Forrester analyst James Staten interviewed more than 30 companies and concluded that cloud computing has been “wildly popular” with small businesses but large companies have been skeptical. Forrester has posted the report, “Is Cloud Computing Ready For The Enterprise?” Staten blogged about his report in the post “Are Fabrics Web 3.0?.” Larry Dignan sums up some of the notable benefits in his post, “Cloud computing hasn’t gone Fortune 500 yet, but it’s coming” as:

• Deployment speed. One big hang-up for enterprises is figuring out how to procure and provision infrastructure to support a new application. In other words, you can develop an application in two weeks, but wait six weeks to procure and then install the servers that support it. Toss in capacity planning and the time to market expands more.
• Costs. To acquire those additional servers to support a new app requires budget. Staten notes you can’t just run out and buy a server anymore.
• Businesses want fast prototypes. Corporations can deliver faster prototypes by using cloud computing services. Simply put, it makes sense to use cloud computing as a testbed for projects that don’t have a fully-baked business case. For instance, research and development projects, low priority business applications and collaboration services are all good candidates for the cloud.

Dana Gardner in his post, “Cloud computing for enterprises, work it through your head” discusses a Hiperware white paper” that “goes on to detail several enterprise computing use-case scenarios that show how cloud computing architectures and methodologies, if enterprise developers can exploit them, will rapidly advance cost-benefits.” Gardner goes on to argue that “the new neat trick will be managing how the clouds and SOAs relate and interact. And that spells more integration as a service, and more federated policy management and enforcement as a service. It’s a whole new abstraction for middleware.”

Now everything is for from perfect in the cloud world. A few things holding cloud computing back:

Take Me Back

First, in case you are not familiar with cloud computing, below is a general overview:

A few months back I did the post “Provenance and Trust” where I examined how provenance and trust relates to the relatively new IT architectures, such as cloud computing. I was recently asked to provide a few links to help people understand the concept of cloud computing. I thought I would share the information.

Let’s us return back to Larry Dignan, and a few industry leaders, at Web 2.0 Expo doing a great job discussing what they think cloud computing is:

Tim Mather, Chief Security Strategist for RSA Conference, makes the point in relation to IT architecture:

First, computing resources needed for scientific purposes are often huge, and yet infrequently used. What company wants to maintain enormous computing capabilities only to have such used infrequently? That’s simply not cost efficient. So effectively ‘renting’ computing capabilities (e.g., from Amazon’s Elastic Computing Cloud – EC2) can be much more cost efficient. (Of course, this is the same usage model employed by national supercomputer centers for years – timesharing.)

The IEEE Computer Society has posted their featured article, “What’s Hot for 2009?” Cloud computing holds the first sport. According to IDC:

The current economic meltdown coincides with the availability of rapidly maturing cloud-based services that are offered by a wide range of vendors. New mode of acquiring and delivering services promises the valuable benefit of low up-front costs combined with usage-based pricing are now available. These benefits alone will ensure that this new model will be considered as a viable alternative to traditional delivery models and as a result, IDC forecasts that the use of cloud-based services will increase in 2009 despite, and because of, the economic conditions. IDC also predicts rationalization and consolidation among the cloud vendors, with struggling vendors having strong vertical offerings being acquired by larger, more diversified players.

A Rose By Any Other Name

Taking a moment to look over at other service focused technologies, this month Anne Thomas Manes, a Research Director with the Burton Group asserted in her post “SOA is Dead; Long Live Services.” Manes stirred up the SOA marketplace when she wrote, “SOA met its demise on January 1, 2009, when it was wiped out by the catastrophic impact of the economic recession. SOA is survived by its offspring: mashups, BPM, SaaS, Cloud Computing, and all other architectural approaches that depend on “services.” Manes’ real point, to quote her is that “we should not be talking about an architectural concept that has no universally accepted definition and an indefensible value proposition. Instead we should be talking about concrete things (like services) and concrete architectural practices (like application portfolio management) that deliver real value to the business.”

David Linthicum, on his podcast, “Anne Thomas Manes and I talk about the ‘SOA is dead’ thing,” discuss her post. A most entertaining show.

Private Clouds

Linthicum also had the very interesting post, “Will SOAs morph into private clouds?” Private clouds address the need some organization shave to keep their resources within the company while moving to a more sharable computing infrastructure. Basically, private clouds work in the same way as public cloud services, but are run by the enterprises. Linthicum makes the statement, “as I look at the emerging patterns of use, I see a lot of crossover from SOA, and that’s not a bad thing.” Linthicum in his post, “It’s all architecture!” makes the point “SOA is an architectural pattern, and cloud computing is an instance of an architecture, private or not. It’s all architecture, nothing really changes other than where and how we deploy services, processes, and information management. Not much of a shift, but we do have new technology to play with, and sometimes that can be distracting.” Anne Thomas Manes identifies common patterns tp private clouds:

• shareable resources
• the ability to reuse storage, database, transactional, and business process management services
• they typically have governance frameworks surrounding them

Growing the Pie

Mikael Ricknäs has posted the article, “Battle brewing over next-generation private clouds,” where he suggests that “Enterprises could make their datacenters more efficient by turning them into private computing clouds — but the biggest winners could be companies like EMC, Cisco Systems, and Sun Microsystems, which stand to gain a larger share of datacenter spending.” Ricknas points that these large companies “will also use this as an opportunity to lock customers into their own solutions, Butler said. The message is that tying yourself to only one vendor will help you achieve the full benefits of a private cloud, according to Butler.”

Dana Gardner in his post, “Services consumers and developers must now mount pressure for cloud computing neutrality” argues that “we should also be concerned about any cloud provider exerting too much influence or setting de facto standards early on that diminish the cloud services market as a whole.” Gardner points out that the cloud computing “pie needs to grow first, and the market leaders can seek domination in some way later when the playing filed is established and perhaps somewhat level.” He suggest “making savvy choices that favor data portability, and recognizing that APIs that carry over from one hosting provider to another make for good market drivers that entice more consumers that can exercise more choice.”

Stephen O’Grady, industry analyst and founder of redmonk, in his post “Cloud Interop: The Wrap Up” discusses how he “collected some of the best and brightest in the cloud computing industry yesterday to look at what I consider to be a crucial question for the future of the industry: how do we protect customers from being locked in to platforms over which they have little or no control?” Their conclusion: you don’t. O’Grady goes on to explain, “As with any technology – cloud or on-prem – a certain degree of lock-in is borderline inevitable. Open source, as was discussed yesterday, can help, but it is no panacea. Protecting your technical investments, both now and in future, is and will remain more aspirational than achievable end.”

Security Concerns

Jon Brodkin in the Network World article, “Gartner: Seven cloud-computing security risks,” list the seven security issues Gartner identified that customers should raise with vendors before selecting a cloud vendor:

• Privileged user access
• Regulatory compliance
• Data location
• Data segregation
• Recovery
• Investigative support.
• Long-term viabilit

Thomas Bittman brought up the important matter of privacy in his post, “Virtual Cloud Privacy is Gray.” Bittman points out that variations of isolation in a cloud computing architecture. When it comes to vendors, one has to be very careful about what is
truly “private” and what is truly “shared”

The World Summit of Cloud Computing has posted videos for the two day summit. Craig Balding presentation on cloud computing and security, titled “Cloud Computing: The Need for a Security Conversation.” Balding explains his main point in his post, “IGT2008 World Cloud Computing Summit Videos Now Online” as:

We are venturing into the great unknown with layers of offerings, greater trust transitivity and new (and old) technologies meshed together in ways we frankly don’t understand. We need to progress the dialogue beyond crying out that the ‘Cloud is insecure’ or just saying ‘the biggest Cloud issue is security’ and get into the nitty gritty details. But my argument is we can only do that if the providers engage in that conversation. It’s one of the reasons I encourage Cloud providers to reach out and talk security – most large enterprises have responsibilities that mean they cannot treat the Cloud as a black box.

There was also a security panel discussion hosted by Sam Bercovici, Professor Barton P. Miller and Alexis Richardson, and Balding.

Jon Greaves, CTO of Carpathia, has made available the first chapter of their book titled “The Datacenter of the Future.” The chapter describes the evolution of security and privacy as we’ve progressed from issues such as the Morris worm of 1988 to today’s “it’s in the cloud” attitude. There are some very good insights in the chapter which explain how the past evolution of technology will influence the types of offerings ISPs and hosting companies will provide in the next decade. Ron Gula, Tenable Network Securities’ Chief Technology Officer, explains that he “answer specific questions on how cloud computing can impact our security posture, what sort of functions should/could be outsourced and how organizations can minimize their operating costs with virtual systems.”

Rich Mogull and Chris Hoff on the Network Security Podcast got into a discussion on cloud security recently. Specifically, their focus was on programming “our web applications to run on top of a cloud infrastructure, not dedicated resources in a colo or a ‘traditional’ virtual server.” A basic overview of their thoughts:

• Secure development (somewhat) breaks
• Static and dynamic analysis tools (mostly) break
• Vulnerability assessment and penetration testing… mostly don’t break
• Web application firewalls really break
• Application and Database Activity Monitoring break

Hoff in his post, “Hoff’s Upcoming VirtSec/CloudSec Presentations in 2009,” discusses how he is working on three major VirtSec/CloudSec presentations for 2009:

• Frogs-Cover The Frogs Who Desired a King
• Cloudifornication: Indiscriminate Information Intercourse Involving Internet Infrastructure
• Mozart’s “The Marriage of Figaro”: Complexity & Insecurity Of the Cloud

I mention these presentations to get you interested in visiting Hoff’s site. Hoff regularly posts on cloud computing and security.

There was a panel discussion on “Security and Risk in the Cloud” from the “Computing in the Cloud” workshop put together by the Center for Information Technology Policy at Princeton University:

On January 14, 2009, the State of the Net conference was held in DC. The audio from the session “Policy Issues Facing Cloud Computing” has been released. David Schellhase, Salesforce.com acted as moderator with the superstar panel of Susie Adams, Chief Technical Advisor Microsoft, Alan Davidson, Google, and Jim Dempsey, Center for Democracy and Technology.

Final Thoughts

In this post, I tried to address a few of the basic concepts behind cloud computing along with a few important issues and finish with some thoughts involving security. Cloud computing will bring with it advantages and disadvantages, especially in the world of security. This post has not even scratched the surface. In a two thousand word post, all I can do is to try and get you interested in the subject and then show you the way to a wealth of additional information. Like Dorthy and the yellow brick road, follow the links. They will take you to the experts that have been working with issues involving the cloud for quite awhile now.

Trust Me, I’m from the Government

When bloggers fail to gain a level of trust through linking back to original sources, you should not trust a word that is said. Anyone can write a blog for a multitude of reasons. Why should you trust these anonymous people? Why should you trust me? How exactly are you handling valuable information that you encounter in a blog whose source you may not know or be able to trust?

In the world of blogging, consider George Siemens’ distinction between collective intelligence and connective intelligence. Collective intelligence is “a form of intelligence that emerges from the collaboration and competition of many individuals”. George defines connective intelligence as “individual creation of information, ideas, and concepts which are then shared with others, connected, and re-created and extended based on the interaction.” George goes on to state, “simply, collective means blending together. Connective means connecting while retaining the original (though others may build on it in their own spaces).” Put another way, “the collective presents a melting pot of ideas. The connective represents a mosaic of ideas.” Collective, provided there are enough people telling the truth and setting the record straight, will wash out incorrect information. Connective by retaining the original thought, and source, provides a degree of provenance and trust.

Concepts and Terminologies

The issue of provenance and trust is something security has been grappling with since the beginning. Some folks may be unfamiliar with the term “provenance.” The National Science Foundation defined provenance as:

Provenance refers to the knowledge that enables a piece of data be interpreted correctly. It is the essential ingredient that ensures that users of data (for whom the data may or may not have been originally intended) understand the background of the data. This includes elements such as, who (person) or what (process) created the data, where it came from, how it was transformed, the assumptions made in generating it, and the processes used to modify it.

Tim Mather, Chief Security Strategist for RSA Conference, posted “More on Data Integrity” where he explains, “For the vast majority of data, whether structured or unstructured, data lineage is sufficient. For scientific data, however, provenance is often required. For example, exactly how were the testing results of that new drug compound derived?” Tim goes on to make the point:

By now, after four years of SOx (for many companies in the United States), practitioners have a good understanding of data lineage – tracing relevant financial data through various applications within scope of the audit within the enterprise (or through 3rdparties’ SAS 70 Type II audits where required). This includes getting answers to such questions as where did the data originate? Where was it processed, stored, etc.? However, for other uses of data, “simple” data lineage is not good enough Some data requires further knowledge of its provenance (e.g., scientific data)

Scientific Research

It is interesting to take a brief look at some of the work being done in the scientific community where reliably reproducible results should be of paramount importance. Massive experiments are being carried out using computer systems with thousands of processors producing enormous amounts of data. This data needs to be captured, transported, stored, accessed, visualized and interpreted to extract knowledge. Jon Udell has written a post, “Trident: A workflow system for doing data-intensive science with reproducible results,” which discusses Trident. Trident is a “system for authoring, running, and tracking the provenance of scientific workflows — that is, sequences of computational steps that bridge the gap between the data produced by the Neptune sensor array and the COVE visualization system.” Roger Barga, a principal architect with Microsoft’s Technical Computing Initiative, describes Trident’s provenance capabilities as:

Think about it in terms of art. For a given piece of art, we’re able to establish through authorities that it’s original, where it came from, and who’s had their hands on it through its lifetime. Provenance for a workflow result is the same thing. Minimally we want to be able to establish trust in a result. If you think about how that happens, it often starts by considering who wrote the workflow. So with Trident you can click on a result and interrogate the history of the workflow: who wrote it, who reviewed it, who revised it, when it first entered the system.

We do versioning as well, so you can look at an old result and know that it was created by an old version of the workflow. And then have the ability to run the new version on the old dataset to see if it makes a difference.

We capture execution provenance so you know exactly how your result was created. We capture provenance on the workflows themselves so you know who created them, and who’s touched them.

You might be thinking about creating a community, where you click on a workflow and can say: “OK, I trust that post-doc.

In the area of networks, Wenchao Zhou , Eric Cronin, and Boon Thau Loo wrote the paper “Provenance-aware Secure Networks.” The paper examines network accountability and forensic analysis as a means of “performing network diagnostics, identifying malicious nodes, enforcing trust management policies, and imposing diverse billing over the Internet.” The paper:

1. Shows how network accountability and forensic analysis can be posed generally as data provenance computations and queries over distributed streams.
2. Proposes a taxonomy of data provenance along multiple axes, and show that they map naturally to different use cases in networks.
3. Suggests techniques to efficiently compute and store network provenance, and provide an initial performance evaluation on the P2 declarative networking system with modifications to support authenticated communication and provenance.

New Architectures

Let us examine how provenance and trust relates to the relatively new IT architectures, such as cloud computing. Just for a little background, and because I really like the video, below are a few IT leaders at Web 2.0 Expo providing a great job discussing what they think cloud computing is:

Tim makes the point in relation to IT architecture:

First, computing resources needed for scientific purposes are often huge, and yet infrequently used. What company wants to maintain enormous computing capabilities only to have such used infrequently? That’s simply not cost efficient. So effectively ‘renting’ computing capabilities (e.g., from Amazon’s Elastic Computing Cloud – EC2) can be much more cost efficient. (Of course, this is the same usage model employed by national supercomputer centers for years – timesharing.)

The article “Data provenance in SOA: security, reliability, and integrity” adds some additional insight into provenance and security. The article states, “consider data provenance, which concerns security, reliability, and integrity of data as they are being routed in the system…In an SOA system, however, one also needs to consider origins and routes of data and their impact, i.e., data provenance.” Consider that SOA is just an architect where basically you operate similar to a distributed computing system. In the end, it is all about the data, making the same points applicable to a distributed environment.

Returning to the issue of trust. There are multiple factors that may affect the data trustworthiness. The whole Internet is grappling with this idea and how to assigns trust scores to both data and data providers. Such trust scores represent key information based on which data users may decide whether to use the data and for what purposes. The paper, “An Approach to Evaluate Data Trustworthiness Based on Data Provenance” proposes a “data provenance trust model which takes into account various factors that may affect the trustworthiness and, based on these factors, assigns trust scores to both data and data providers. Such trust scores represent key information based on which data users may decide whether to use the data and for what purposes.”

In the article, “On Homeland Security and the Semantic Web: A Provenance and Trust Aware Inference Framework” a different approach that attempts to discover and evaluates semantic associations of information provided by many different sources. The paper describes, “how trust and provenance can be represented/obtained in the Semantic Web and then be used to evaluate trustworthiness of discovered semantic association and to make discovery process effective and efficient.”

Final Thoughts

In this post we have discussed the ideas of provenance and trust. Everything old is new again. New IT architectures were related to these basic ideas to demonstrate that no matter how cutting edge the IT ideas might be, everything gets back to the basic concept of trust. One cannot trust any information unless one know who or what created the data, where it came from, how it was transformed, what assumptions were made in generating it, and what processes were used to modify it.

Walter Dykas, senior researcher at the Oak Ridge National Laboratory (ORNL), recently said to me:

Security comes down to protecting your infrastructure. To do so, you must:

1. Enforce access rights at the lowest level possible.
2. Secure the trust infrastructure.
3. Implement assurance verification.

You can never have (1) without (2). If you have (2), (1) will follow. Finally, (3) is just watching the watchers. ‘Trust infrastructure’ is broad enough to cover technology and people. For example, an organization must have infrastructure for trusted communications and authorization, which again infers technology and people.

The The Open Group’s Jericho Forum agrees with Walter (see June’s Security Roundtable podcast for a good discussion on the group). The Jericho Forum argues that traditional network boundaries are disappearing in favor of complex online interrelationships that require more innovative security approaches. Deb Radcliff in her article “Information AND network protection: Finding the right mix“, explains how the group “advocates assigning priorities to data, focusing on the most critical areas, and applying secure communications and encryption around these classified resources.” Steven Bellovin, professor of computer science at Columbia University and co-creator of the Usenet online discussion system, summed it up in this way, “We need to think about the problem in a different way because what we’re doing [with perimeter protections] isn’t working. What we need is a more data-centric architecture with strong protections around the important data because security holes in the perimeter are inevitable.”

It is like my dear old dad would say, “You are not going to win any games if you don’t have the fundamentals down.” Of course he was talking about football, but the same rules apply to IT. Ori Brafman and Rom Brafman, authors of “Sway: The Irresistible Pull of Irrational Behavior” spoke at the Churchill Club with basically the same message. People due to fear and other motives move away from what they know are the fundamentals with disastrous results. ZDNet has posted this very interesting discussion.

One needs to keep focused on the fundamentals of protecting one’s infrastructure. Otherwise any attempts to implement the latest architectures and technologies is doomed to failure. In today’s world we are all interconnected and regrettably folks can be quite hostile. The Native Americans after Columbus’ landing learned this lesson the hard way. With that said, have a great Columbus and Native Americans’ Day.

I am going to be hitting the road at the end of this week. That means, catching up on podcasts while I drive, and doing some reading while in the hotel room. I pulled a few topics of interest and printed them out. In case they might interest others, I have included the links below. I am going to be attending the Cybersecurity Summit 2007 for NSF Large Research Facilities. You probably did not think the monastery would qualify as a large NSF research facilities. Well, it doesn’t. But we do advise those troubled souls in the matter of security enlightenment. Now I have not attended one of these summits before, so it should be interesting. If you happen to be attending, look for me. I’ll be one with the big notebook of reading material.

Defense in Depth

• A Layered Approach to Security
• Defense in Depth: Foundations for Secure and Resilient IT Enterprises

Security Baseline

• COBIT Security Baseline

Information Security Governance

• Information Security Governance: Guidance for Boards of Directors and Executive Management 2nd Edition
• Why Information Security Governance Is Critical to Wider Corporate
• Information Security Governance: Motivations, Benefits and Outcome

Information Security Hormonization

• Information Security Harmonisation

SOA Security

• Understanding SOA Security Design and Implementation
• SOA: Redrawing the Business Processes
• SOA Security in Action
• Interview with Gary McGraw, CTO of Cigital, Inc.
• Managing Enterprise Risks: Security Considerations in the Deployment of SOA
• SOA raises security worries
• SOA Security Overview
• SOA Security, Identity 2.0 and Convergence
• SOA Security and Enterprise Reuse
• SaaS and SOA: Together Forever
• Security Concepts, Challenges, and Design Considerations for Web Services Integration
• SOA Meta Model
• Another SOA Meta Model

Do you remember the flying car? I know the people from my generation grew up with dreams of one day having such a fantastic automobile. Over on Technorama, one of their regular contributors, Bruce Barr, points out an article by Julia Laton, “Are We on the Brink of the Flying Car?” According to the article, an Israeli company names Urban Aeronautics is claiming they will have a flying car on the market by 2012. The craft is designed to fly for up to two hours on one tank of gas, at up to 155 miles per hour (250 kph) and 12,000 feet (3,700 meters). It will cost $1.5 million. Here is the interesting thing, currently it can only hovered just 3 feet (1 meter) above the ground.

Mike Rothman, author of the Pragmotic CSO, and blogger of Daily Incite had an interesting point in his Pragmatic CSO Weekly posting. He, like many security professionals, have spent this week attending the RSA Conference. Mike writes:

Which goes to the topic of this week’s pep talk – don’t believe everything you hear. For those of you familiar with my research at Security Incite – you know I’m pretty cynical about pretty much everything. I’ll admit I was born cynical and sarcastic, but being in the security and networking business for the past 15 years hasn’t really helped soften my edge.

That was very apparent on the show floor, where vendors were resorting to all sorts of tricks (including of all horrors, booth babes) to gain the attention of potential buyers. And once they have your attention, their objective is to keep it. And sometimes they make claims on the show floor that don’t necessarily hold up in the lab. Empty claims don’t help you to do your job any better.

I would also add to Mike’s statement, do not include facts that you cannot backup in a presentation. This came up this week. A gentleman was preparing a presentation and wanted some facts on the cost savings of ITIL. Wouldn’t you know, he got a response from the ITIL expert within his company quoting itSMF, “Up to 70% reduction in downtime, 1000% return on investment, and time savings of 50%.”

If I was in the audience during this presentation, upon hearing such I quote, I would stop believing the presenter. The use of the word, “up to” makes any claim possibly true while making the statement meaningless. You could have “up to” 99% reduction in downtime and a trillion percent return on investment. Chances are real good that you won’t. When I go into a presentation, the last thing I want is to be caught off guard. There is always someone who has read other numbers/statements and they will want your response. If you cannot respond to that person, you will lose the rest of the audience. The 70% reduction in downtime and 1000% return on investment, are such amazing numbers, it rings of hype. If the audience thinks your presentation is full of hype, the credibility of the presentation suffers.

I have mentioned this site before, but I have to point to it again. The IT Skeptic site goes after the hype around ITIL. Concerning the claims around ITIL, the IT Skeptic wrote an interesting posting, “The Emperor has no clothes. Where is the evidence for ITIL?” There is even a podcast.

I am not saying one should believe without question what the IT Skeptic posts. Don’t believe the IT Skeptic, the itSMF, the folks at RSA, or someone telling you the flying car is just around the corner. Just dig a little before quoting numbers. When I pointed to the IT Skeptic I got the comment back about him being a “ghostwriter.” Focus on the message, not the messenger.

Imagine if we could invent a tablet that one could take to the RSA conference. It is capable of speech recognition and everything someone said is translated immediately into written words. Then the tablet can add links to the subject areas all the way back to the sources. As the salespeople talk, you could checks your table to see where all these numbers and ideas originated. That is better then a lie detector. I would trade in my flying car for such a device. One of the great things about blogs is that they can include links which one can easily follow to the source. Alot of salespeople would be out of work if we could do the same thing to the spoken word. Some fast talking executives would be demoted back to the mail room. In the meantime, do your homework and check those numbers. If it sounds too good to be true, it is.

There are alot of areas in security where I can argue both sides of an issue. I am using ITIL only as an example. Any area of business where you are changing the fundamental way you do business might prove difficult to quantify ROI. A discussion of metrics involving SOA can be found on Dana Gardner’s BriefingsDirect titled, “Panel of IT analysts look to the movie business to explain SOA’s relevance and ROI.” One of the great things about Dana Gardner podcasts is that he makes full transcripts of the shows available. The panel starts off with a discussion on a statements that Verizon had come out that with a stable of 500 services that they were expecting to yield $20 million in savings over two years.

It is a valid argument to point out that when you are changing the fundamental way of doing business, it complicates how you might determine ROI. In relation to SOA, Steve Gorone raises the question, “How do you actually quantify what your ROI is, given the advantages of using an SOA approach? I’ve listed the main reasons why people would want to do SOA, in terms of the advantages, and they basically break down to four major areas.” The four reasons are:

1. The reuse of IT assets
2. Reduce the expense associated with doing the application integration test they normally would have to do
3. Meeting compliance requirements
4. The issue of how agile do you make your business

Of course, my main interest in SOA comes from the last two claims of compliance and agility. Another key point that interest me is the idea that Tony Baer points out:

If there is one benefit that SOA delivers, it’s that the value becomes the service rather than the plumbing. If you think about the way we’ve traditionally developed functionality or integrated systems, we’ve had to spend inordinate amounts of time in the plumbing and maintaining it. SOA theoretically, if it’s done right, standardizes the plumbing, makes everything declarative, so you take out the guess work. The result is that if you look at outsourcing, SOA separates the plumbing from the service. Therefore, what is probably ideal for outsourcing would be the plumbing, because that’s where the value is and that’s not where IT organizations should be spinning their wheels.

That quote from a security point of view is very interesting. Alot of our efforts have been on the plumbing. While there is a great need to secure the plumbing, what is being done to secure the services?

The point is, IT is not the same as manufacturing. Metrics generally are not as simply as the replacement of one machine with another that can produce more widgets at less power consumption. For example, how does one measure the value of agility? If you fail to be able to adapt and provide one of the latest web 3.0 services, how many customers will you lose? How do you measure customer satisfaction because it was easy for the customer to get to you? Present information and selling points, but also be aware of the arguments both ways. This is the only way to insure that you won’t be taken off guard. Plus, it shows that you are not just a salesperson. You truly do know the subject matter.

“The Blind Men and the Elephant” is a classic fable. As the world of IT becomes more complex, the people in IT become more specialized. People become so focused in their areas, they lose the ability to see the big picture. Life becomes the fable. The fable is about a group of blind men who came upon an elephant. The first man, feeling the enormous leg, said, ‘This thing is very much like a tree.’ The second, standing near its ear, reached up and said, ‘This is a winnowing fan!’ ‘No,’ said a third as he grasped the moving trunk. ‘Be careful. This creature is a serpent.’ ‘I disagree,’ said a voice at the other end. ‘It is only a frayed piece of rope’. The last man commented, ‘You are all wrong. I have felt this thing on both sides and it is just a wall.’”

Let’s talk about two parts of the elephant, open source software (OSS) and service-orientated architecture (SOA). John Grimes, assistant secretary of Defense for networks and information integration/chief information officer, told the Network Centric Warfare conference in Washington, D.C., on Jan. 23, “As we go to SOA architecture, we keep the applications behind and share the data on the network, and it becomes very critical that data is understood by everyone.”

“It just eats our lunch every time we get into a proprietary situation, because it’s noncompetitive,” Grimes stated explaining that DOD will increasingly move to SOA because it benefits information sharing and acquisitions. Federal Computing Weekly has an article, “DOD’s Grimes: Our focus is on data” by Josh Rogin. In another article in FCW, Bob Brewinn wrote an article, “DISA Buying into SOA ‘Big Time’.” John Grimes is quoted as stating, “DOD spends too much time and money acquiring individual, highly-tailored systems.” He continues, stating, “It’s time for the department to stop buying things and start buying services.”

In an article in the Linux Insider title “Iona Tightens Open Source, SOA Bond,” Dana Gardner writes:

Open source and SOA are increasingly joined at the hip. These twins are developing in tandem, not sequentially, which is giving CIOs and architects a variety of choices for picking and choosing the projects and products that make up their SOAs.

Darryl K. Taft writes an article for eWeek title, “Web Services, SOA, and Open Source Converge.” Hub Vandervoort, chief technology officer at Sonic Software Corp., Bedford, Mass., was on a panel of heavy hitters at the Web Services/SOA on Wall Street conference on Feb. 27. Vandervoort makes the point that, “SOA as a concept will challenge the whole concept of one throat to choke. SOA means federation and is built from federated components that are boundless.”

Han Zaunere, president of New York PHP, an organization for the Apache, MySQL and PHP community in New York, stated, “”In the long run, as far as looking at what you get, I think open source is more valuable.” He points out, “If I download [licensed] software and in two years it’s obsolete, I have no return on that. When you buy open-source support, the software is secondary.” Hiram Chirino, co-founder and director of architecture at LogicBlaze Inc., of Marina del Ray, Calif., believes that open-source software allows users to scale their systems more easily and cheaply because they can simply add more servers without having to worry about licensing costs.

Bob Sutor has written, and podcasted, extensively on the topic of open source. His four part series, is very interesting. I would recommend folks take a few moment to read it, paying particular attention to part 4, “The SOA Connection.” He covers:

• Part 1: Standards
• Part 2: Software
• Part 3: Open Source Software
• Part 4: The SOA Connection

Analyst at Forrester have written a report, “The Future of Enterprise Software.” Andy McCue has written the article “Open Source and SOA to Redefine Software Landscape” where he summarizes the report. The report stated: “Too many IT pros today reject the new ideas behind the four horsemen as ‘not ready for prime time’. Blanket dismissals of new ideas are defensive; IT executives should be looking instead for ways that the four horsemen can drive productive changes for business. These forces will define the future of enterprise software.” The “four horsemen” of commoditization are service oriented architecture (SOA), open source, software as a service and offshoring. Forrester predicts the four horsemen will lead to cheaper prices and a radical change in enterprise software landscape of the future.

SOA is ultimately about integration. It can be integration of open or closed source software packages. SOA brings agility to an enterprise. CEO and CIO are beginning to question the wisdom of getting locked into a software solution. When you take a solution, such as SAP, it is a solution that matches a complex problem with a complex solution. Annrai O’Tool, CEO of Cape Clear, tells the following story on Dana Gardner’s SOA trends webinar:

We have a couple of ex-PeopleSoft people working with us at Cape Clear, and they tell a great story about how they used to do sales pitches against SAP. They went to the customer with a small cup of quick-drying cement and poured it into a mold. By the time they finished the presentation, the cement is set and it has SAP written on it. They then say, “There you go, that’s the deal with SAP.” It is easy to design, but once you get your business process done, it is embedded in cement.

O’Tool points out that for many businesses, the business process is very difficult to change. He goes on to say, “SOA is all about how to use that application in new and more transparent ways that are easier to change and that deliver agility.”

Commercial solutions can have high up cost and high continuous operation costs. Even changing out hardware can end up costing a business significantly due to software licenses. In this rapidly changing IT environment, a company can easily find itself with a solution that no longer fits its business need, but it has too much invested to change course. Even worse, in time their software solution might no longer be actively developed as software companies change directions or go out of business. OSS helps reduce some of these risks. While there are costs, more of the expenditures goes into the companies own people. This helps create a work force better adapted to face a changing IT environment. Hub Vandervoort said it best when he stated “when you buy a software license you are paying for past innovation; when you buy open source, you’re investing in future innovation.”

IONA broadens open source approach to SOA with Celtrix Enterprise initiative

Let me quote the accompanying blog:

IONA Technologies on Monday introduced a broader Apache-based set of open source SOA initiatives with the introduction of Celtix Enterprise, which expands the ESB offering to include other open source technologies including Qpid, which implements the Advance Message Queuing Protocol (AMQP) specification, and ActiveMQ, the JMS 1.1-based messaging middleware that uses AMQP. Celtix Enterprise also includes Eclipse-based tooling supporting JBI, Tomcat, and Spring.

I like the idea. Open Source has become more and more popular as the business model on software has shifted. People now tap into the open source community to help develop their software and move towards offering services to help support the software. This is different than the traditional method of in house development with the hope to make money off the sales of software. Though, alot of company that developed software really made their money providing services and support, even when they were selling the software. It is an interesting model.

Introduce a new architecture based on services and it just seems that we are moving in the same circles. SOA is about the architecture. There is alot of cost involved and managers are looking to defray the cost wherever they can. Add to this an architecture which is all about not getting locked into a particular proprietary solution, but being able to communicate between different services. It is all about being agile. Changes are occurring so rapidly, you have to be able to adapt quickly. Investing in your people help create an organization that can adapt to whatever comes tomorrow. If a company only invests in proprietary solutions, the company one day will find itself to be similar to the Titanic; unable to change course quick enough to avoid the unforeseen perils that surely will come its way.

Listen to the podcast.

Of course, when it comes to SOA, we have to see what Dave Linthicum has to say about OSS SOAs:

Open Source ESBs Have Emerged

Truthfully, I don’t much about SOA, though I keep listening and reading. I do know to listen what Dave has to say, even if he doesn’t understand open source. So, keep an eye on Mule. The bottom line is that currently developers who are building SOAs are not hardcore geeks. Sorry, Dave. The less technical guys require modeling tools with features to work collaboratively in conjunction with non-technical people. Commercial companies deliver this. While there are open source solutions, there simply are not many people who can implement them. Companies, while wanting to reduce the cost of the SOA software, lack the personnel. This seems like prime ground for consulting companies. Traditional close source companies are going open source, sort of, and offering consulting and support towards this end. The open solutions are out there and are being developed ever day. It is an interesting area to keep an eye on.