Monday, November 30, 2009

Microsoft's Cloud Migration Patent Application

Today in InformationWeek, Alexander Wolfe speculates about Microsoft's patent application regarding data migration between cloud services. Although on the face of it a patent for Cloud migration would appear to be aimed at removing the lock-in associated with a single vendor, the patent application is in fact aimed within a single vendor's system. So it doesn't address the Cloud lock-in problem, which has been identified by ENISA as the #1 risk of cloud computing. Lock-in to a single vendor can be addressed using a Cloud Service Broker solution, which mitigates dependence on a single Cloud service by brokering the connection up to the Cloud service and allowing a switch-over at the interface level to a back-up Cloud service in the event of service failure.

Sunday, November 29, 2009

How clouds are made

How are Clouds made? By leasing an anonymous-looking building, buying commodity servers by the mile, then engaging an infrastructure guy like Randy Bias to put it together? No - I meant real clouds.

So on the day after Thanksgiving, I brought my son to the Liberty Science Center in Liberty City, New Jersey, just across the Hudson from Manhattan. It's a great place - we agreed afterwards that it's right up there with San Francisco's Exploratorium. Boston Museum of Science membership got us in for free.

One of the features of the Liberty Science Center is its open spaces. It just doesn't feel as crowded as other museums. And, in the open spaces, they run Live Science events. One of the live science events, called "Sub Zero", focuses on the different states of matter. The instructors explained how matter can exist in a number of different states (including "Pennsylvania", as one kid answered :-) ).

At the finale, we saw how a cloud can be created by pouring water onto liquid nitrogen:

Hope everyone had a good Thanksgiving weekend, whether or not it was a holiday weekend in your part of the world.

Tuesday, November 24, 2009

Using Token Translation and SAML to link domains together

[ Update: Axway acquired Vordel in 2012 and the new name for the Vordel Gateway is the Axway API Gateway ]

Token translation using SAML is now quite an established way to allow applications in one security domain to communicate with applications in another security domain, on behalf of a user whose identity does not have to also flow with the data. For more info go to Vordel's government page and then click on "Secure Cross-Domain".

Can a similar architecture be used for SOA-to-Cloud and "inter-cloud" scenarios? The answer is "yes - watch this space...."

Monday, November 23, 2009

Command-Line tool for testing Web Services

The free SOAPbox tool includes a command-line interface, called SR ("Send Request"), which allows you to script the load-testing of a Web Service. You can use SR to send multiple requests to a Web Service, to simulate multiple clients, to connect through an HTTP Proxy, to send SOAP attachments to Web Services, and to vary XML message traffic. To learn about SOAPbox, press F1 on SOAPbox's install page and then check out the SR examples, or run SR -h from the command line.

Get SOAPbox (including SR) from

Friday, November 20, 2009

ENISA Cloud Computing Risk Assessment - Three initial thoughts

The ENISA (European Network and Information Security Agency) today released the Cloud Computing Risk Assessment document.

The document does well by including a focus on SMEs (Small and Medium-sized Enterprises) because, as the report says, "Given the reduced cost and flexibility it brings, a migration to cloud computing is compelling for many SMEs".

Three initial standout items for me are:

1. The document's stated Risk Number One is Lock-In. "This makes it extremely difficult for a customer to migrate from one provider to another, or to migrate data and services to or from an in-house IT environment. Furthermore, cloud providers may have an incentive to prevent (directly or indirectly) the portability of their customers services and data."

Remember that the document identified SMEs as a major market for cloud computing. What can they do about the lock-in? Let's see what the document says:

The document identifies SaaS lock-in:
Customer data is typically stored in a custom database schema designed by the SaaS provider. Most SaaS providers offer API calls to read (and thereby ‘export’) data records. However, if the provider does not offer a readymade data ‘export’ routine, the customer will need to develop a program to extract their data and write it to file ready for import to another provider. It should be noted that there are few formal agreements on the structure of business records (e.g., a customer record at one SaaS provider may have different fields than at another provider), although there are common underlying file formats for the export and import of data, e.g., XML. The new provider can normally help with this work at a negotiated cost. However, if the data is to be brought back in-house, the customer will need to write import routines that take care of any required data mapping unless the CP offers such a routine. As customers will evaluate this aspect before making important migration decisions, it is in the long-term business interest of CPs to make data portability as easy, complete and cost-effective as possible.

And what about PaaS Lock-In?:
PaaS lock-in occurs at both the API layer (ie, platform specific API calls) and at the component level. For example, the PaaS provider may offer a highly efficient back-end data store. Not only must the customer develop code using the custom APIs offered by the provider, but they must also code data access routines in a way that is compatible with the back-end data store. This code will not necessarily be portable across PaaS providers, even if a seemingly compatible API is offered, as the data access model may be different (e.g., relational v hashing).
In each case, the ENISA document says that the customer must develop code to get around the lock-in, in order to bridge APIs and to bridge data formats. However, SMEs generally do not have developers on staff to write this code. "Writing code" is not usually an option for an SME. I know - I worked for an EDI service provider who serviced SMEs in Europe - we would provide the code development services for the SMEs when they needed data transformation done at the client side.

But there is another answer. This bridging is the job of a Cloud Service Broker. The Cloud Service Broker addresses the cloud lock-in problem head-on by bridging APIs and bridging data formats (which, as the ENISA document mentions, are often XML). It is unreasonable to expect an SME to write custom code to bridge together cloud APIs when an off-the-shelf Cloud Service Broker can do the job for them with no coding involved, while providing value-added services such as monitoring the cloud provider's availability, encrypting data before it goes up to the cloud provider, and scanning data for privacy leaks. Read the Cloud Service Broker White Paper here.

2. "Customers should not be tempted to use custom implementations of authentication, authorisation and accounting (AAA) as these can become weak if not properly implemented."

Yes! Totally agree. There is already a tendency to look at Amazon's HMAC-signature-over-QueryString authentication scheme and implement a similar scheme which is similar but not exactly like it. For example, an organization may decide "Let's do like Amazon do and make sure all incoming REST requests to our PaaS service are signed by a trusted client using HMAC authentication", but omit to include any timestamp in the signed data. I can certainly imagine this, because this would happen all the time in the SOA / Web Services world (an organization would decide "Let's make sure requests are signed using XML Signature by trusted clients", but leave the system open to a simple capture-replay attack). Cloud PaaS providers should not make these same mistakes.
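To make the replay point concrete, here is an added example (not code from the original post, and not Amazon's or Vordel's own scheme) of the hardened form of an HMAC-over-QueryString signature: the timestamp and a one-time nonce are bound into the signed data, and the verifier rejects stale timestamps and reused nonces. The secret key, skew window and parameter names are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

SECRET_KEY = b"constructed-demo-secret"  # assumption: shared client/server secret
MAX_SKEW_SECONDS = 300                   # assumption: accepted clock skew window


def canonical_string(method, path, params):
    # Sort the parameters so client and server sign exactly the same bytes.
    return "\n".join([method.upper(), path, urlencode(sorted(params.items()))])


def sign_request(method, path, params, key=SECRET_KEY, now=None):
    # Client side: include Timestamp and Nonce in the signed data. Omitting
    # them is the mistake described above, which makes capture-replay trivial.
    signed = dict(params)
    signed["Timestamp"] = str(int(time.time() if now is None else now))
    signed["Nonce"] = secrets.token_hex(8)
    digest = hmac.new(key, canonical_string(method, path, signed).encode(), hashlib.sha256)
    signed["Signature"] = digest.hexdigest()
    return signed


class Verifier:
    """Server side: checks the MAC, then freshness, then nonce uniqueness."""

    def __init__(self, key=SECRET_KEY, max_skew=MAX_SKEW_SECONDS):
        self.key, self.max_skew = key, max_skew
        self.seen_nonces = set()  # in production: a shared store with expiry

    def verify(self, method, path, params, now=None):
        now = time.time() if now is None else now
        params = dict(params)
        sig = params.pop("Signature", None)
        if sig is None or "Timestamp" not in params or "Nonce" not in params:
            return False, "missing signature, timestamp or nonce"
        expected = hmac.new(self.key, canonical_string(method, path, params).encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):  # constant-time comparison
            return False, "bad signature"
        if abs(now - int(params["Timestamp"])) > self.max_skew:
            return False, "stale timestamp"
        if params["Nonce"] in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces.add(params["Nonce"])
        return True, "ok"
```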

3. Lastly, the document's approach of examining the system in terms of data-at-rest and data-in-motion, identifying risks at each point (such as information disclosure, eavesdropping, or Denial-of-Service), then applying a probability and impact to the risks, is very reminiscent of the "STRIDE and DREAD" model. However I do not see the STRIDE and DREAD model mentioned anywhere in the document. I know it's a bit long in the tooth now, and finessed a bit since the initial book, but it's still a good approach. It would have been worth mentioning here, since it's clearly an inspiration.

XML Performance Offload

The area of XML Performance Offload bridges not only applications in a SOA architecture, but also the use of Cloud-based PaaS services, which often are invoked using XML (e.g. via a WSDL interface) or are invoked using REST-style interfaces which return XML.

Vordel's XML Performance Offload paper is here:

Wednesday, November 18, 2009

Cloud Computing is ...

Techcrunch reports that Google has some implicit suggestions about newspapers, based on the drop-down suggestions it gives when you begin a search with "Newspapers are". It's a nice example of the hive mind at work.

But check out the first suggestion Google gives you if you type "Cloud Computing is" into a Google search bar. I won't spoil the surprise here.

Interestingly, Google used to give similar suggestions for "SOA is", but the results are now a lot less frank and confrontational than they were a month ago. Does this show a change in general attitude about SOA, or is it just that Google cleaned up the results? hmm.

Tuesday, November 17, 2009

XML Bus Feeds and Visualizations

You've heard of XML feeds being consumed into a Service Bus - now here's a consumable Bus Service XML feed. The Boston-area MBTA provides a real-time Web Service feed. For example, this request returns an XML document containing details of current locations of the 39 bus which runs from Jamaica Plain to Boston's Back Bay:

As befits a transport organization in a catchment area which includes MIT, the MBTA has a pretty impressive developers site. And, for anybody keeping score, Boston got there ahead of New York (whose MTA now also provides data feeds).

The MBTA data also has generated some impressive visualizations - check out A Day in the Life of the MBTA.

Monday, November 16, 2009

Maureen O'Gara at Cloud Computing Journal on the Vordel Cloud Service Broker

Maureen O'Gara presents a sneak peek of the Vordel Cloud Service Broker private beta over at Cloud Computing Journal.

Contact Vordel at if you'd like an invitation to the beta....

Thursday, November 12, 2009

MWD: Application and platform security top the list of Cloud development management concerns

The analysts MWD have recently issued the results of their Cloud take-up survey

Headlines are:
  • 54% of respondents highlighted that their organisations are already investing in Cloud Computing, or are planning to invest at some point in the coming year.
  • 61% of those with current investments are investing to support IT development and testing work.
  • Application and platform security top the list of development management concerns
  • Despite market immaturity, 22% of those with current investments already report receiving ROI.
  • Proven ability to scale and support for standards are top supplier selection concerns.
More details at:

Wednesday, November 11, 2009

Government Computing News: Vordel brokers cloud services

This Government Computing News article, written by Trudy Walsh, covers Vordel's Cloud Service Broker launch:

Tuesday, November 10, 2009

Vordel Cloud Service Broker White Paper now available

If you want to read more detail beyond the Vordel Cloud Service Broker announcement, then this White Paper is the place to start. It is available at the URL below:

Monday, November 9, 2009

Jeff Burt from eWeek covers the Vordel Cloud Service Broker announcement

Jeff Burt has posted an article on eWeek covering the Vordel Cloud Service Broker announcement last week at the vordelworld conference:
The tool—which can be bought in an appliance, as software or as a virtualized service in the cloud—essentially is an “on-ramp to the cloud,” [Vordel CEO Vic Morris] said.

The product, which will be available in the first quarter 2010, registers services from all domains into a single repository, enabling businesses to more easily monitor and manage them, and apply policies to them.

The Vordel Service Broker not only offers the Multi-Domain Registry Repository, but also analytics capabilities that give businesses an audit trail on the cloud services they use. In addition, the product includes content analysis capabilities to guard against data loss, caching to reduce cloud costs by servicing some requests itself, traffic throttling, event alerts and SLA monitoring.

Developers also will be able to use the Cloud Service Broker to link local applications with cloud-hosted apps.

Thursday, November 5, 2009

News @ VordelWorld

A full schedule today at VordelWorld with talks by Amazon, CA, Oracle, and others - not to mention Vordel product training. Here is a quick selection of Twitter and Reuters coverage:

A sample of VordelWorld-related tweets:

@Beaker :


Vordel Announces Cloud Service Broker to Bring Trust and Reliability to Cloud Computing

Vordel Appoints Spike Reply as Partner to Further Strengthen Position in Italian SOA Security Market:

Wednesday, November 4, 2009

VordelWorld kicks off this evening

Vordel's annual user conference, VordelWorld, kicks off this evening with registration followed by a Drinks Reception in the Radisson Blu on Golden Lane in Dublin's city center. Main sessions, including talks by Amazon, Burton Group, Oracle, CA, Cross Country Auto, and the mobile telco 3 are tomorrow.

Tuesday, November 3, 2009

French Language Vordel product training at VordelWorld

As well as our English Language Vordel product training this week at VordelWorld, we are also providing the same training in French. Check out our French language Vordel product training here:

Monday, November 2, 2009

How an STS addresses a "Costanza wallet" of security tokens

Maybe you've seen the episode of Seinfeld where George's wallet grows to such a size, with cards and receipts, that he has to offset its weight by stuffing his other pocket with napkins. Then, when he opens the wallet, it explodes.

Gunnar Peterson uses the reference for the multiple security tokens which are associated with users. For example, a user may log into their Windows PC (a Kerberos Token), authenticate with SiteMinder (an smsession token), then use an application which requires a user attribute (SAML Attribute Assertion). Without a Security Token Service (STS) to mediate between all those tokens, you end up with a Costanza Wallet problem, exploding in your face.

I've used a video to describe a Security Token Service before, but I didn't think of using George Costanza's wallet to convey the problems of too many tokens. This is a reference I'll be using from now on (thanks Gunnar!).