IDN Expert Voices: Policing the Cloud

Cloud computing is changing how enterprises look at end-to-end IT operations. As cloud adoption soars, CIOs want to “police the cloud” to ensure business-critical manageability and governance.  IDN 'Expert Voices' speaks with Cathy Lippert, Director of Oracle SOA Governance, to learn how SOA Governance is being tuned for Cloud Governance, including security, policy compliance and even SLAs.

Tags: Cloud Governance, SOA, Expert Voices, Oracle, Cathy Lippert,

Surge in Cloud Adoption for IT Operations
Triggers Search for Cloud Governance Options

Transcript below>

Interview time: Approx 15 minutes

Interview Transcript

Vance McCarthy:   Good morning, this is Vance McCartney, Program Director for Integration Developer News again, with another NR series of expert voices, talking about trends and business critical enterprise architecture. And today I'm very pleased to be joined by Cathy Lippert, Director of Project Management for SOA Governance at Oracle Corporation. Cathy, welcome to Expert Voices.
Cathy Lippert   Thanks, it's great to be here Vance.
Vance McCarthy:   You know, Cathy, this idea of SOA and governance, it's really a critical time I think for SOA now as people begin to look at not just SOA but Cloud, and IT folks and business executives love the idea of lowering costs and more agile software, but they're concerned about losing control, or having to give up management or governance. What is Oracle hearing from customers about this trade-off, or this issue?
Cathy Lippert   Well, you know, not long ago we contacted our Customer Advisory board for SOA Governance, and we survey them on just these kinds of issues, and we found some incredible interest around this loss of control, this potential loss of visibility and management, especially for using the Cloud in a B to B context, and among partners. In fact, over 80 percent of the advisory board members surveyed cited four particular areas of primary concern. And the first one was maintaining the integrity of transactions in the Cloud. The second one, pretty much related to that, was meeting service levels. The third was managing security across organizational boundaries. And finally, they were also concerned about controlling access and utilization of the Cloud resources and making sure that the use of the Cloud was in line with their policies. Of course, these are all classic SOA Governance concerns, even in on-premises situations where you're managing services or applications for us within the enterprise. But now they're really coming front and center in the context of Cloud because there's really no way to do without, and there's so much more exposure to risk.
Vance McCarthy:   These concerns suggest that CIOs wish they could have a Cloud that would guarantee the kinds of Five-Nines that they get right now from On Premise.
Cathy Lippert   Yeah, the Five-Nines are really perennial. That's a great way of putting it. In fact, one of the patterns that seems to be emerging with our customers and their use of the Cloud is what we call a hybrid IT infrastructure, and this is one that combines the best of Cloud software and services with On Premise' applications. Enterprises may still want to manage many of their enterprise applications On Premises, as they've always done, but maybe take advantage of a particular application on the Cloud, maybe a CRM, Cebol, and naturally the CIOs expectations around security, access, service level are pretty similar across it all, but it's all the more challenging in a public hosted environment because of the potential loss of direct control, the increase coordination across enterprise boundaries, and exposure to some additional risks.
Vance McCarthy:   So Cathy, to help the IT folks that are listening in to this panel, these distinctions between what's the same and what's different, let's drill down into that a bit. You mentioned, for example, this end-to-end integrity from On Premise, the Cloud, to even the partners on Premise system. Can you discuss how Oracle's vision of that transfers to meet Cloud's security concerns?
Cathy Lippert   Absolutely. From a Cloud service provider prospective, or even if you're running your own private Cloud, you need to provide some guarantees to clients that you can secure their use of services and manage service levels, and this means that you need to handle requests from the moment they hit your perimeter back through the middleware and down to the data access. In the case of shared services architecture, it's a bit like peeling an onion where you need to preserve security and the integrity of the transaction at every level, and with solutions like Oracle's, the security and integrity of that request and response can be preserved the entire route down to accessing the data. So here you see depicted the first line of defense, which is where we place a gateway, then the virtualization layer with security policy enforced on the service bus for example, and finally, the last mile, security policy enforced on the service endpoints themselves. We use these strategies in combination to get the level of security the CIO expects.
Vance McCarthy:   You know, this is a picture you're painting here that makes this sort of B to B traffic, even highly Five-Nine traffic across the Cloud a little less scary. This first line of defense that you talk about, give us a sense of the technology and methodology at work there.
Cathy Lippert   Happy to. Well, you first have the request from the internet hitting your perimeter at the edge of the so-called demilitarize zone, or DMZ, where your firewall is managing the traffic coming in. One of the things you first have to handle are the pernicious attacks by hackers and other parties who want to defeat your security, and we put the XML gateway there partly to protect you against the kinds of insidious threats like those listed here. XML ConTank, Cryptographic and communications related attacks
Vance McCarthy:   And going back to your premise, just to interrupt you for a second, this is where I can leverage the SOA and governance technologies and standards that I pretty much well know as an IT architect, is that correct?
Cathy Lippert   Yeah, absolutely, especially for SOA security. This is a pretty well known territory. It's not trivial, but we now know how to protect against all sorts of attempt to disrupt the business, and one of the approaches is content based analysis of the traffic coming in. Checking the XML, scanning messages and files for sensitive content, and other measures that often take a specialized process to preserve good performance. It's back to that CIO expectation. Let me secure myself around the Cloud, just like I do in-house, and do it, thank you, without a performance degradation.
Vance McCarthy:   ou know, I'm feeling a little less frightened right now. Just go to the next step and take me outside the firewall, between the client and the Cloud, which is, I think for many IT folks, the scary part.
Cathy Lippert   Another part of the job of the gateway is to coordinate access where you need to get alignment between the legitimate requests and the Cloud services. For example, the coordination of authentication between On Premise systems and the software in the Cloud can be handled really pretty transparently by the gateways in place. Here you can see how requests to the Cloud can be submitted in a secure fashion using the keys and credentials that the Cloud provider is expecting. The gateways really can handle it themselves, even signing the request if that's what's called for. And just a bit more, if you've been working with Cloud providers, you may have noticed that they handle access to resources a bit differently from each other, and that's just another reason why you want to look at gateways that can handle the differences and make it easier to connect to the various resources out there in the Cloud. Once you deal with the requests coming in, and you can handle authentication, the transformations, and the message security, you really have to think about who's making the requests and what they're permitted to do with your services. For this reason, Oracle offers Identity Management. They support a wide range of user access and provisioning practices. In addition, it's responsible for assigning user identity and roles that the software will recognize no matter how many hops or requests and we call this ability to maintain the user identity through all those tiers identity propagation. Identity management is also what you use to define and enforce entitlements for each role. That's about who's allowed to get a request processed by the Cloud software and under what circumstances.
Vance McCarthy:   You know, I think our IT architects and governance folks eyes are lighting up about right now hearing that you're taking such a grander look at security and roles and identity, especially into the Cloud. SO let me just ask you, do you see that you can make these security rights granular, not just to roles, but to the type of traffic, and do these apply across the whole B to B partner site?
Cathy Lippert  

Well, the answer is you can make them quite finely grained. Perhaps a particular client only gets access to the Cloud resource at certain times of day, or the transaction requested by a particular user only gets processed if it's under a particular size, and these are the kinds of circumstantial factors that you can manipulate through fine grained entitlement policies. When we apply policy in the Cloud, we can support security, entitlements, and service levels under a unified policy model with the same core technologies that you might use to govern your own software on Premise. You can specify and enforce all kinds of runtime behavior externally to your software applications using the policy information itself instead of coding it into your application.

Vance McCarthy:   And service levels, I think I heard something that's very important [inaudible] that's out there, especially for talking to the public Cloud. Can you talk a little bit about the applicability to all this identity and governance to service levels?
Cathy Lippert  

Sure. We already mentioned throttling controlled by a policy. In addition, Oracle SOA management helps you meet service levels according to the category of client that you have, whether it be a platinum customer where the contract spells out those Five-Nines with penalties, or whether you have customers of a somewhat lesser status. You can manage your service levels accordingly. Oracle software can also trace an individual transaction virtually anywhere in the technology infrastructure, so if there's a glitch in your environment, you can really pinpoint the clients and the exact business transactions that the problem impacted. The point there is that you can know what the business impact is, not just the technical impact, and these tools give Cloud providers and private Cloud operators a more efficient way to anticipate and resolve application performance problems before they cause a violation of a contract.


Vance McCarthy:   That's just so powerful to make the point that these Oracle suite of technologies are helping the IT folks correlate all these discrete pieces of information into some sort of business level visibility. Really powerful Cathy. Just one more question before you go. Is there a way the Oracle SOA governance solution for the Cloud can let me handle very complicated compliance requirements?
Cathy Lippert  

Well Vance, as you know, perhaps the thorniest problem is regulatory compliance in the Cloud, because one way or another, you have to manage according to modern financial regulations and industry specific laws such as HIPAA for the health care industry. This is all mainly about who can touch your private data and tracking what they have actually done with it. IT's a bit easier in the private Cloud to just extend your existing safeguards. The extra challenge comes when there's another party in the mix, the Cloud provider, and the software is likely to be shared, but the data can't be. So as a consumer of Cloud services you need to put additional requirements into the contracts that you sign with your providers and insist on traceability. Fortunately, there are Oracle strategies to help providers lock down the data that they're responsible for, and I might mention that Oracle itself has to use these strategies when we offer hosted applications like Cebol/CRM on-demand. So we don't just build products of the Cloud, we actually have to use them too.

Vance McCarthy:   You know, speaking of use, Cathy, just to wrap all this together, I see you brought a slide with you that describes how a customer is using all these capabilities to implement SOA based governance for their Cloud based operations. Maybe you could take us through the examples of what customers are doing to pull all these together to a solution.
Cathy Lippert  

Actually the customer is Farmers Insurance. Farmers Insurance has really drawn strong parallels between what it takes to manage a portfolio of shared services in the ordinary SOA environment and what it takes to manage their software in the Cloud. And these people are really living it and making it work, and their observations are really interesting because of course there are technical challenges in the Cloud around multi-tendency and self-service and such that kind of go beyond the idea of policing the Cloud, but we're really struck by Farmer's observation that the control and risk management issues, the stuff around governance, the challenges are so similar between shared services and Cloud. Really on-demand provisioning is probably the one big difference in the governance requirements. So if today you're successfully governing shared services for multiple consumers and stakeholders, you're already pretty well positioned on the learning curve for Cloud. Policing the Cloud has its special challenges as we just noted, but the solutions draw from how we're governing our SOA initiatives already using service level management, security policies, identity management and gateways and repositories and the like. And so governance tools like Oracles are widely applicable in this context. At the end of the day, it's all about building the same confidence in the Cloud that you have in your enterprise system.


Vance McCarthy:   You know, that's a great way to put it, building the same confidence or using the same confidence that you have on your own Premise enterprise SOA journey, and applying that to the Cloud. For folks that want to get a better sense of how they can leverage what they know, and also get a sense of maybe what they don't know enough about when it comes to the Cloud, where can folks go?
Cathy Lippert  

Well, I'd start by signing up for the Social Media from Oracle, because you'll get all the news about what's coming out and some of the support and enablement in addition to the technology news, but there's definitely SOA governance product information on and some of the links listed here, and you can even try some of our SOA products in the Cloud if you like. There's a pointer there as well.

Vance McCarthy:   Great resources, great conversation. Cathy Lippert, Director of Project Management for SOA Governance at Oracle Corporation. Really terrific conversation about how folks can take what they already know about On Premise governance and policy compliance and apply it to the Wild West of the Cloud. Thanks very much.
Cathy Lippert  

Thanks Vance, it was great.