Friday, 14 November 2014
Separation of Business logic and Integration logic
Most of the large Integration projects comprise of multiple teams like service teams, UI teams and Integration teams. When a certain complex business capability is being built it would be composed of business logic , application logic and integration logic which then would picked up by the respective teams for implementation. However in real world situations often there is ambiguity on this as there no clear definition within the enterprise of what constitutes a business logic or a integration logic.In fact, the choice may depend on the nature of the enterprise or even a particular situation within the enterprise
We can define Business logic as the logic that refers to the business process requirement which will be used to generate an output or consume an input. Business logic ideally resides in the end systems.
An Integration Logic on the other hand refers to the transformation and modification requirements which arise when different systems communicate with each other. Integration logic is typically owned by IT.
To distinguish between the two better one must understand the difference between syntactic logic and semantic logic.
Business logic creates, reads, updates, or deletes the semantics associated with achieving business goals. Conversely, integration logic only modifies syntax associated with achieving the necessary inter connectivity.
Let take an example where you order a pizza and your order is routed to to nearest branch based on your geographical location. Each branch implements its own version of OrderPizza sevice (Say they were separate pizza delivery stores which have been bought over by large pizza chain)
Some of these services take your postcode as <Postcode><number>1234</number><letter>AB</letter></Postcode> where as some simply take <Postcode>1111AB</Postcode>
This is typically a syntactic logic and needs to be solved in Integration layer. A semantic logic on the other hand would be that if the pizza is not delivered within a stipulated time you get a discount as this logic is related to the core business.
However now lets look at another situation. The pizza ordering system must now check if the nearest pizza store is closed and if so it must place the order to the next nearest one or the next one till the distance between delivery point and the pizza store exceeds certain specified distance.
Though this does not change the semantics of ordering the pizza but this logic is associated with a business rule and not merely an IT logic. Moreover it cannot be realized by one service provider as the granularity of the business task is larger than any one provider interaction offers.
For such task the Integration layer must be further be split into ones that IT owned non-semantic logic and Business owned non-semantic logic. Typically the former is realized through ESB and later though a orchestration layer. A good architecture should make clear separation of these responsibilities.
Friday, 2 May 2014
How to build Identity and Access Management In Cloud
Ask a CIO what her top concerns are with cloud computing , and he's almost certainly going to list security as his #1 concern. Cloud Security is a very big issue. At least, it's a very big perceived issue. Though there are several aspects to Cloud security one key aspect is identity and access management. . In case of multiple clouds system administrators spend too much time to create cloud accounts for new users and may forget to terminate accounts for ex-users. User activity without oversight or authorization leads to risk of sensitive data loss and compliance violations. Systems with sensitive or regulated data may be vulnerable without additional layers of protection.
Federated Identity management is therefore becoming increasingly important as it allows companies to enforce access control policies across multiple applications in a consistent manner, which provides an overall reduced cost of implementation.
As enterprises shifted toward cloud-based services at the turn of the century and software-as-a-service (SaaS) applications became more prevalent, the domain-based identity and access management mechanisms began breaking. This shift created a new need for a secure connection to multiple applications outside of the enterprise perimeter and transformed the perception on identity management.
As enterprises continue to adopt cloud-based technologies outside of their network perimeter, the need for reliable identity management solutions becomes more vital. To address these new use cases, organisations planning to adopt cloud architecture must also create a roadmap to move to new ways handling identity and access with cloud.
A good starting point for building a cloud security architecture is the security architecture reference in TOGAF.
A TOGAF iteration should then be “Cloud Identity and Access”. The Enterprise Architecture team drives the programme and works collaboratively with both the business and the IT department.
For purpose of this blog we limit the scope to identity and access management issues of cloud security.
As enterprises continue to adopt cloud-based technologies outside of their network perimeter, the need for reliable identity management solutions becomes more vital. To address these new use cases, organisations planning to adopt cloud architecture must also create a roadmap to move to new ways handling identity and access with cloud.
A good starting point for building a cloud security architecture is the security architecture reference in TOGAF.
A TOGAF iteration should then be “Cloud Identity and Access”. The Enterprise Architecture team drives the programme and works collaboratively with both the business and the IT department.
For purpose of this blog we limit the scope to identity and access management issues of cloud security.
In the Preliminary Phase a cloud
security policy should be in place. A carefully crafted cloud security policy
document should answer these questions
- How well does
the cloud provider’s security policies and procedures align with the
organisation?
- For
applications in the cloud, who within the organisation is allowed to
modify settings on the cloud that affect performance?
- How
should administrative privileges to the cloud provider be managed?
- How user
consent must be taken care of for storing his data in cloud
- How interoperability of multiple identity providers can be managed?
- How to provide consistent experience across context?
- How user data should and access should be removed once the user is no longer a part of the organisation?
In Architecture Vision Phase define necessary security-related management sign-off milestones of this architecture development cycle. This must also include sign offs with cloud service providers and identity and access providers and determining trust boundaries
Determine and document applicable disaster recovery or business continuity plans/requirements
Any existing disaster recovery and business continuity plans must be understood and their relationship with the planned system defined and documented.Disaster recovery would involve replicating an entire site,
including the identity repositories, in addition to replacing
hardware or subcomponents.
Identify and document the anticipated physical/business/regulatory environment(s) in which the system(s) will be deployed. All regulations regarding storage of user information in cloud must be clearly understood
In Phase B:Business Architecture set up the businesses process for identity and access management
Identify roles and actors related to user and authorization management.
Determine access levels of users.
In Phase C: Data Architecture, Identity repositories, in particular may be an issue for cloud computing as it pushes information back into siloes, that IT may not have direct access to. It is also recommended to determine user data and privacy classification and to prioritise the risk criteria of what goes in the cloud and what stays on-premise.
During Phase E and F there is a need to focus on these key aspects of Identity and access management
Directory: Identify a central directory for linking user groups to SaaS.
Access: Integrate externalized access technology with your centralized directory.
User provisioning & de provisioning: The provisioning of new accounts and user profiles
Federation: A common set of policies, practices and protocols in place to manage the identity and trust into IT users and devices across organizations
Audit: Track user access and actions
A sound architecture will enable re usability of identity and access services for all use cases in public, private and hybrid cloud models. Federation architecture is the first step to identity management to evolve for the cloud to
become a trusted computing platform. Organizations thus must have clear roadmap for it before embarking into cloud computing.
Thursday, 23 January 2014
Cloud Computing Standards and how they map to a Cloud Reference Architecture
There is currently a lot of discussion about the role of standards in the cloud, along with a large amount of activity in standards development for the cloud. While some parties see the cloud as something completely new that requires an entirely new set of standards, other parties see the cloud as a technology based on existing technologies that already have standards.
While there are many standards that were developed in support of pre-cloud computing technologies, such as those designed for web services and the Internet, which also support cloud computing, many new cloud computing standards have emerged in recent years and several others are still in draft form.
These standards are now being developed in specific support of cloud computing functions and requirements.. There are many organisation operating in this space but it does not appear there is conscious effort to avoid duplication and contradiction.It is unlikely an all encompassing standard will emerge in cloud.
Based on the conceptual reference model of Cloud Service provider defined by NIST I try to catalogue some cloud related standards and how they map to the reference model. While many standards are generally relevant to these cloud computing areas, the following sections will map those specifically relevant to cloud.
Cloud Service Management includes all of the service-related functions that are necessary for the management and operation of those services required by or proposed to cloud consumers.As illustrated cloud service management can be described from the perspective of business support, provisioning and configuration, and portability and interoperability requirement.
Name of the specification
|
OASIS Public Administration Cloud Requirements (PACR)
|
Category
|
Provisioning/configuration::SLA management
|
Purpose and function of the specification
|
Set of common required functional elements, and measurable criteria or qualities that should be present in cloud
|
URI for the normative text of the specification
| |
The name of the SDO that generated/authored/hosted the specification
|
Organisation for the Advancement of Structured Information Standards (OASIS)
|
Which of the categories of Cloud services does the standard address?
|
SaaS, PaaS, and IaaS
|
Name of the specification
|
OASIS Cloud Application Management for Platforms (CAMP)
|
Category
|
Provisioning/configuration
|
Purpose and function of the specification
|
Management of resources within the Platform as a Service domain.an interoperable protocol that cloud implementers can use to package and deploy their applications.
|
URI for the normative text of the specification
| |
The name of the SDO that generated/ authored/ hosted the specification
|
Organisation for the Advancement of Structured Information Standards (OASIS)
|
Which of the categories of Cloud services does the standard address?
|
PaaS
|
Name of the specification
|
Cloud Infrastructure Management Interface
|
Category
|
Provisioning/configuration
|
Purpose and function of the specification
|
Management of resources within the Infrastructure as a Service domain. model and protocol for management interactions between a cloud Infrastructure as a Service (IaaS) Provider and the Consumers of an IaaS service
|
URI for the normative text of the specification
| |
The name of the SDO that generated/ authored/ hosted the specification
|
Distributed Management Task Force (DMTF)
|
Which of the categories of Cloud services does the standard address?
|
IaaS
|
Name of the specification
|
Topology and Orchestration Specification for Cloud Applications (TOSCA)
|
Category
|
Interoprability/Portability
|
Purpose and function of the specification
|
Provide interoperable description of application and infrastructure cloud services, the relationships between parts of the service, and the operational behavior of these services
|
URI for the normative text of the specification
| |
The name of the SDO that generated/authored/hosted the specification
|
Organisation for the Advancement of Structured Information Standards (OASIS)
|
Which of the categories of Cloud services does the standard address?
|
SaaS, PaaS, and IaaS
|
Name of the specification
|
Open Virtualization Format Specification
|
Category
|
Interoperability/Portability::System Portability
|
Purpose and
function of the specification
|
An open, secure, portable, efficient
and extensible format for the packaging and distribution of software to
be run in virtual machines
|
URI for the
normative text of the specification
|
|
The name of the
SDO that generated/authored/hosted the specification
|
Distributed Management Task Force (DMTF)
|
Which of the
categories of Cloud services does the standard address?
|
SaaS, PaaS, and IaaS
|
Known
implementations of the specification
|
VirtualBox, Red Hat Enterprise
Virtualization, VMware, IBM POWER server AIX, IBM SmartCloud, OpenNode Cloud
Platform, rPath, SUSE Studio
|
Name of the specification
|
OASIS Symptoms Automation Framework (SAF)
|
Category
|
Monitoring and Reporting
|
Purpose and function of the specification
|
Knowledge sharing across domains, allowing consumer and provider to work cooperatively together to ensure adequate capacity, maximize quality of service, and reduce cost.
|
URI for the normative text of the specification
| |
The name of the SDO that generated/ authored/ hosted the specification
|
Organisation for the Advancement of Structured Information Standards (OASIS)
|
Which of the categories of Cloud services does the standard address?
|
SaaS, PaaS, and IaaS
|
Name of the specification
|
SNIA Cloud Data Management Interface (CDMI)
|
Category
|
Provisioning/configuration ::Data Portability
|
Purpose and function of the specification
|
Functional interface that applications will use to create, retrieve, update and delete data elements from the cloud
|
URI for the normative text of the specification
| |
The name of the SDO that generated/authored/hosted the specification
|
Storage Networking Industry Association International Organization for Standards(SNIA)
|
Which of the categories of Cloud services does the standard address?
|
SaaS, PaaS, and IaaS
|
Name of the specification
|
CloudAuthZ
|
Category
|
Security::Authorization
|
Purpose and function of the specification
|
Managing authorizations and entitlements in SaaS, PaaS, and IaaS contexts
|
URI for the normative text of the specification
| |
The name of the SDO that generated/authored/hosted the specification
|
Organisation for the Advancement of Structured Information Standards (OASIS)
|
Which of the categories of Cloud services does the standard address?
|
SaaS, PaaS, and IaaS
|
Name of the specification
|
OASIS Identity in the Cloud
|
Category
|
Security::Identity Managent
|
Purpose and
function of the specification
|
Identity management in cloud computing
|
URI for the
normative text of the specification
|
|
The name of the
SDO that generated/ authored/ hosted the specification
|
Organisation for the
Advancement of Structured Information Standards (OASIS)
|
Which of the
categories of Cloud services does the standard address?
|
SaaS, PaaS, and IaaS
|
Name of the specification
|
Trusted Multi-tenant
Infrastructure
|
Category
|
Security:: Confidentiality & Integrity
|
Purpose and
function of the specification
|
Implementation patterns for cloud providers and consumers to implement
a trusted computing base using shared multi-tenant infrastructure
|
URI for the
normative text of the specification
|
|
The name of the
SDO that generated/authored/hosted the specification
|
TrustedComputingGroup
|
Which of the
categories of Cloud services does the standard address?
|
SaaS, PaaS, and IaaS
|
Thursday, 9 January 2014
Modeling Cloud Architecture with TOGAF
Cloud computing has emerged as one of the most significant game changers to hit the technology landscape in the recent years.However, the explosion of cloud computing has been a bit of a catch 22 for many enterprises.They are often struggling to understand the benefits of cloud computing as it appears totally disruptive to their current approach to IT operations.
Enterprise Architects will have a crucial role in cloud adoption strategies for enterprises. Enterprise Architecture deals with the whole enterprise and not only on the IT part, but also it involves the business side. Subsequently EA is for business and IT alignment. Now as Cloud is being presented as the most versatile technology in the IT field, there is greater need among enterprise architects to quickly understand transformations being brought in by the Cloud principles and to do the required twist and tweak on the EA. Increasingly enterprise architects are tasked to tune their EA to be Cloud-ready.
As most enterprise architects are familiar with TOGAF it is a good starting point to model your cloud architecture roadmap. The TOGAF ADM can help immeasurably in arriving at a viable Cloud strategy that leads to closer business – IT alignment.
As next-generation services and applications have to be analyzed, architected, and constructed for the cloud landscape from the ground up, the top down approach would be most logical approach.We discuss here the specific steps which need to be adapted in TOGAF for building cloud architectures
Preliminary Phase: -
Identify and Establish Architecture PrinciplesThe architecture principles are an important anchor when establishing the architecture governance. Some Cloud specific architecture principles could be
- Small stateless services
- Use Scalable Ingredients
- Use Resource Pooling
- Support Multi-Tenancy
While TOGAF ADM is one of the very good approach to architect and design Cloud Applications from top down perspective,but the architectural views defined in this framework need to be twisted and tweaked in order to simplify and streamline cloud enablement. Cloud specific terminologies like 'Virtualization' 'SAAS' 'PAAS' 'IAAS' needs to incorporated as a part of terminology tailoring.
Architecture Vision: -
The high-level description produced in Phase A will reflect the cloud based nature of the architecture that is envisaged.
Stakeholders, Concerns, and Business Requirements
There are some concerns that are specific to Cloud in terms of data security , privacy , and transparency which needs to be identified.Assess Readiness for Business Transformation
Quantify the enterprise’s readiness to undergo changes due to cloud model.Extend Business Transformation Readiness Assessment of TOGAF to include cloud specific assessments.
- Is the business prepared to account for IT or applications to be metered out as a service?
- How will processes for change and release fare when allowing certain user groups to self-provision resources?
- How will compliance controls perform in a highly automated virtual world of shared resources?
- What business use cases might benefit most from implementing an internal cloud?
- Is your IT Operations ready to adopt IT Service Management?
Business
Architecture
While the overall business goals of a cloud enabled application will not change, the Business users themselves will be variable in a multi tenant scenario and hence this view may needs to be adjusted for different groups that the Cloud service will cater . Especially the questions like Who Does It, What Do They Do will change for Cloud Applications when compared to traditional enterprise applications.Business applications are typically delivered from enterprise server machines. Now with the emergence of powerful and affordable cloud servers, business services and applications are to be deployed and delivered from the new environment. The business architecture has to take care of security, privacy, and other quality attributes of cloud-based applications. Governance, visibility, and controllability are other important factors to be given a serious thought. There has to be a kind of synchronization between enterprise resources and cloud-based applications.
Data Architecture
The core Entity Relationship modeling of a cloud application may match that of its traditional enterprise application counterpart , however multi tenancy aspect will introduce new variations to the Logical Data Model. Data Security View will be totally different from a traditional enterprise application.Application Architecture
Applications to be cloud ready have to undergo some critical changes. The PaaS Platform will abstract several traditional components that are part of the Application Architecture View and hence this view will be different from a traditional enterprise application. This includes custom-built shelf software to be converted into SaaS.Technology Architecture
Due to the tenants of cloud application like virtualized server environment ,PaaS platform ,On-demand instances and other virtual storage considerations, this view will be the one that will go through maximum changes for a cloud application when compared to a normal application.We see that bringing cloud capabilities to an enterprise is about more than just the latest technology; it is about changing the traditional business and collaboration model with partners, customers, and providers of services to the enterprise.
Subscribe to:
Posts (Atom)