Read the Community Blog

Cloud pattern finalised

Take a look at the cloud pattern here on the bulletin board

I think we have an OSA first here, so if you have not signed up for the bulletin board yet then please do so and leave us some comments to help improve the quality. We'll post to the patterns section on the main site in the next few days.

Update: the pattern is now available in the library.

Cloud Computing research

I've been spending time researching the Cloud Computing pattern in the last week or so and I must say I am learning a lot. I've been a big fan of Nick Carr since I saw him speak about 3 years ago, and have long appreciated the possible financial benefits for large organizations of a utility model for computing. However I have the same feeling about some of the distributed technologies that are starting to spring up as I had when I first encountered the Internet back in '93. In other words I think we are in for a really big paradigm shift with a lot of innovation (and I'm not talking about Social networking!). Of course I could just be getting carried away with the hype but I think not, and this is why:

- Lots of bandwidth and always on connections mean it's finally realistic to distribute computing tasks.

- There are a whole bunch of smart newcomers who treat the Internet as their platform (rather than an OS plus bits like MS)

- The technology stack has matured to the point where the basic foundations are already in place and mainly available as Free and Open Source Software (OS, browser, programming languages, dev environments, content management, DBMS, web protocols), making it cheap and easy to start building neat things on top... i.e. you don't need a massive budget and hundreds of man-years of effort to put your ideas into practice.

- On the client side the technologies are at a point where you can deliver a pretty rich user experience within a browser environment.

While there is the potential for some real security benefits, they are uncertain right now, and the compliance implications could be massive, especially for larger organizations that have to worry about these kinds of things more. For this reason I think there will be a much faster adoption curve among SMEs and consumers. A lot of the security pieces of the jigsaw are just not in place yet. I found that when I went through the controls catalog for the pattern I am building there were many cases where I could not assign controls, or places where it was obvious that another service provider would need to step in and address a basic need.

Because of these unfulfilled needs I suspect we will see a number of start-ups in this space, who essentially provide Security as a Service for complex webs of providers and give organizations a way of managing the risks. It will not be enough to simply get a SAS 70 or equivalent certification and consider the job done in anything other than the most simple situations. Relatively simple tasks like Identity Management become very interesting when you have a large number of cloud services interacting to fulfill a business process. How do you broker identity among providers and ensure that access rights are managed effectively? This and many other areas have yet to be resolved.

More thoughts as the pattern develops.

New icons

Started a thread on the bulletin board for an updated icon set for the 09_02 release (you can find the current set under the Library | Icon Library menu). I've built some new icons that you can view and comment on here. We've added some devices like USB memory stick and optical drive, and process options like awareness.

If you're using the icons let us know, and tell us what extras you'd like to see.

Metadata for images

I noticed from the site stats that a lot of our visitors are reaching us via Google Images, often for the SVG icon library that we have built from the Tango project base images. It's good to know that people are finding these useful, I certainly appreciate the combination of icons and Inkscape as a useful replacement for Visio!

However, when I dug around on Google Images myself I realised that the metadata on most of our images is pretty poor, which makes them hard to search for and find unless you know exactly what you are looking for.

Therefore I have cleaned up the image descriptions (title and alt attributes), which should result in smoother searching. I'll go through the rest of the site in the coming weeks as well.

For the 09_02 release we will probably look to update the icon library with some new images. Let us know via the forum if there are icons you want to see.

SOA Security Risks

There are several technology trends that push the development and adoption of distributed systems. Probably most discussed are "Service Oriented Architecture (SOA)" and "Software as a Service (SaaS)".

SOA is often advertised as a great means to standardize business processes within a corporation. The business processes are therefore divided into (reusable) sub-processes which are eventually implemented digitally as "IT Services". The promoters of this method believe that SOA is a good way to replace old, monolithic legacy IT systems.

One of the unique new characteristics of SOA (when compared to other distributed computing paradigms such as RMI, CORBA, RPC, ...) is that SOA services can be dynamically located. The opponents of SOA, however, consider this dynamic binding the death of current best testing practices: you basically abandon system integration testing, since the "integration", i.e. the calling context, is not known before deployment time.

Another point of criticism is that (due to limited resources and skills) most implementations do not have information on pre- and post-conditions for service calls. As a consequence, if you really wanted reliability and security, every called service would need to make enough checks to establish the trust level that it needs in the current calling context. Of course this is not feasible, first because of limited development resources and later because of limited computing resources.

Compare this to your SAP system or old RACF protected mainframe system where the trust boundaries are at least clear and you can take appropriate actions because the trust assumptions are static.

The author believes that the dynamic binding and the absence of any notion of trust boundaries in the SOA concept will eventually reduce the security of SOA-based systems (because most system developments take a short cut and skip the tedious trust establishment).
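To make the two criticisms above concrete (services called from an unknown context, and services without declared pre- and post-conditions), here is an added example, not code from the post or from OSA: a called service that states its own trust boundary as a set of accepted caller zones, verifies a MACed caller token against it, and checks a declared precondition and postcondition on every call. The shared secret, zone names and account data are constructed for the example.

```python
import hashlib
import hmac
# Added example, not code from the post: the callee declares its own trust
# boundary (accepted caller zones) and its pre/post-conditions instead of
# relying on the deployment-time calling context. All data is constructed.
SECRET = b"constructed-shared-secret"   # assumed shared with the zone's token issuer
BALANCES = {"1001": 500}                 # constructed account state

class ContractViolation(Exception): pass
class TrustBoundaryViolation(Exception): pass

def issue_caller_token(zone: str) -> str:
    """Token naming the caller's trust zone, MACed so the callee can verify it."""
    mac = hmac.new(SECRET, zone.encode(), hashlib.sha256).hexdigest()
    return f"{zone}:{mac}"

def verify_caller_zone(token: str) -> str:
    zone, _, mac = token.partition(":")
    expected = hmac.new(SECRET, zone.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise TrustBoundaryViolation("caller token MAC invalid")
    return zone

def service(accepted_zones, pre, post):
    # Decorator: boundary, precondition and postcondition are checked per call.
    def wrap(fn):
        def guarded(caller_token, *args):
            zone = verify_caller_zone(caller_token)
            if zone not in accepted_zones:
                raise TrustBoundaryViolation(f"zone {zone!r} outside trust boundary")
            if not pre(*args):
                raise ContractViolation("precondition failed")
            result = fn(*args)
            if not post(result, *args):
                raise ContractViolation("postcondition failed")
            return result
        return guarded
    return wrap

@service(accepted_zones={"internal-erp"},
         pre=lambda account, amount: amount > 0 and account in BALANCES,
         post=lambda new_balance, account, amount: new_balance >= 0)
def debit(account: str, amount: int) -> int:
    return BALANCES[account] - amount   # constructed sub-process: no overdraft allowed

def call_outcome(token: str, account: str, amount: int):
    try:
        return ("ok", debit(token, account, amount))
    except (TrustBoundaryViolation, ContractViolation) as e:
        return (type(e).__name__, str(e))
```

A caller from an undeclared zone, a forged token, or a call that would overdraw the account is rejected by the callee itself, whatever context it was deployed into.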

Don't believe me? Ask your system architect where the trust boundaries are for the new SOA services that she is developing.

What is your take? Register and reply.