post a link to it here, and I’ll also be uploading my slides.  The list of speakers and more information about the event can be found here;

https://cloudsecurityalliance.org/events/csa-summit-at-rsa-europe-2012/#_speakers

2.  I’m attending the Service Technology Symposium in London on the 24th-25th September; this is an annual event covering various aspects of Cloud, SOA (Service Orientated Architecture) and Service Technologies.  Examples of the conference tracks include;

–  Cloud architecture and patterns,

– Enterprise Cloud architecture

– Service Engineering

– Governance frameworks

– REST and web services

I’ll likely be following various portions of the tracks relating to cloud architecture, patterns and governance.  Expect various posts relating what is discussed.

3.  I am attending the RSA conference Europe in London from the 9th through the 11th October.  This years conference heading is ‘The Great Cipher; Mightier than the Sword’.  The premise of this is that sharing knowledge and learning at event such as this is the key to staying ahead of the bad guys.  Looks to be loads of great talks from people like Bruce Schneier et al; again look out for various posts on what I learn and what is discussed during this conference.

4.  Security as a Service Implementation Guidance v1.0 is about to be published.  10 documents covering each of the 10 categories of service we identified last year are going to be published any day now.  This has been a pretty large undertaking bringing a disparate group of predominantly volunteer contributors together across the 10 different subject areas to produce a (relatively) coherent whole!  Although this is just v1.0 and will likely receive various updates it is a great step forward for anyone wanting to implement or just better understand Security as a Service.  I’ll provide an update post when these a officially out the door and available for public downloading.

And of course my Masters and the next steps of the SecaaS research group will also be continuing.

Lots coming up; keep checking back!

K