Monday, March 02, 2009

imho SOA Governance in the Age of the Cloud


--James Kobielus

Cloud computing is the IT world’s most noteworthy new platform paradigm, referring primarily to an on-demand service delivery model that may span both outsourced and premises-based platforms.

Cloud computing may be coming on a bit too strong, if we use the discomfort level of the average IT professional as our gauge. Much of the cloud queasiness stems from the fact that many such services are either partially or entirely outside the scope of enterprises’ established service-oriented architecture (SOA) governance initiatives.

Where SOA governance is concerned, cloud computing is mostly terra incognita. After several years of implementing lifecycle controls over their Web services environments, enterprise IT professionals now realize they may have to radically revamp those efforts to keep pace with users’ growing adoption of outsourced cloud services.

SOA governance, also known as service governance, refers to practices and tools for enforcing consistent development, security, performance, and other policies across the life cycle of key functions, regardless of whether they are hosted internally or provided by outsourcers. Cradle-to-grave service governance enables organizations to continuously plan, design, validate, publish, provision, monitor, modify, secure, and optimize their distributed environments. Governance ensures that services deployed in enterprise application environments—be they built on clouds, mainframes, or any other platform--comply with all applicable regulatory, policy, operational, and other baseline requirements.

Strong SOA governance is the key to cloud control.

SOA governance is even more critical within clouds than in traditional computing environments. That’s because clouds can deliver almost every IT capability--from applications down to middleware, application platforms, and even storage, processing, and other hardware resources—as on-demand subscription offerings.

Clouds are to a great extent the future of SOA. Cloud computing raises the SOA stakes, but this new environment also accentuates the risks of poor governance. To the extent that organizations use governance to harness the richness of cloud environments, they will be able to supercharge their SOA initiatives while radically improving scalability and cost-effectiveness. Leveraging distributed cloud platforms, the next-generation SOA will be more fluid, flexible, and virtualized, managing ever more massive data sets and providing the agility to handle more complex mixed workloads of transactional applications, business intelligence, data mining, enterprise service bus, business process management, and other functions.

“The cloud revitalizes the interest in governance because you are extending trust to services across premise and presumably corporate boundaries,” says Miko Matsumura, vice president and deputy chief technology officer at Software AG. “Not only is that significant from a governance perspective but the complexity of mashing up cloud services with on premise applications, integrations and infrastructure requires a framework for maintaining overall integrity.”

Clouds complicate the SOA governance picture, but it’s not as if many enterprises already have exemplary governance practices. In the real world, cloud computing, like SOA implementations, is often an ungovernable mess. By encouraging widespread reuse of scattered software components, SOA threatens to transform the enterprise application infrastructure into a sprawling, unmanageable hodgepodge of ad-hoc services. Without proper governance, SOA could allow anyone anywhere to deploy a new cloud service any time they wish, and anyone anywhere to invoke and orchestrate that service--and thousands of others—into ever more convoluted messaging patterns. In a governance-free environment, coordinated cloud service planning and optimization become frustratingly difficult. In addition, rogue cloud services could spring up everywhere and pass themselves off as legitimate nodes, thereby wreaking havoc on the delicate trust that underlies production SOA.

So, if traditional SOA governance is no bed of roses, what’s the problem, relatively speaking, with cloud services? Simply put, cloud services can circumvent even the best-laid service governance practices. By enabling rapid no-touch outsourcing of many or all IT functions, cloud services make it very difficult for enterprise IT to enforce policies governing service composition, integration, security, management, and other key functions.

Furthermore, cloud services often differ so fundamentally from enterprises’ core SOA environments that IT professionals may not be sure what governance best practices—if any--are best suited to this new environment. Many of the service-governance infrastructure components that organizations have deployed in support of Web services—such as service registries and service-level management agents and consoles—are partly or entirely lacking from many public or private cloud environments.

From the viewpoint of SOA professionals, cloud environments are potential breeding grounds for undocumented, unsupported, and non-standard application services. Users may access externally provided cloud services without first gaining IT’s approval. In addition, outsourced cloud services may not conform to any of the Web services standards—such as Extensible Markup Language (XML), Simple Object Access Protocol (SOAP), Web Services Description Language (WSDL), and Universal Description Discovery and Integration (UDDI)—upon which IT has built the enterprise’s internal SOA.

Like creeping kudzu, rogue public-cloud-based services can become firmly ensnared in your IT environment and resist all subsequent efforts to extricate them. Once those uninvited guests are firmly ensconced in an organization’s operations, enterprise IT may find itself severely hamstrung in its attempts to monitor them or rein them into conformance with standard practices for designing, maintaining, monitoring, securing, and versioning services.

SOA governance gaps discourage cloud adoption.

In addition to these legitimate governance concerns, lack of familiarity with cloud computing is another factor that is stalling adoption of this approach among SOA professionals. Nevertheless, that reluctance may soon dissipate as cloud approaches move into the mainstream, though governance will remain uppermost on enterprise IT’s mind.

“As cloud computing and SOA continue to converge, the need for a governance strategy, and good governance technology, will become more important.” says David Linthicum, founder of the Linthicum Group, a SOA and cloud consultancy. “However, most of my clients are still kicking the tires around cloud computing, including creating strategy, and doing small projects to validate the infrastructure change. This will change quickly as we move towards the end of 2009, when more business processes, applications, and information will reside on remote clouds, and thus the need for governance increases.”

To the extent that enterprises are adopting cloud services, it is via a selective outsourcing of specific applications and infrastructure. From a “plan-time” perspective, one of the principal cloud SOA governance decisions is in determining which services to source from which public clouds, so as to avoid unnecessary duplication with internal application environments.

“The larger business decisions really are around which services should or shouldn’t be sourced in a certain way, and what level of comfort and risk aversion are acceptable,” says Dana Gardner, principal analyst at Interarbor Solutions. “One risk would be that people start jumping into cloud and external-service consumption piecemeal, without it being governed or managed centrally, or with some level of oversight in a holistic sense. The other risk might be that you are so clamped down, and you are so centralized and tightly managed, that no one takes advantage of efficiencies that become available through the cloud. You then have unfortunate costs and an inability to adapt quickly.”

Expect to see SOA governance tools enter the cloud market in droves over the next several years, addressing a pent-up demand among enterprise IT professionals. “As IT strategists look over the horizon to what they some day would like to do with cloud computing, be internal, external or hybrid, they can begin to set themselves up for success on that front now,” says Gardner. “Moving toward SOA best practices and implementing strong governance across IT services and resources is an excellent place to gain advantage over today's IT while preparing for newer models and efficiencies.”

SOA governance challenges aggravated by the cloud paradigm.

For all the hype surrounding cloud services, it’s difficult to find case studies of effective SOA governance in this brave new environment. Nevertheless, most public cloud service providers offer governance tools for managing applications, virtual machines, integration logic, and service levels deployed in their specific environments. And a growing range of vendors—including RightScale, Kaavo, and Hyperic—are providing tools for provisioning and managing services across various public and private cloud environments. However, as befits the immature state of cloud computing, none of the established SOA governance tool vendors supports management of cloud-based applications, transactions, messaging, or service levels.

Furthermore, even as cloud services become more mainstream, and even if they were built from the ground up with SOA governance in mind, they would still be very challenging to manage. The special governance challenges associated with cloud computing stem from some hallmarks of this new paradigm: outsourcing service providers, proprietary public clouds, virtualized resource pools, and mashup-style service creation.

Outsourced cloud-service providers.

Comprehensive SOA governance depends either on having all application, platform, and network domains under common policy-based administration—a rare occurrence in enterprise networks of any complexity—or on having instituted federation among autonomous domains. Managing SOA federations within an enterprise or B2B supply chain can be dauntingly complex. But managing SOA federations that link internal application domains with those provided by one or more outsourcers—including public cloud service providers such as Amazon, Google, and Microsoft—depends on negotiation skills worthy of a Nobel Peace Prize.

“Public cloud providers are gingerly approaching the notion of federation,” says Rich Wolski, professor in the Computer Science Department at the University of California, Santa Barbara (UCSB), and director of Eucalyptus, an open-source cloud-computing software project. “There's not much federation between public clouds yet, but we're starting to see some discussion of cross-cloud federation for the provisioning of resources.” Wolski stresses that, as the cloud computing market works through the myriad federation issues, service providers and their enterprise customers will need to establish multi-layered agreements that span identity management, service-level management, storage management, and other key concerns.

Right now, there is little to no policy federation between enterprise SOA environments and public cloud services. Those enterprises that choose to rely on public cloud services are running a considerable risk, according to Christopher Crowhurst, vice president for architecture and business systems infrastructure at Thomson Reuters.

“You’re vulnerable to the provider's performance when you run your infrastructure and applications in someone else’s cloud,” says Crowhurst. “In those circumstances, there is little onus on the public cloud provider to coordinate their scheduled downtime with subscribers. And it’s risky business to build applications that depend on services provided by the public cloud when there is no prior agreement on stability or availability of their API.” “Even if the public-cloud APIs remain,” says Crowhurst, “the behavior of those interfaces may change without notice.”

Crowhurst advises enterprise IT professionals to negotiate governance features into their contracts with public cloud service providers. At minimum, he says, these contracts should include clauses under which public cloud providers must inform customers of downtime, service changes, rollouts, version deprecations, and API modifications.

Proprietary cloud-service provider silos.

One key SOA tenet is that a distributed application environment should be platform-agnostic, and so should its governance infrastructure. Under pure SOA, the external application interface—or API—should be agnostic to the underlying platforms.

However, enterprise forays into cloud computing often violate that principle by relying on monolithic public-cloud services, most of which implement proprietary APIs, development tools, virtualization layers, and governance features--though many cloud services also incorporate open SOA and Web 2.0 standards to varying degrees. Interoperability among proprietary public clouds is often non-existent, and tools for governing services across diverse public and private clouds are just now coming to market.

“To enable design-time cross-cloud service portability, public cloud providers should implement open industry standards for packaging of virtualized services,” says Billy Marshall, founder and chief strategy officer of virtualization tool vendor rPath. “If we can define service compliance with an open virtualization format,” says Marshall, “then we’ll be able to define service governance that is independent of the host.”

One specification that addresses this need is the Open Virtualization Format (OVF), a Distributed Management Task Force (DMTF) draft, which defines an extensible format for the packaging and distribution of software to be run in virtual machines (VMs), such as those at the heart of public and private clouds. Though it is a key specification for portability of VMs across clouds, OVF, still in version 1.0, does not provide the full context on VM “images” that would be necessary to support sophisticated life-cycle governance of these key artifacts, says Brett Adam, VP of engineering at rPath.
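Whatever OVF lacks for full life-cycle governance, the one control it does give a governance process is integrity: an OVF package carries a manifest of digests over the descriptor and the disk images it references, so an importer can refuse a package whose contents were altered after packaging. The following is an added example, not code from rPath, the DMTF, or the original article, that checks a package the way an import gate would: every file the descriptor references must appear in the manifest, every digest must match, and any reference that points outside the package directory is rejected. It assumes the OVF 1.x conventions as I recall them (the `http://schemas.dmtf.org/ovf/envelope/1` namespace, `<File ovf:href=...>` references, a manifest named after the descriptor with lines of the form `SHA1(file)= digest`); the package it builds in a temporary directory is constructed for the demonstration, and the optional `.cert` signature over the manifest, which a real gate would verify as well, is out of scope here.

```python
"""Integrity check for an OVF package: descriptor references vs. manifest digests.
Constructed example; assumed OVF 1.x layout (see lead-in), not DMTF or rPath code."""
import hashlib
import os
import re
import tempfile
import xml.etree.ElementTree as ET

OVF_NS = "http://schemas.dmtf.org/ovf/envelope/1"   # assumed OVF 1.x namespace
# Assumed manifest line format:  SHA1(demo.ovf)= <hex digest>
MANIFEST_RE = re.compile(r"^(SHA1|SHA256)\(([^)]+)\)=\s*([0-9a-fA-F]+)\s*$")


def parse_manifest(text):
    """Map file name -> (hash algorithm, lowercase hex digest); reject junk lines."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = MANIFEST_RE.match(line)
        if not m:
            raise ValueError(f"manifest line {lineno} is malformed: {line!r}")
        algo, name, digest = m.groups()
        entries[name] = (algo.lower(), digest.lower())
    return entries


def referenced_files(descriptor_bytes):
    """File names referenced from <References><File ovf:href=...> in the descriptor."""
    root = ET.fromstring(descriptor_bytes)
    return [f.attrib[f"{{{OVF_NS}}}href"] for f in root.iter(f"{{{OVF_NS}}}File")]


def file_digest(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_package(pkg_dir, descriptor_name):
    """Return a list of problems; an empty list means the package is consistent."""
    problems = []
    manifest_name = os.path.splitext(descriptor_name)[0] + ".mf"
    try:
        with open(os.path.join(pkg_dir, manifest_name)) as fh:
            manifest = parse_manifest(fh.read())
    except (OSError, ValueError) as exc:
        return [f"manifest unusable: {exc}"]
    with open(os.path.join(pkg_dir, descriptor_name), "rb") as fh:
        descriptor = fh.read()
    for name in [descriptor_name] + referenced_files(descriptor):
        # Refuse hrefs that leave the package: absolute paths, '..', URLs.
        if os.path.basename(name) != name or name in ("", ".", ".."):
            problems.append(f"unsafe reference: {name!r}")
            continue
        if name not in manifest:
            problems.append(f"not in manifest: {name}")
            continue
        algo, expected = manifest[name]
        path = os.path.join(pkg_dir, name)
        if not os.path.isfile(path):
            problems.append(f"missing file: {name}")
        elif file_digest(path, algo) != expected:
            problems.append(f"digest mismatch: {name}")
    return problems


def make_sample_package(tamper=False):
    """Write a constructed two-file OVF package to a temp dir and return its path."""
    pkg = tempfile.mkdtemp(prefix="ovfdemo-")
    disk = b"constructed disk image bytes\n" * 64
    descriptor = (
        f'<?xml version="1.0"?>'
        f'<Envelope xmlns="{OVF_NS}" xmlns:ovf="{OVF_NS}">'
        f'<References><File ovf:id="disk1" ovf:href="demo-disk1.vmdk" '
        f'ovf:size="{len(disk)}"/></References></Envelope>'
    ).encode()
    with open(os.path.join(pkg, "demo.ovf"), "wb") as fh:
        fh.write(descriptor)
    with open(os.path.join(pkg, "demo-disk1.vmdk"), "wb") as fh:
        fh.write(disk)
    lines = [f"SHA1(demo.ovf)= {hashlib.sha1(descriptor).hexdigest()}",
             f"SHA1(demo-disk1.vmdk)= {hashlib.sha1(disk).hexdigest()}"]
    with open(os.path.join(pkg, "demo.mf"), "w") as fh:
        fh.write("\n".join(lines) + "\n")
    if tamper:  # alter the disk image after the manifest was written
        with open(os.path.join(pkg, "demo-disk1.vmdk"), "ab") as fh:
            fh.write(b"injected payload\n")
    return pkg


if __name__ == "__main__":
    print("clean:   ", verify_package(make_sample_package(), "demo.ovf"))
    print("tampered:", verify_package(make_sample_package(tamper=True), "demo.ovf"))
```

The check deliberately starts from the descriptor's reference list rather than from the manifest: a manifest that happens to omit a disk image the descriptor still imports is the gap an attacker would use, so an unlisted reference is reported, not silently skipped.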

Virtualized cloud-service resource pools.

Most SOA governance environments only skim the surface of enterprise IT environments: managing only that subset of services operating in the application layer, and only those Web services built on XML, SOAP, WSDL, and other core SOA specifications. By contrast, many public cloud services provide a deeper stack of on-demand services, spanning the application, software platform, integration middleware, and even hardware layers. Indeed, virtualized, grid-oriented “hardware as a service” resource pools are a popular cloud offering, providing ample processing and storage capacity. By proliferating services far deeper down into the stack, beyond the capabilities of today’s SOA governance tools, cloud environments are making unified planning, design, provisioning, monitoring, and control of all services next to impossible.

One key area where cloud governance differs from traditional SOA is in its focus on life-cycle governance of VMs. To facilitate automated provisioning of deep application and integration stacks on VMs, cloud management environments should offer prepackaged “server templates,” says Michael Crandell, founder and CEO of cloud management platform vendor RightScale. These templates embed prepackaged policy definitions that govern important life-cycle service VM governance functions, including deployment, setup, booting, monitoring, control, optimization, and scaling of VMs on one or more public or private clouds. Cloud governance even encompasses the periodic need to “decommission and throw away” old VM instances, and launch new ones in their place, says Crandell.

Indeed, this could prove to be the killer application for cloud governance: preventing the unchecked proliferation of VM instances across public and private virtualization infrastructures. This problem, sometimes known as “VM sprawl,” can present both a maintenance burden and could consume inordinate, costly amounts of cloud CPU, storage, and network resources.

A growing range of commercial management tools provide the ability to control VM sprawl across disparate hypervisors. In addition, the hypervisor platform vendors—such as VMware, Citrix, and Microsoft—and public cloud service providers have made this the principal feature of their various management tools. Sometimes referred to as “instance management,” it’s a feature that is lacking from traditional SOA governance tools.

Mashup-style cloud-service creation.

Traditional SOA-style development is top-down. It requires considerable upfront architectural design, factoring functional primitives into platform-independent, loosely coupled service contracts that are exposed to developers through open Web services standards. It often also includes a core service catalog, such as UDDI to broker abstract service contracts, as well as tools and platforms that support key interface standards such as WSDL and SOAP.

By contrast, cloud services encourage a grassroots style—often known as Web 2.0, Web Oriented Architecture, or Representational State Transfer (REST)--of service provisioning, development, and management. Anyone with a credit card can sign up for and start accessing cloud services, which may be totally redundant with applications that their companies have deployed internally. By the same token, anyone with a browser can mash up available cloud service components into applications that may deviate significantly from corporate-standard design patterns—and probably lack the stringent security expected from enterprise-grade services. In the REST paradigm, UDDI, WSDL, SOAP, and other WS-* standards are conspicuous in their absence. So it’s no surprise that the phrase “mashup governance” gives some SOA professionals anxiety fits and causes others to double over with laughter.

But SOA governance best practices and infrastructure can be extended to cloud.

Nevertheless, cloud services can benefit from the many lessons learned by enterprise SOA governance implementers, says Tim Hall, director of SOA products for HP Software and Solutions. “Most important, you need a service catalog that maintains metadata about services and enables you to control development and construction of services and publish visibility and availability of services to consumers.” Also, federation agreements should be set up to auto-provision service definitions between public clouds and enterprises’ SOA, REST, and other application environments, says Hall. After all, he says, it’s all about the service: from a macro view, the service equates directly to value, namely its contribution to helping you make money, save money, or mitigate risk.

Clearly, SOA governance is maturing as a discipline, while cloud computing—the new galaxy in which services will burst forth—is anything but. Unfortunately, the cloud arena may continue to evolve so fast over the next several years that it will be difficult for consensus service-governance practices to coalesce.

So the outlook for strong service governance in this brave new paradigm remains cloudy, but with scattered patches of promise.

[author's note: same article as in previous post...but this present post is the original manuscript, with the original structure, and original headline--jk]