Innovative Marriage of Security and Performance in SOA Based Dynamic Enterprises
30
1 Innovative Marriage of Security and Performance in SOA Based Dynamic Enterprises Presented by: Dr. Mehmet Yildiz IBM Certified Executive IT Architect [email protected]S O L E A Service-Oriented Locally adapted Enterprise Architecture Proposed Abstract: “All enterprise systems have two key concerns: security and performance. All CIO / CTOs have these two in their daily agenda through the life cycle of their mission critical business systems. These two aspects hardly go along well unless specialised design considerations, innovative techniques and methodical practices are applied. Finding the right balance for security and performance marriage is a significant challenge for dynamic enterprises especially when the Service Oriented Architecture (SOA) is the key enabler of it. This paper aims at identifying key security and performance factors for SOA projects in dynamic enterprises and how they can be efficiently architected for desired business outcomes. In this paper, the experience based claims are substantiated with industry based literature review and a sample case study from the field.” Sponsors: -Helsinki University of Technology -University of Kuopio Abridged version
Innovative Marriage of Security and Performance in SOA Based Dynamic Enterprises
This presentation is about performance and security aspect of SOA (Service Oriented Architecture) in developing an end to end EA (Enterprise Architecture) for large organisations.
Citation preview
1. SOLEA Service-Oriented Locally adapted Enterprise
Architecture Innovative Marriage of Security and Performance in SOA
Based Dynamic Enterprises Sponsors: Presented by: -Helsinki
University of Technology Dr. Mehmet Yildiz -University of Kuopio
IBM Certified Executive IT Architect [email protected] Abridged
version Proposed Abstract: All enterprise systems have two key
concerns: security and performance. All CIO / CTOs have these two
in their daily agenda through the life cycle of their mission
critical business systems. These two aspects hardly go along well
unless specialised design considerations, innovative techniques and
methodical practices are applied. Finding the right balance for
security and performance marriage is a significant challenge for
dynamic enterprises especially when the Service Oriented
Architecture (SOA) is the key enabler of it. This paper aims at
identifying key security and performance factors for SOA projects
in dynamic enterprises and how they can be efficiently architected
for desired business outcomes. In this paper, the experience based
claims are substantiated with industry based literature review and
a sample case study from the field. 1
2. SOLEA Agenda -Introduction -Theme 1: EA and SOA in Dynamic
Enterprise -Theme 2: SOA Performance Research -Theme 3: SOA
Security Focus SOA Reference Architecture QoS -Conclusion Layer 7
Perf/Sec 2
3. SOLEA Introduction and Methodology Purpose Share experience
SOA and EA are important Data collection, analysis and validation
of results Lessons learnt out of over 50 projects Interaction
(surveys and interviews) with over 100 architects Industry
literature Academic research papers Invention disclosures
Experience from 3 full cycle SOA and 10 EA engagements Leader of
Architecture Lessons Learnt CoP harvesting IP from field Validation
of findings with selected top 10 SOA practitioners from diverse
organisations and industries Still so much to learn! 3
4. SOLEA Theme 1: EA and SOA in Dynamic Enterprise S A O EA ESB
4
5. SOLEA Evaluation of Current Architecture Frameworks CS1 None
of the assessed frameworks fully meets the major criteria in the
Regensburg study. Hence use of combination of frameworks is
suggested. 5 Ref: Susanne Leist and Gregor Zellner University of
Regensburg, Institute of Information Management, Germany
6. SOLEA SOA Vendors for New Systematic Applications Gartners
Magic Quadrant for Application Infrastructure for New Systematic
SOA Application Projects There are many vendors investing on SOA
Application Projects. Leveraging their experience is important 6
Ref: Gartners Magic Quadrant for New Systematic Applications
7. SOLEA Key SOA Concepts a service? service orientation? A way
of integrating your A repeatable business business as linked
Composable services task e.g., check customer credit; open and the
outcomes that new account they bring Interoperable SOA SOA
Re-Usable Re- Loosely service oriented Coupled a composite
architecture (SOA)? application? An IT architectural style A set of
related & that supports integrated services that service
orientation support a business process built on an SOA 7
8. SOLEA Definition of Service and System - Technically Extract
from Webster Service A service is a program we interact with via
message exchanges System A system is a set of deployed services
cooperating in a given task Services Science An interdisciplinary
approach to the study, design, and implementation of services
systems complex systems in which specific arrangements of people
and technologies take actions that provide value for others. 8 Ref:
Webster Dictionary
9. SOLEA Service Integration Maturity Model (SIMM ) Typical SOA
Projects SOA Maturity Assessment Dynamically Composite Virtualized
Re-Configurable Silo Integrated Componentized Services Services
Services Services Componentized Processes Provided Mix & match
Outsourced Isolated Business Business Process Componentized
Business Provides & Consumed via business capabilities Business
services; BPM Line Driven Integration Business & Consumes
Composite Business via context-aware and BAM Services services
services SOA and IT Governance Ad hoc LOB IT Ad hoc Enterprise
Common SOA and IT Organization Emerging SOA Infrastructure
Implemented Strategy & IT Strategy & Governance Governance
Governance Governance using automated Governance Governance
processes Alignment Alignment Policies Service Structured Object
Component Service Service Grammar Oriented Methods Analysis &
Oriented Based Oriented Oriented Oriented Modeling for Design
Modeling Development Modeling Modeling Modeling infrastructure
Dynamic Applications Application Applications composed of
Virtualized Modules Objects Components Services Assembly; Composite
Services context-aware Services invocation Dynamically Re-
Architecture Monolithic Layered Component Emerging Grid Enabled SOA
Configurable Architecture Architecture Architecture SOA SOA
Architecture Enterprise Virtualized Application LOB or Enterprise
Information as a Business Data Semantic Data Information Canonical
Models Information Specific Specific Service Dictionary &
Vocabularies Services Repository Context-aware Common Project-based
SOA Infrastructure LOB Platform Platform Common SOA Event-based
Reusable SOA Environment; Specific Specific Environment Sense &
Infrastructure Environment Sense & Respond Respond 9
http://www.opengroup.org/projects/osimm/ 3 Level 1 Level 2 Level
Level 4 Level 5 Level 6 Level 7
10. SOLEA Why SOA An executive view The paradigm shift of using
services instead of APIs Composable means simplified interaction,
less communication, rs artne and reduced complexity le p ultip
Interoperable SOA SOA Re-Usable Re- to m SOA necti ng Loosely con
Resource Coupled Train* erfa c e e int Reuse Business es ingl ur gh
sec Application Agility Throu Integration Infrastructure
Flexibility Business Application Resources Standards-based approach
Infrastructure Processes speeds business process Architecture
automation SOI 10 *Concept created by Mehmet Yildiz, 2007, IBM
11. SOLEA A SOA Reference Architecture Sample CS1 Enterprise
Architecture Ref Architecture for Ref Architecture for a Service
Areas Ref Architecture for a Program Single Project 11Ref: IBM and
Open Group
12. SOLEA 7 Concerns at Layer 7 - QoS CS1 1.Increased
virtualization 2.Loose coupling Layer 7 3.Widespread use of XML
4.The composition of federated services 5.Heterogeneous computing
infrastructures 6.Decentralized SLAs 7.The need to aggregate IT QoS
metrics to produce business metrics 12Ref: IBM and Open Group SOA
Reference Architecture
13. SOLEA Security and Performance Relationship Performance
Belief: The harder the security the lower the performance in any
SOA project Security 13
14. SOLEA Security vs Performance in Dynamic Enterprises CS1
Balance of Dynamic Enterprise Dynamic SOA* Supports Dynamic
Applications Supports Dynamic Infrastructure Security Security
Performance Supports Dynamic Operations Availability and
Satisfaction Dynamic Dynamic Security Performance 14Concept
introduced by Mehmet Yildiz, 2007, IBM
15. SOLEA Theme 2: SOA Performance heterogeneous abstraction
infrastructures Performance federated open service standards
ecosystem Compliance Internal Governance distributed Open computing
protocols 15
16. SOLEA Major Source of Performance & Scalability Issues
CS1 Architecture 19% Development 56% Production 25% 16 Ref:
Optimizing Service-Level Performance, Jean-Pierre Garbani Forrester
Research
17. SOLEA [An Observed] SOA Perf/Sec Effort Indication* CS P-H
=Case Studies P-H S-H 1, 2, 3 S-H Operational Services Support
Integration S-M P-M =Complexity Indicators P-M S-M Extreme
Infrastructure P-M Build S-M High Application n Packaging esig P-M
P-L e &D S-M Code Data Migrationtur S-L tec l Ar chi Medium t
ua Ac d ne Plan Low 17Ref: SOA performance assessement research
results by Mehmet Yildiz, 2008, IBM
18. SOLEA Performance Complexity Indication CS1, 2, 3 Code
Application Operations / Infrastructure Production Services
Integration 18Ref: Concept and research results by Mehmet Yildiz,
2008, IBM
19. SOLEA Performance with FastSOA SS FastSOA is an
architecture and software coding practice that addresses 3 key
problems: 1 Solves the SOAP binding 1 Solves the SOAP binding 2.
Uses native XML 2. Uses native XML 3. Introduces a 3. Introduces a
(proxy) performance problem (proxy) performance problem persistence
to avoid persistence to avoid mid-tier service mid-tier service by
reducing the need for Java by reducing the need for Java
XML-to-relational cache to provide XML-to-relational cache to
provide objects and increasing the use objects and increasing the
use transformation transformation SOA service SOA service of native
XML environments to of native XML environments to provide SOAP
bindings. performance problems. performance problems. acceleration.
acceleration. provide SOAP bindings. 19 Ref:
http://www.ibm.com/developerworks/xml/library/x-accsoa/
20. SOLEA Benefits of SOA Appliances SS Hardened &
specialized Meet Higher levels of hardware for helping to security
assurance integrate, secure certifications (government Many
functions FIPS Level 3 HSM) and accelerate SOA integrated into a
single device Higher performance Simplified deployment with
hardware and acceleration ongoing management (more security checks
without slow downs) 20 Ref: Extracted from IBM Websphere Datapower
White Paper
21. SOLEA Simplification with SOA Appliances SS CS1 21 Ref:
Extracted from IBM Websphere Datapower White Paper
22. SOLEA Popular SOA Management Tools SS CS1 The complexity of
SOA environments and applications demands management tools from
inception to deployment to operations and beyond. Tools
(Alphabetically) Summary of Key Functions AmberPoint's A
policy-based run-time governance software suite, SOA performance in
production. Includes a run- time repository, service network
monitoring, SOA security, service-level monitoring. SOA Management
System: BMC Software's AppSight: Performs automated problem
resolution in SOA implementations to alleviate and eliminate
application problems. CA's Wily SOA Solution: Monitors the
performance and availability of Web services, application
performance on client machines and other components in the SOA
environment. HP's SOA Manager: The software can define and maintain
a dynamic model of services, including software assets and virtual
servers; and manage application and Web services performance within
that SOA model. IBM's Tivoli Composite Application Monitors,
manages and controls the Web-services layer of IT architectures,
and identifies the source of bottlenecks or failures. Manager
(ITCAM) for SOA: iTKO's LISA Enterprise SOA Focuses on the software
performs unit, regression, functional and load testing, as well as
post deployment monitoring tasks. Testing platform: Mindreef's
SOAPscope Server: Enables task-oriented collaboration regardless of
role, skill set or development environment -- which makes it
possible to find quickly and address any performance problems that
arise, the company says. OpTier's CoreFirst Monitors the
performance of services, components and transactions. Progress
Software's Actional for Uses agent technology that watches messages
entering and exiting XML appliances and application servers to
build a map of what happens in an SOA infrastructure. Helps with
performance alerting, SOA Operations dependency analysis, problem
detection and resolution. Tidal Software's Intersperse Enables the
proactive detection of problems, problem localization and
root-cause analysis.
http://www.javaworld.com/javaworld/jw-10-2007/jw-10-soa-management-tools.html?page=11
22
23. SOLEA Theme 3: SOA Security heterogeneous abstraction
infrastructures federated open service standards ecosystem
Compliance internal Governance Security distributed Open computing
protocols 23
24. SOLEA Typical Security Architecture for an Enterprise CS1
Externally Highly Controlled Secure Zone External Business Zone
External Internal Zone Uncontrolled Demilitarized Zone Special
Domain 24
25. SOLEA Typical SOA Security Architecture CS1 25 Ref: IBM SOA
Security Red Book, Dr. Paul Ashley et al
26. SOLEA SOA Security Reference Model by IBM CS1 26 Ref: IBM
SOA Security Red Book, Dr. Paul Ashley et al
27. SOLEA Top 10 Security Principles for Dynamic Enterprises
From National Institute of Standards and Technology Key Points
Descriptions CS1 Only grant access to what is required. 1. Least
Privilege Relying on more than one component or mechanism to be
secure, failure of a 2. Defense in Depth single security solution
may compromise the entire security. Forces attackers to use a
narrow channel of access where actions can be 3. Choke Point
monitored and controlled. Security is only as strong as the weakest
link. Smart attackers will seek the 4. Weakest Link weakest point
to attack. Systems should fail in such a way that it denies access
to an attacker rather than 5. Fail-Safe Stance grants access.
Everyone needs to be concerned with security. Failure from one
person or or area 6. Universal Participation can be dramatic! Do
not rely on only one (type of) system or application for security,
no matter how 7. Diversity of Defense strong or comprehensive it
may be. (e.g. one firewall). The more complex the security
environment, the riskier it is for security. 8. Simplicity To
minimize the amount of damage that can be done to an environment
(or 9. Compartmentalization system), break the environment up (or
system) into isolated units. Historically, insiders account for 65%
of all attacks. Protections should make little 10 Inside/outside
threats difference for an inside or outside attack.
http://csrc.nist.gov/publications/nistpubs/800-27/sp800-27.pdf 27
There are 33 important principles by NIST!
28. SOLEA Granular Security Assessment feeding SM CS1 Subsystem
Components and Elements for Each Subsystems and Functions Impact
Likelihood Credential Subsystem Insignificant Minor Moderate Major
Catastrophic Almost Certain Information Flow Control Subsystem
Likely Access Control Subsystem Moderate Security Audit Unlikely
Subsystem Integrity Rare Subsystem 28 Adapted from IBMs Systems
Engineering Method
29. SOLEA SOA Security Architectural Decisions Samples
Documenting and obtaining sign Decision 2: off for the
architectural decisions Provide authorization at every layer at the
very beginning of the SOA in the architecture Course grained
project is essential at the point of contact servers Increasing
more fine grained towards the back-end systems Decision 1: Use SAML
2.0 Browser Artifact Profile for Federated web single sign-on
Decision 4: Use only standards based interconnections Decision 3:
WS-Security Use point of contact servers in a DMZ environment for
all in-coming and out- WS-Trust going transactions. Use hardware
SAML appliances for dealing with web services messages WS-I Basic
Security Profile 29
30. SOLEA Conclusion Messages PERFORMANCE & SECURITY IS
(E2E) LONG TERM JOURNEY. Map PM to SM! A tight relationship for
desired results! Target is SIMM Level 7! Security and performance
EA is important SOA also helps EA to are like Ying & Yang,
hence for successful be more efficient for require balance all the
time SOA projects & an organisation provides a map Every
marriage require Every marriage require Performance &
Standards, policies, commitment. & lifetime commitment. &
lifetime security work MUST models, compliance, agility and
architecture support so does SOA marriage support so does SOA
marriage start from inception! of security & performance of
security & performance Any delay is a critical are very
important factors factor for SOA QoS Beware, SOA projects require
different Use of methodical and approach than traditional SOA
projects are systematic approach projects and may take full of
unknowns produce better results longer and may cost depending on
for SOA more; it is not number of necessarily easiest! services. 30
Ref: Extracted from M. Yildiz SOA Performance and Security Paper,
2008