Friday, July 17, 2009

Cloud governance: something old, something new, something borrowed …

By Ron Schmelzer

This guest post comes courtesy of ZapThink. Ron Schmelzer is a senior analyst at ZapThink. You can reach him here.

As we predicted earlier in the year, cloud computing is starting to take hold, especially if you believe the marketing literature of vendors and consulting firms. Yet, we are seeing an increasing number of Cloud success stories, ranging from simplistic consumption of utility Services and offloading of compute resources to the sort of application and process clouds we discussed in a previous ZapFlash. Perhaps the reason why usage of the Cloud is still nascent in the enterprise is because of an increasing chorus of concerns being voiced about the usage of Cloud resources:

Cloud availability. Cloud security. Erosion of data integrity. Data replication and consistency issues. Potential loss of privacy. Lack of auditing and logging visibility. Potential for regulatory violations. Application sprawl & dependencies. Inappropriate usage of Services. Difficulty in managing intra-Cloud, inter-Cloud, and Cloud and non-Cloud interactions and resources. And that’s just the short list.

Do any of these issues sound familiar? To address these concerns, we have to return to a topic we’ve hashed over and again on the SOA side of things: governance. The above issues are primarily, if not exclusively, governance concerns. Thankfully, in many ways, we can apply what we’ve already learned, implemented, and invested in SOA Governance directly to issues of Cloud Governance. However, SOA and Cloud, while complementary, are not equivalent concepts. There are a wide range of patterns and usage considerations that are either new to the SOA Governance picture or ones that we were able to gloss over. To make Cloud computing a success, we need to make Cloud governance a success. So, what can we apply from our existing SOA governance knowledge, and what new things do companies need to consider?

Design-Time Cloud Governance


Designing Services to be deployed in the Cloud is much like designing Services for your own SOA infrastructure. In fact, that’s the point – most Cloud infrastructure providers, whether they are third-party Cloud providers like Amazon.com, or self-hosting Cloud infrastructure vendors, pitch the simplicity of Cloud Service development and deployment. However, within this simple mode lurks an insidious beast: if you thought it was hard to get your developers on the same page with regard to Service development when you owned your own SOA infrastructure and registry, try it when you have little visibility into the Service assets built by unknown developers. In the early days of Web Services-centric SOA development, companies faced developers hacking out a wide array of incompatible “Just a Bunch of Web Services (JBOWS)” style Services thrown willy-nilly on the network; now they face the same issue in the Cloud. Of course, JBOWS doesn’t a SOA make, and neither does it a Cloud make.

Furthermore, with the simplicity of Cloud Service development, deployment, and consumption, developers can use Cloud capabilities undetected by IT management. It’s not unusual for a developer to dabble with an Amazon Machine Image (AMI) for a project. Simply use a personal Amazon account and credit card and off you go! And to make matters worse, not everyone creating or consuming Cloud Services will even be from within the IT department. In a previous ZapFlash, I admonished IT to become more responsive to the business lest they become disintermediated. Don’t want your sales and marketing folks using Cloud services? Good luck trying to prevent that. I wish you even more luck trying to get visibility into what they are doing. Without adequate design-time Cloud governance, you’re up a croc-infested river without a paddle.

Making matters worse, SOA governance tools are often missing in the Cloud Computing environment. There’s no central point for a Cloud consumer/developer to view the Services and associated policies. Furthermore, design-time policies are easily enforceable when you have control over the development and QA process, but those are notoriously lacking in the Cloud environment. The result is that design-time policies are not consistently enforced on the client side, if at all. Clearly, SOA governance vendors and best practices need to step up to the plate here and apply what we already know about SOA registries/repositories and governance processes to give the control that’s needed to avoid chaos and failure. This means that IT needs to provide the enterprise a unified, Service-centric view of the IT environment across the corporate data center and the Cloud.

Run-Time Cloud Governance

Making matters worse is a collection of run-time and policy issues that are complicated by the fog of Cloud computing infrastructure. Data reside on systems you don’t control, which may be in other countries or legal jurisdictions. Furthermore, systems are unlikely to have the same security standards as you have internally. This means that your security policies need to be that much more granular. You can’t count on using perimeter-based approaches to secure your data or Service access. Every message needs to be scrutinized and you need to separate Service and data policy definition from enforcement. The Cloud doesn’t simplify security issues – it complicates and exacerbates them. However, there’s nothing new here. Solid SOA security approaches, such as those we espouse in our LZA Boot Camps, have always pushed the “trust no one” approach, and the Cloud is simply another infrastructure for enforcing these already stringent security policies.

In addition, Cloud reliability is pretty much out of your hands. What happens if the Cloud Service is not available? What happens if the whole Cloud is unavailable? Now you don’t only need to think about Service failure, but whole Cloud failover. Will you have an internal SOA infrastructure ready to handle requests if the Cloud is unavailable? If you do, doesn’t that entirely kill the economic benefit of Cloud in the first place? An effective Cloud governance approach must provide the means to control, monitor, and adapt Services, both with on-premises and Cloud-based implementations, and needs to provide consistency across internal SOA & cloud SOA. You should not keep your business (or IT) Service consumers guessing as to whether a Service they are consuming is inside the network or in the Cloud. The whole point of loose coupling and the Cloud is location independence. To make this concept a reality, you need management and governance that spans SOA infrastructure boundaries.

Yet, there’s more to the runtime Cloud governance picture than management and policy enforcement. Data and compliance issues can be the most perplexing. Most third-party Cloud providers provide little, if any, means to do the sort of auditing and logging that’s demanded from most compliance and regulatory requirements, let alone your internal auditing needs. Companies need to intentionally compose all Cloud Services with internal auditing and logging Services deployed on the Cloud or (preferably) the local network, negotiate better access to logging data from the Cloud provider, and implement policies for Cloud Service use to control leakage of private information to the Cloud. Furthermore, companies need to implement usage policies to control the excessive, and potentially expensive, use of Cloud Services in unauthorized ways.

One way to solve this problem is through the use of network intermediaries and gateways that keep a close eye on traffic between the corporate network and the Cloud. Intermediaries can scan cloud-bound data for leakage of private or company-sensitive data, filter traffic sent up to cloud platforms, apply access policies to Cloud Services, provide visibility into authorized and unauthorized usage of Cloud Services, and prevent unsanctioned use of Cloud Services by internal staff, among other benefits. Of course, these benefits do not extend to intra-Cloud Service consumption, but can provide a lowest common denominator of runtime governance required by the organization.
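The gateway checks described above, as an added example (not code from this post or from any vendor): a policy function that decides whether a cloud-bound request may leave the corporate network, plus a per-service usage summary for visibility. The allowlist, hostnames, groups, function names, and sample requests are all hypothetical and constructed for illustration.

```python
import re
from dataclasses import dataclass

# Assumed policy (hypothetical hosts and groups): sanctioned Cloud Services
# and the internal groups allowed to call each one.
SANCTIONED = {
    "storage.cloud.example": {"engineering", "it"},
    "crm.cloud.example": {"sales", "it"},
}

# Content patterns for cloud-bound data. Card candidates are confirmed with a
# Luhn checksum so that ordinary long reference numbers are not flagged.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
NATIONAL_ID_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
MARKER_RE = re.compile(r"company confidential", re.IGNORECASE)


@dataclass
class Request:
    user: str
    group: str
    host: str
    body: str


@dataclass
class Decision:
    action: str   # "allow" or "block"
    reasons: list  # policy labels only, never the matched data itself


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(body: str) -> list:
    """Return labels for sensitive content found in an outbound body."""
    labels = []
    for match in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", match.group())
        if luhn_ok(digits):
            labels.append("payment-card")
            break
    if NATIONAL_ID_RE.search(body):
        labels.append("national-id")
    if MARKER_RE.search(body):
        labels.append("confidential-marker")
    return labels


def evaluate(req: Request) -> Decision:
    """Apply access policy first, then content scanning; collect every reason."""
    reasons = []
    allowed_groups = SANCTIONED.get(req.host.lower())
    if allowed_groups is None:
        reasons.append("unsanctioned-service")
    elif req.group not in allowed_groups:
        reasons.append("group-not-authorized")
    reasons += [f"leak:{label}" for label in find_sensitive(req.body)]
    return Decision("block" if reasons else "allow", reasons)


def usage_summary(requests) -> dict:
    """Per-host allow/block counts: who is using which Cloud Service."""
    summary = {}
    for req in requests:
        counts = summary.setdefault(req.host.lower(), {"allow": 0, "block": 0})
        counts[evaluate(req).action] += 1
    return summary


# Constructed sample traffic (not real users, hosts, or card data).
SAMPLE_REQUESTS = [
    Request("alice", "engineering", "storage.cloud.example", "build artifact upload, job 4821"),
    Request("bob", "sales", "storage.cloud.example", "quarterly deck"),
    Request("carol", "sales", "crm.cloud.example", "customer card 4111 1111 1111 1111 exp 12/10"),
    Request("dave", "marketing", "files.unknown.example", "Company Confidential: launch plan"),
    Request("erin", "it", "crm.cloud.example", "ticket ref 1234567890123456"),
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        d = evaluate(r)
        print(f"{r.user:6} -> {r.host:24} {d.action:5} {d.reasons}")
    print(usage_summary(SAMPLE_REQUESTS))
```

As the post notes, a check like this only sees traffic that crosses the gateway; Service-to-Service calls inside the Cloud never reach it.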

Change Management and Cloud Governance

Finally, the last major Cloud governance issue is one of change management. How do you prevent versioning of Cloud Services or even Cloud infrastructure from having significant repercussions? Proper Cloud governance techniques need to lift a page from the SOA governance book and deal with versioning at all levels: Service implementation, contract, process, infrastructure, policy, data, and schema. If you can deal with these inside the network and in the Cloud, you’re golden. If you have any gaps, you’re just itching for trouble.

But the biggest bugaboo here is testing. There simply aren’t many good approaches for testing a Cloud-implemented Service other than to do it in the live, Cloud “production” environment. Indeed, we usually get rotten tomatoes thrown at us when we teach in our LZA boot camps that it is increasingly ineffective to test SOA implementations in a QA environment as the SOA implementation becomes more mature, but now we just get blank stares when we ask if there’s such thing as a Cloud “QA” environment. Of course not. The same approach applies to SOA testing as Cloud testing: test your Services in a live environment by making sure that failures are self-contained and that automated fall-back mechanisms exist. If it can work in your own SOA environment, it can work in the Cloud… and vice-versa.

The ZapThink Take

SOA is an architectural approach and philosophy guiding the development and management of applications. Cloud is a deployment and operational model suited to host certain types of Services within an existing SOA initiative. The Cloud concept within the SOA context is one of Service infrastructure, implementation, composition, and consumption. The SOA concept within the Cloud context is one of application-level abstraction of Cloud resources. Therefore, think of Cloud Governance as evolved SOA governance.

Companies with a proper SOA governance hat on should have few problems as they move to increasingly utilize Cloud services, but those who have failed to take either an architectural perspective on Cloud or have glossed over SOA governance issues will be forced to quickly get a SOA perspective to get things right. In order for these both to work together, companies need to have a consistent SOA and Cloud Governance strategy. To address these issues, ZapThink recently launched our SOA and Cloud Governance training & certification workshops. By addressing each of the issues and potential solutions discussed above, we plan to dive deeper than anyone else has into this topic. We hope to see you there and continue the conversation and movement to SOA and Cloud success!


The cloud gets up close and personal

Can you fit a cloud on your laptop?

Probably not.

But you can mock up basic cloud services, such as those for a shopping cart application, on your PC so you can see how the Web app you are working on will interact when it eventually reaches out and touches the real cloud, says Chris Kraus, product manager for iTKO, the testing software vendor, which offers tooling for recording or mocking cloud services.

He sees growing interest among customers for the personal cloud concept, allowing developers to code and test Web applications that will eventually interact with services in the cloud. Cloud services on a PC provide two major advantages for developers during coding and testing, he says. [Disclosure: iTKO is a sponsor of BriefingsDirect podcasts].

First, the developer working on a cloud application is free to work anywhere, anytime regardless of whether the real cloud services are available or accessible. If a cloud service for a shopping cart is down for some reason, developers are not impacted since their version of the service is on their laptop. They can also code when they are on a plane, or in another environment with no access to the cloud.

Second, although this is probably first in the minds of budget conscious IT managers, the developer is not running up charges for accessing the cloud services, Kraus says.

“If the services are hosted on a cloud from a third party and I have to maintain physical connectivity, I have to pay to do that,” he said. “If I have a personal cloud on my desktop, I can take development offline, interact with those services, make sure my HTML is tight, and do all the stuff that is important to me. Then I point it to the real cloud and actually get the development up.”

Mike Gualtieri, senior analyst at Forrester Research, also sees value in the personal cloud concept.

In a recent post on his blog, Developers Need A Personal Cloud, the analyst points to its value in terms of portability.

“What developers could use is a Personal Cloud that would allow them to configure their local environment in multiple ways and take it with them wherever they go,” he writes. “I know this sounds like virtualization and it is to some extent, but extend PC virtualization with cloud concepts and you get the Personal Cloud.”

One commenter on Gualtieri’s blog suggests this concept might be dubbed "local virtualization."

I had an intriguing chat with HP's Jeff Meyers and iTKO chief scientist and co-founder John Michelsen last month at HP's Software Universe conference. The confluence of SaaS and cloud with application development and the test phase is changing rapidly, we observed.

Compressing the test phase into the development and production becomes more feasible. And as virtualization becomes more common, building an application or service in its own runtime stack bubble from inception to sunset starts to make sense. OSGi fits into the vision nicely.

And while we're combining all the elements of an application and platform from cradle to grave, why not tune the whole package before, during and after development too ... then load the entire package as a portable cloud-supported production unit?

Now, that's a "personal" cloud (I prefer cloud service nodule), but with high service performance output, and far less time and cost in the total lifecycle. Higher overall quality too. What do you think?

BriefingsDirect contributor Rich Seeley provided research and editorial assistance on this post. He can be reached at RichSeeley@aol.com.

Wednesday, July 15, 2009

Panda's SaaS-based PC security manages client risks, adds efficiency for SMBs and providers

Listen to the podcast. Download the podcast. Find it on iTunes/iPod and Podcast.com.

Download the transcript. Learn more. Sponsor: Panda Security.

PC security has proven a thorny and expensive problem for users, small businesses, enterprises and managed services providers alike for many years.

But PC security can be increasingly enhanced -- with a cloud-enhanced trouble discovery-and-remediation lifecycle approach -- and delivered as services. This reduces the strain on the PC itself, as well as improves the ability to staunch malware problems quickly before they spread.

As a result, new offerings around cloud-based anti-virus and security protection services are on the rise.

Furthermore, Internet-delivered security -- from the low-touch client agent to the fuller managed services -- provides a strong business opportunity for resellers and channel providers. A fuller such solution then allows small and larger businesses to protect all of their PCs, regardless of location, at decreasing -- rather than increasing -- total costs.

To help delve more deeply into the benefits of security as a service, and explore the cloud strengths of managing malware protection more centrally from the Web, I recently moderated a discussion with independent IT analyst Phil Wainewright, director of Procullux Ventures and a ZDNet SaaS blogger, as well as Josu Franco, director of the Business Customer Unit at Panda Security.

Here are some excerpts:
Franco: There are two basic problems that we're trying to solve here, problems which have increased lately. One is the level of cyber crime. There are lots and lots of new attacks coming out every day. We're seeing more and more malware come into our labs. On any given day, we're seeing approximately 30,000 new malware samples that we didn't know about the day before. That's one of the problems.

The second problem that we're trying to solve for companies is the complexity of managing the security. You have vectors for attack -- in other words, ways in which a system can be infected. If you combine that with the usage of more and more devices in the networks, that combination makes it very difficult for administrators to really be on top of the security.

In order to address the first problem ... we need to take an approach that is sustainable over time. ... We found the best approach is to move processing power into the cloud, ... to process more and more malware automatically in our labs. That's the part of cloud computing that we're doing.

In order to address the second problem, we believe that the best approach for most companies is via management solutions that are easier to administer, more convenient, and less costly for the administrators and for the companies.

We don't see the agents disappearing any time soon to protect the [PC] endpoints. [But by] rebuilding the endpoint agent from scratch, ... we get a much lighter agent, much faster than previous agents. And, very importantly, an agent that is able to leverage the cloud computing capacity that we have, which we call "Collective Intelligence," to process malware automatically.

We've just released this very first version of the Cloud Antivirus agent. We're distributing it for free with the idea that first we want people to know about it. We want people to use it, but very importantly, the more people that are using it, the better protected they're all going to be.


Once you've downloaded this agent, which works transparently for the end user, all the management takes place via SaaS. ... We believe that the more intelligence that we can pack into the agent, the better, but always respecting the needs of consumers -- that is to be very fast, to be very light, to be very transparent to them.

[Next we provide] ... a management console [Panda Managed Office Protection] that's hosted from our infrastructure, in which any admin, regardless of where they are, can manage any number of computers, regardless of where they are located.

This works by having every agent talk to this infrastructure via Internet, and to talk to other agents, which might be installed in the same network, distributing updates or distributing other types of policies.

Wainewright: To be honest, I've never really understood why people wanted to tackle Web-based malware in an on-premise model, because it just doesn't make any sense at all. The attacks are coming from the Web. The intelligence about the attacks obviously needs to be centralized in the Web. It needs to be gathering information about what's happening to clients and to instances all around the Web, and across the globe these days.

Really making sure that the protection is up-to-date with the latest intelligence and is able to react quickly to new threats as they appear means that you've got to have that managed in the center, and the central management has got to be able to update the PCs and other devices around the edge, as soon as they've got new information.

... The malware providers are already using network scale to great effect, particularly in the use of these zombie elements of malware that effectively lurk on devices around the Web, and are called into action to coordinate attacks.

You've got these malware providers using the collective intelligence of the Web, and if the good guys don't use the same arsenal, then they're just going to be left behind.

... More and more, in large enterprises, but also in smaller businesses, we're seeing people turning to outside providers for expertise and remote management, because that's the most cost effective way to get at the most up-to-date and the most proficient knowledge and capabilities that are out there.

Franco: In the current economic times, more and more resellers are looking to add more value to what they are offering. For them, margins, if they're selling hardware or software licenses, are getting tougher to get and are being reduced. So, the way for them to really see the opportunity into this is thinking that they can now offer remote management services without having to invest any amount in what is infrastructure or in any other type of license that they may need.

It's really all based on the SaaS concept. [Managed service providers] can now say to the customers, "Okay, from now on, you'll forget about having to install all this management infrastructure in-house. I'm going to remotely manage all the endpoint security for you. I'm going to give you this service-level agreement (SLA), whereby I'm going to check the status of your network twice or three times a week or once a day, and if there is any problem, I can configure it remotely, or I can just spot where the problems are and I can fix them remotely."

This means that for the end user it's going to reduce the operating cost, and for the reseller it's going to increase the margins for the services they're offering. We believe that there is a clear alignment among the interests of end users and partners, and, most importantly, also from our side with the partners. We don't want to replace the channel here. What we want is to become the platform of choice for these resellers to provide these value-added services.

Tuesday, July 14, 2009

Rethinking virtualization: Why enterprises need a sustainable virtualization strategy over hodge-podge approaches

Listen to the podcast. Download the podcast. Find it on iTunes/iPod and Podcast.com. Learn more. Sponsor: Hewlett-Packard.

Read a full transcript of the discussion. Download a pdf of this transcript.

Attend a virtual web event from HP on July 28- July 30, "Technology You Need for Today's Economy." Register for the free event.

Enterprises today need a better way to prevent server sprawl and complexity that can impact the cost of virtualization projects. Three important considerations are instrumental for effective enterprise virtualization adoption, and they often amount to a rethinking of virtualization.

First, how do enterprises manage and control how network interconnections are impacted by widespread virtualization? Second, how can configuration management databases (CMDBs) help in deploying virtualized servers? And third, how can outsourcing help organizations get the most bang for their virtualization buck?

Rethinking virtualization becomes necessary to attain a sustainable enterprise virtualization strategy because virtual machines (VMs) present unique challenges.

To get to the bottom of the larger, pro-active means of virtualization planning, I recently interviewed three executives from HP: Michael Kendall, worldwide Virtual Connect marketing lead; Shay Mowlem, strategic marketing lead for HP Software and Solutions; and Ryan Reed, a product manager for EDS Server Management Services.

Here are some excerpts:
Mowlem: Certainly, many companies today have recognized that consolidating their infrastructure through virtualization can reduce power consumption and space utilization, and can really maximize the value of the infrastructure that they’ve already purchased.

Just about everybody has jumped on the virtualization bandwagon, and many companies have seen tremendous gains in their development in lab environments, in managing what I would consider to be non-mission-critical production systems. But, as companies have tried to apply virtualization to their Tier 2 and Tier 1 mission-critical systems, they're discovering a whole new set of issues that, without effective management, really run counter to the cost benefits.

... For IT to realize the large-scale cost benefits of virtualization in their production environments they need to prove to the business that the service performance and the quality are not going to be lost. ... The ideal approach should include a central vantage point, from which to detect, isolate, and prevent service problems across all infrastructure elements, heterogeneous servers, spanning physical and virtual network storage, and all the subcomponents of a service.

We provide tools today that offer native discovery and dependency mapping of all infrastructure, physical and virtual, and then store that information in our central universal configuration management database (UCMDB), where we then track the make-up of a business service, all of the infrastructure that supports that service, the interdependencies that exist between the infrastructure elements, and then manage that and monitor that on an ongoing basis. ... Essentially a configuration database attracts all of the core interdependencies of infrastructure and their configuration settings over time.

Kendall: When you consolidate a lot of different application instances that are normally on multiple servers, and each one of those servers has certain number of I/O for data and storage and you put them all on one server, that does consolidate the number of servers we have.

[It also] has the tendency to expand the number of network interface controllers (NICs) that you need, the number of connections you need, the number of cables you need, and the number of upstream switch ports that you need. ... Just because you can either set up a new virtual machine or want to migrate virtual machines in a matter of minutes, it isn’t as easy in the connection space. Either you have to add additional capacity for networks and for storage, add additional host bus adapters (HBAs), or add additional NICs.

We did some basic rethinking around how to remove some of these interconnect bottlenecks. HP Virtual Connect actually can virtualize the physical connections between the server, the data network, and the storage network. Virtualizing these connections allows IT managers to set up, move, replace, or upgrade blade servers and the workloads that are on them, without having to involve the network or storage folks or being able to impact the network or storage topologies.

Reed: Business services today demand higher levels of uptime and availability. Those data centers, if they were to fail due to a power outage or some other source of failure, are no longer able to provide the uptime requirements for those types of business services. So, it’s one of the first questions that a virtual infrastructure program raises to the program manager.

Does the company or the organization have the skill set necessary in-house to do large-scale virtualization in data center modernization projects? Often times, they don’t, and if they don’t, then what is their action? What is their remedy? How are they going to resolve that skill gap?

... [And there's] a hybrid model, which would be one where virtual infrastructures and non-virtual infrastructures can be managed from either client or organization-owned data center -- or the services provider data center. There are various models to consider. A lot of the questions that lead into how to plan for this type of virtual infrastructure also lead into a conversation about how an outsourcer can be the most value-add.

Outsourcers nowadays are very skilled at providing infrastructure services to virtual server environments. That would include things like profiling, analysis planning, mapping of targets to source servers, and creating a business value for understanding how it’s going to impact the business in terms of ROI and total cost of ownership.

Choose the right partner, and they can grow with you. As your business grows and as you expand your market presence, choosing the services provider that has the capability and capacity to deliver in the areas that you want to grow makes the most sense.

The traditional outsourcing model is one where enterprises realize that the data center itself is not a strategic asset to the business anymore. So they move the infrastructure to an outsourcer data center where the services provider, the outsourcing company, can provide the best services with virtual infrastructures during the design and plan phase. ... We’ve been doing this for 45 years, and it’s really the critical piece of what we do.

Software AG seeks IDS Scheer in webMethods acquisition follow-up act

This guest post comes courtesy of Tony Baer’s OnStrategies blog. Tony is a senior analyst at Ovum. His profile is here. You can reach him here.

Who says there are no second acts in life?

After having caught its breath with the webMethods acquisition almost exactly two years ago, Software AG has struck again with an offer to buy roughly half the shares of IDS Scheer from the company’s founders. The offer, worth roughly $320 million, is still subject to regulatory review.

Both deals are similar in that they are major, but their impacts will be different. webMethods expanded the Software AG business horizontally, adding critical mass to a new SOA middleware business that it was only beginning to build. Additionally, webMethods was a less mature business with more headroom for growth.

By contrast, IDS Scheer simply deepens one of Software AG’s existing businesses: webMethods Business Process Management (BPM). It adds the ARIS process modeling language, which would provide yet another onramp for webMethods BPM customers. And IDS Scheer is a pretty mature business, with the brunt of its installed base being large SAP customers who have used the ARIS language to model their SAP applications. There obviously aren’t a lot of new SAP installations going in these days.

But in other ways, webMethods could give IDS Scheer the jolt that the ARIS business could use. While Software AG’s numbers continued to grow in spite of the recession, IDS Scheer’s business has flattened out, with what little growth is occurring attributable to maintenance streams.

For Software AG, IDS Scheer’s maintenance streams resemble those of its legacy ETS data management business, which has provided the company the annuity revenue flow to fund its acquisitions. But that’s where the similarity ends. The webMethods BPM business, which is much earlier in its growth curve, represents a potential greenfield base for ARIS. Better yet for Software AG, it provides a foothold into the SAP customer base where the company has not been heavily present. And, although SAP is also a player in the middleware space with NetWeaver, it has not been terribly active with BPM.

More interestingly, it throws down a gauntlet to Oracle, which currently OEMs the ARIS language as one of the options for its Fusion BPM middleware stack. Although Oracle promotes Fusion’s “hot pluggable” best of breed strategy, probably the last place Oracle wants best of breed is in the BPM stack. With ARIS providing a direct onramp to webMethods BPM, and in turn the Software AG SOA stack, continuation of the OEM deal provides Software AG the opportunity for a wedge strategy.

As for IBM, making ARIS native to the webMethods BPM suite provides a line of defense against WebSphere incursion into the SAP installed base. Although hardly a show stopper, it provides Software AG yet another tool in its arsenal to compete with IBM WebSphere.

Just about the only thing that surprised us in this announcement was that SAP didn’t act first. Their customers only happen to form the majority of the ARIS base.

Postscript: Here’s hoping that maybe we’ll have a chance to hear Professor Scheer’s mean baritone sax at Software AG events.


Rackspace takes open source approach with release of Cloud Servers API

Positioning its cloud hosting services as an alternative to Amazon’s Elastic Compute Cloud (EC2), Rackspace announced today the public availability of Cloud Servers API based on representational state transfer (REST).

Taking an open-source approach, Rackspace’s 43,000 cloud-computing customers played a major role in the API specifications, explained Emil Sayegh, general manager for The Rackspace Cloud, formerly branded as Mosso cloud hosting. They overwhelmingly preferred the newer lighter-weight REST approach to the older heavy-duty SOAP standard that Amazon uses, he said.

“With the number of companies that provided input into this API, the way I see it this is their design,” he told BriefingsDirect. “This API is based on their input.”

This open community approach is a major differentiator between Amazon and the Rackspace alternative.

It may very well also be a difference with Microsoft and its Windows Azure offerings, the initial pricing of which was also unveiled today. See Mary-Jo Foley's take.

The next step in Rackspace’s strategy is to open source the API, which according to Sayegh will be announced soon. He notes that Amazon has no announced plans to go to open source.

“What we’re seeing is customers are really clamoring for an alternative to Amazon,” Sayegh said, acknowledging that Amazon is the market leader while positioning Rackspace as the number two that is trying harder.

“We have the largest platform as a service (PaaS) in cloud sites,” Sayegh said. “We are definitely in terms of size second to Amazon.” He sees today’s release of the API strengthening the Rackspace Cloud position in the market.

I recently talked with Mosso co-founder Jonathan Bryce, and a group of analysts, on the subject of PaaS and its role in propelling cloud computing forward. Read a transcript.

Prior to today’s API release, customers used a Web-based control panel to manage their Rackspace cloud usage. This meant they had to manually scale up or down as their business demands fluctuated.

The API allows developers to programmatically interact with the Rackspace cloud servers so scalability can be made automatic, Sayegh explained. The control panel option is still available but the API offers greater choice and flexibility.

“People are raving about how easy it is to use,” he said. As an example, he pointed to Michael Mayo, a developer working alone who was able to create an iPhone remote cloud server management app based on the new API in just three days. Sayegh said even he was surprised that a lone coder could use the API to build an application that quickly.

Rackspace Cloud currently offers three cloud hosting products:
  • Cloud Sites, which provides pools of servers for customer Websites.

  • Cloud Servers, which provides server capacity that can be scaled up and down as the customer requirements change.

  • Cloud Files, which provides “unlimited storage” for images, large files, and backups.
BriefingsDirect contributor Rich Seeley provided research and editorial assistance on this post. He can be reached at RichSeeley@aol.com.

Thursday, July 9, 2009

Paglo SaaS offering provides means to harness untamed collection of log and IT resources data

Paglo, the IT management software-as-a-service (SaaS) company, recently announced a new low-cost service that allows companies to tackle the Herculean task of trying to winnow out a rapidly growing mountain of log data.

With log data piling up in terabyte leaps and increasing regulatory pressure to maintain that data for several years, companies now find themselves in danger of being swamped with information about operational events and the daunting challenge of making sense of it. [Disclosure: Paglo is a sponsor of BriefingsDirect podcasts.]

Paglo, Menlo Park, Calif., has upgraded its SaaS log management application, Paglo Logs, for IT professionals to automatically capture and store their logs and instantly search and analyze them. The expanded service provides a powerful Google-like search capability to enable rapid discovery of key operational events, a platform for meeting compliance requirements, and a way to accelerate the investigation of security incidents.

I was impressed with Paglo when they first came out, and the additional services -- now extending to capture and search of expansive sets of IT assets and other metadata on their performance -- make it a powerful tool for the cloud era.

How can you be responsible for performance on systems that cross company or provider boundaries? With SaaS offerings like Paglo, you can set up log gathering and search across all the systems that support a business process, regardless of their sourcing. Very cool.

An on-demand service with a "zero footprint" architecture, Paglo Logs collects rich systems data from all networked devices and requires no additional software or appliances to use. Paglo Logs allows users to:
  • Accelerate problem resolution by going directly from the logged events to the underlying infrastructure, to view health and performance data or to access a particular machine.

  • Meet the Payment Card Industry (PCI) Data Security Standard (DSS) by tracking all devices, software and configurations, monitoring wireless access, and securing central log collection.

  • Provide both developers and operations the ability to troubleshoot application issues and understand user behavior without logging into the production servers.

  • Improve their security profile and incident response by immediately receiving alerts and using saved searches and dashboards.
To maintain security, each business using Paglo has its own search index that keeps the log and network information separate and private from other subscribers. Setting up requires no appliances, on-site dedicated servers

As I said in the Paglo release on the news, "Companies need to harness and analyze the information explosion coming from all of their computer, server, network and log data. It's a very productive way to improve operating efficiencies, gain a clear understanding of true IT costs, and to meet compliance requirements. As an on-demand service, Paglo helps drop the complexity barriers to quick and effective log search and analytics."

The services come in three flavors: Paglo IT, a more complete offering; Paglo MSP, targeted at managed services providers; and Paglo Logs, for the full search and visualization services (and with a free introductory offer). The services are designed to appeal to security professionals, IT administrators, and developers of on-demand applications and services.

The new Log Management service is available immediately and accounts can be created directly online. A free trial is available at https://app.paglo.com/signup?product=logs. Paid plans start at an aggressive $99 per month.

Wednesday, July 8, 2009

Don’t use an ESB unless you absolutely, positively need one, Mule CTO warns

“To ESB or not to ESB,” that is the question Ross Mason, MuleSource CTO, raises in his blog this week.

It would be heresy among marketers at many vendors, but the MuleSource CTO is actively discouraging architects and developers from using an enterprise service bus (ESB), including his company’s open-source version, unless they are sure they really need one.

Misuse of ESBs leads to overly complex architectures that can be more difficult to remedy than a straightforward Web services-based architecture that omits the ESB in early versions of an enterprise application, Mason argued in a phone conversation about his blog.

“There are two main mistakes I see most of the time,” he told BriefingsDirect. “There’s not enough of an integration requirement or there’s not enough use of the ESB features to warrant it.”

You don’t need an ESB if your project involves two applications, or if you are only using one type of protocol, he explains.

“If I’m only using HTTP or Web services, I’m not going to get a lot of value from an ESB as opposed to using a simpler Web services framework,” Mason said. “Web services frameworks are very good at handling HTTP and SOAP. By putting in an ESB, you’re adding an extra layer of complexity that’s not required for that job.”

Architects and developers using an ESB in these cases are probably engaging in "resume-driven development (RDD)." If anybody asks you if you’ve deployed an ESB in an application you’ve worked on you can say, yes. And then you can hope the hiring manager doesn’t ask if the application really required the technology.

Another mistake Mason cites is using an ESB and thinking that you are future-proofing an application that doesn’t need it now, but might someday.

“You’ll Never Need It (YNNI), that acronym has been around awhile for a reason,” Mason says. “That’s another killer problem. If you select an ESB because you think you might need it, you definitely don’t have an architecture that lays out how you’re going to use an ESB because you haven’t given it that much thought. That’s a red flag. You could be bringing in technology just for the sake of it.”

Adding his two cents to the “Is service-oriented architecture (SOA) dead” debate, the MuleSource CTO says such over-architecting contributes to the problems IT is encountering with SOA, problems that have given the acronym a bad name. “Architecture is hard enough without adding unnecessary complexity,” he said. “You need to keep it as simple as possible.”

Ironically, adding an ESB because you might need it someday can lead to future problems that might be avoided if you left it out to begin with and then added it in later, Mason said.

“The price of architecting today and re-architecting later is going to be a lot less than architecting badly the first time,” he explained. “If you have a stable architecture, you can augment it later with an ESB, which is going to be easier than trying to plug in an ESB where it’s not going to be needed at that time.”

While the conversation focused on the pitfalls of using an ESB where you don’t need one, the MuleSource CTO naturally believes there are architectures where the ESB makes sense. To begin with, you need to be working on a project where you have three or more applications that need to talk to each other, he explained.

“If you’ve got three applications that have to talk to each other, you’ve actually got six integration points, one for each service, and then it goes up exponentially,” Mason said.

The ESB technology is also needed where the protocols go beyond HTTP. “You should consider an ESB when you start using Java Message Service (JMS), representational state transfer (REST), or any of the other protocols out there,” Mason said. “When communications start getting more complicated is when an ESB shows its true value.”

BriefingsDirect contributor Rich Seeley provided research and editorial assistance on this post. He can be reached at RichSeeley@aol.com.