SOA Security (Part 2)

October 1, 2007

Yesterday I was taking apart office furniture, preparing for my move to Asia, and a heavy wooden board slipped off the top shelf of my tall bookcase, hitting me in the head about an inch above my eyebrow. Ouch!

This sounds like a good time to pause and talk about SOA security, which can be quite a headache as well.

Before we get into the technical details, let’s fly up and take a 30,000-foot view of SOA security and tell a few “war stories.”

First of all, as mentioned in Part 1, most of the technologies associated with building a loosely coupled, federated, modular service-based distributed computing environment have little or no built-in security functionality. Furthermore, since they were designed, for the most part, to piggyback on plain ole’ web transactions, the firewalls (gates) are open.

In fact, as most will recall, SOA, web-services style, was motivated by the success of the web and the desire to expose functionality as a web service so folks would not have to do screen scrapes and other odd mashups. The grand vision was that organizations would expose their web APIs as services, place the descriptions in an electronic yellow-pages directory service (registries), and web application developers would find them and (hopefully) (re)use them. Nice idea, but it really did not go as far as folks envisioned.

So, what happened?

Well, folks started to view SOA as an internal integration platform and shifted the SOA focus to intranetwork integration versus the original lofty promise of cross-organizational Internet integration. In other words, since SOA was a bit too ambitious for the difficult cross-trust relationships between different companies, the implementation model shifted to using SOA technologies within an organization where the trust models are, in theory, less complex.

At the same time software companies found a great opportunity to sell security software for SOA (and make money) so the market has been buzzing, for quite some time now, with SOA security tools and technologies. The result for SOA has been simple and expected:

  • Lots of hype, positioning and promises by vendors; and,
  • Very slow adoption due to security concerns by businesses.

In my next post, SOA Security (Part 3), I’ll write about my experience as the lead architect for the world’s largest fully meshed virtual private network (VPN), built (unclassified, don’t worry, I will not give away any secrets!) for the USAF. There are valuable lessons to be learned from this experience, a project from 8 years ago, when looking at enterprise SOA security.


CEP and Rules Reloaded

August 28, 2007

Wait a few moments for the file to download and see what Neo-Architects have to say about CEP…

The Matrix

I know you’re out there. I can feel you now. I know that you’re afraid… you’re afraid of CEP. You’re afraid of change. I don’t know the future. I didn’t come here to tell you how this is going to end. I came here to tell you how it’s going to begin. I’m going to write this blog, and then I’m going to show these people what you don’t want them to see. I’m going to show them a world without you. A world without rules and controls, without borders or boundaries. A world where anything is possible. Where we go from there is a choice I leave to you.

BAM to SOA – Da’ Buzzhype Revisited

June 28, 2007

Many readers have read the hype, experienced the Orwellian marketspeak, watched the positioning debates, and seen poorly managed software companies play the game of analyst-chasing (similar to ambulance chasing when you think about it). Finally, the up-to-date definitions, and hopefully a bit of wit and humor:

BAM (Business Activity Monitoring) – software that gives you real-time visibility into your business. Be careful! Remember that airline flight a number of years ago where the pilot and co-pilot were so fixated on a broken altimeter that they forgot to look out the cockpit window and ran the plane into the ground? Don’t let that happen to your business, OK? Folks get so focused on IT and analyst-chasing they forget to run the business. Be honest, how much time do you waste on the net? Just call it BAM! Hey boss, I’m BAMing right now, I’ll fix it later!

BI (Business Intelligence) – software that gives you historical visibility into your business. Why is looking at historical data referred to as “intelligence” but monitoring real-time operational data is “activity monitoring”? Seems it would be more “intelligent” to monitor real-time data! Anyway, take two and call me in the morning if you still are confused.

BPM (Business Process Management) – software that manages business processes, normally dumbed down to mean some sort of rules-based workflow engine. BPM must be SOA based since software companies must sell more of the same old software (SOS) to meet their quarterly revenue targets. BPM must be EDA based, and CEP based, and have a BRE and work with a BRMS…. well you get the idea. Go out and buy one!

CEP (Complex Event Processing) – software that provides actionable intelligence from the nebulous “data cloud”, conceptually too complex for mere mortals to understand. Marketeers are working hard to eliminate the word “complex” because they think no one buys anything “complex”. Folks attempted to dumb it down to Event Stream Processing to process time-series data and then said, “there is no spoon, it is your mind that bends!”

EDA (Event Driven Architecture) – the same as an SOA when SOA is “Da’ Big Market Hype” and different than SOA when trying to compete against other SOA vendors. When you are flying at 20,000 feet, all the houses look the same, so who cares; anyway, snowbears and snow are the same thing at 5,000 feet. My lawn looks great from 2,000 feet. Some people say I’m a handsome fellow from 50 feet away. Well, you get the idea 🙂

ESB (Enterprise Service Bus) – software that manages data sharing between heterogeneous applications, but not in a way that actually works unless you buy MY ESB! Interoperability means less information technology revenue, so software companies driven by quarterly revenue announcements must make sure that their ESB is better than your ESB! Interoperability decreases middleware sales revenue! We can’t have that now, can we?

ESP (Event Stream Processing) – the same as CEP if you want it to be. Never mind that stream processing is different than cloud processing and that time-series data processing is different than rules processing. Never mind that backward chaining is different than forward chaining. Never mind that measuring rainfall amounts is different than weather forecasting. Never mind that rule-based processing is only a small segment of the event processing market. It’s all the same if you want it to be!

SOA (Same Old Architecture) – software that manages data sharing between heterogeneous applications, but not in a way that actually works unless you buy MY SOA! Originally envisioned for web-based cross-organizational distributed computing, but that was too hard, so SOA became a religion, where you had to have one and spend millions to build one even though your business worked fine before! Iron plumbing not in style? Let’s rip it out and change it to copper. SOA is another type of task fixation, where software companies without leadership get caught up in analyst-chasing and run the business into the ground!

Got a favorite buzzword that the analysts are hyping? Feel free to comment. Free your mind. Remember, it is not the spoon that bends, it’s your mind! But the unanswered question is, “Who is bending your mind?”

Copyright © 2007 by Tim Bass, All Rights Reserved.