> Archive > Issue LV: October 2011 > Thunder Clouds: Managing SOA-Cloud Risk - Part I


Thunder Clouds: Managing SOA-Cloud Risk - Part I

Published: October 12, 2011 • Service Technology Magazine Issue LV PDF

Abstract: This is the first article in a two-part article that discusses how we can manage risk while leveraging emerging cloud technologies using service-oriented architecture (SOA).

Figure 1 – Thunder Clouds, Florida
Wikimedia Commons
The fog comes
on little cat feet.
It sits looking
over harbor and city
on silent haunches
and then moves on.

Carl Sandburg, 1916


Clouds in nature are both the wonder and the sorrow of humanity. White puffs drift across blue skies and streaks of neon and gold at dusk are a sight of beauty and awe. But the days pass and we see the violence of tornadoes, blizzards, and hurricanes. And even fog as gentle as cat feet can send trucks off cliffs and ships into rocks.

Commercial clouds provide leanness and savings, extend service-oriented principles, and represent a shift in how we practice information technology (IT). But SOA-clouds (SOA-C) can also expose us to loss. The purpose of this article is to explore why clouds are inevitable, where they can fail, and how we can mitigate risk. We'll discuss the following:

  • Clearing the Mists: Definitions, Drivers, and SOA
  • Thunder Clouds: Challenges and Solutions
  • Cloud Contracts: Trust and Consideration
  • Conclusion: Blue Skies

Clearing the Mists: Definitions, Drivers, and SOA

Information technology clouds are a figure of speech. Fog with cat feet conjures an image in the same way that IT clouds conjure an image. We have a vague idea that our wattage comes from reactors, water, wind, or diesel and have no control over the grid that transmits that power. The power company cares only that we pay for that current and we care only that it's reliable and cheap. Services that were once tangible are now virtualized in the same way that electricity is a service. This metaphor speaks both to the goal of hiding the operating of services from those who consume those services as well as to the haze and hype that surround clouds. The internet delivers cloud services using virtual machines that abstract its delivery from the hardware.

The deployment of enterprise computing has changed only glacially since the days of the IBM System/360 when children were watching pre-industrial and futuristic cartoons on their rabbit ear television set.

Figure 2 – Bedrock [REF-1]
Wikimedia Commons

Figure 3 – Orbit City [REF-2]
Wikimedia Commons
Pre-Cloud Deployment Model
Cloud Deployment Model

Figure 4 – Bedrock

Figure 5 – Orbit City

In Figure 4, Bedrock's data centers have concentrations of hardware with rising fixed costs but little elasticity in response to changing market conditions. Human resources consist of mole farms of on-site staff. In Figure 5, Orbit City's data centers share infrastructure, storage, and development just-in-time resources through clouds as represented by the ovals. Personnel are largely offsite, contingent, and global. The principle of parsimony is that entities shouldn't be multiplied save out of necessity. Orbit City is a triumph of that principle where Occam's Razor has slashed redundant entities to produce bottom-line savings, as this chart suggests [REF-3]:

Strategic Goals Functions Bedrock Orbit City
Increase speed and flexibility Test Provisioning Weeks Minutes
  Change Management Months Hours
  Release Management Weeks Minutes
  Service Access Administered Self-service
  Standardization Complex Reuse/Share
  Metering/Billing Fixed Cost Variable Cost
Reducing Costs Server/Storage Utilization 10-20 Percent 70-90 Percent
  Payback Period Years Months

Table 1

Orbit City puts the savings that clouds realize into marketing, talent, mergers, expansion, and rewarding shareholders.


The National Institute of Standards and Technology (NIST) defines clouds as a model for enabling convenient, on-demand network access to a shared pool of configurable resources, such as networks, servers, storage, applications, and other services, that can be rapidly provisioned with minimal management effort or service provider interaction [REF-4]. There is a notion that we somehow deploy resources from the ether. Just as we could theoretically realize SOA using smoke signals, so too we could realize clouds using a wheel barrow. As the NIST definition implies, it isn't the internet that defines clouds but the sharing of resources. The vision of clouds is to shift commodities into services. It's a utility service, similar to the Plain Old Telephone Service where telephone lines and switching networks are rendered as a pay-as-you-go service. Clouds are available to multiple tenants who enjoy peaceful co-existence with each other with no adverse interference from systems or enterprises that use the same interfaces.

Clouds also overlap other definitions. Grid computing is a form of distributed computing using platform virtualization. On-demand computing is computing that is service-based, such as cloud computing and utility computing. Utility computing aggregates computer resources for supply on a metered basis, like electricity, or on a time basis, like a newspaper subscription.

The intercloud is a theoretical construct of all public clouds. Like cloud federation and the semantic cloud, it provides interoperability through virtualization that is application programming interface (API) and platform neutral. Semantic clouds relate more to meaning than to execution. It accommodates unstructured data, facilitates metadata and data transport, and supports joins and other operations across networks.

Types of clouds include public, private, and hybrid clouds.

Public Clouds

Public clouds are available to the general public or a large industry group. It's owned by an organization selling cloud services. Public clouds are for processes that are easily standardized and have a lower security risk. A community cloud is a shared public cloud that is exclusive to several organizations and supports a specific community that has shared concerns, such as mission, security requirements, policy, and compliance considerations.

Private Clouds

Private clouds are operated solely for an organization and are usually implemented on client premises. Third-party vendors manage private clouds. An enterprise will leverage off public clouds to justify its private clouds. Because firms expect private clouds to export the same APIs as public clouds, they tend to build hybrid rather than private clouds.

Hybrid Clouds

A hybrid cloud has private, community, or public clouds that remain unique entities but are bound together by technology that enables data and application portability, such as cloud bursting for load-balancing. Cloud bursting offloads additional work to a cloud on an on-demand basis after we have exhausted non-cloud resources.

Testing-as-a-Service, Security-as-a-Service, Governance-as-a-Service, and Change Management-as-a-Service are all cloud components that can reduce the staffing, hardware, and software footprint of an enterprise. But the most typical cloud components are Software-as-a-Service, Platforms-as-a-Service, and Infrastructure-as-a-Service.


Software-as-a-Service (SaaS) is a deployment model where a company licenses or makes available an application to customers. Office productivity tools, social media, e-mail notification, business process management, information sharing wikis, and enterprise resource planning suites are examples of SaaS. Users typically access the software and associated data using a thin client web browser.


Infrastructure-as-a-Service (IaaS) is the delivery of storage, hardware, servers, facilities, telecommunications, and networking components to support IT operations. IaaS cloud services include elastic computing, simple storage services, metering and billing, elastic load balancing, and automatic scaling.


Platform-as-a-Service (PaaS) is the delivery of a computing stack, including application development, interface development, database development, storage, security services, directory services, and testing. PaaS providers offer API application and development and hosting services. PaaS is an extension of IaaS. It provides another layer of abstraction on top of the computing backbone to allow us to regulate and execute the systems that sit on that frame.

Figure 6 – Enterprise Firewalls Separate Private/Hybrid and Public Clouds

Figure 6 depicts the PaaS, SaaS, and IaaS components of clouds that can support most enterprises. Clouds consist of virtualized services, resources, and technologies. Virtualization services manage the control of resource utilization and dynamic provisioning.

Virtualization technologies include hypervisors, parallelization, partitioning, emulators, virtual ethernets, virtual input/output adapters, Internet Small Computer System Interfaces (iSCSI), virtual local area networks (VLAN), Redundant Array of Independent Disks (RAID), and vendor specific technologies

Cloud Business and Technology Drivers

The drivers for clouds are the same drivers that that sends IT talent onshore and into our best universities and corporations and software development offshore. Capital is in a global search for efficiencies and capitalism's invisible hand exposes those efficiencies. Anyone who nurtures a backyard garden knows that the real cost of that head of lettuce isn't the $1.48 that we would pay in a grocery store. It's more like $148 per head when we consider the true costs. That cost come from a lack of scale, a lack of skills, and a lack of standard operating procedures. Under the cloud paradigm, providers absorb those sunk costs and shares the risks with its consumers. To use the garden analogy, the cloud provider supplies the land, tools, seed, and skills to allow sufficient production to get the price of the lettuce under the cost of the rent of all services.

We can underestimate the scale needed to achieve profitability. The United States Homestead Act of 1862 attracted immigrants from Europe with the lure of 160 acres. But most came to see that patch of land would make dire living a fact of existence. Only about forty percent of homesteading pioneers gained title. A century and a half later, satellite-guided combines harvest grain on farms that are tens of thousands of acres. Megastores, megamalls, planned communities, and the rise of the European Union have emerged to deliver cost-driven efficiencies. Such a model doesn't ensure profit, but it does reduce overhead to create earnings, growth, and the ability to raise prices without losing customers.

Patterns of technology decades in the making are driving cloud adoption. Resource sharing isn't new with time sharing computers that date back to the early 1970s. The use of data warehousing brought distributed computing and the grid. Increasing network speed and bandwidth with falling prices of chips allowed us to consider computing as a single computational and storage device. These breakthroughs allowed enterprises to realize strategic goals of reducing energy costs, increasing efficiency, and enhancing business agility. The cloud model also flattens the project development bell curve, where effort is expended disproportionately throughout the project lifecycle while the cost of effort remains constant.

Clouds are the result of the cost of digital communication falling to close to zero and the demand for digital storage climbing close to infinity. Computing power doubles every 18 months under Moore's law, driving down the cost of a transistor from about ten dollars in 1965 to less than one millionth of a dollar at present. The amount of data stored doubles each year and grows exponentially under the Law of Mass Digital Storage. From 1990, hard disk drive capacity for personal computers accelerated at a compounded rate of 65 percent each year. The value of a telecommunications network is proportional to the square of the number of connected users of the system under Metcalf's Law. The number of network users is about 1.5 billion and rising. On average, 70 percent of an IT budget is spent on maintaining its current infrastructure rather than adding new capabilities. Data centers are underutilized about 85 percent of the time. The United States federal government's data centers have over 150,000 servers and had an average utilization rate for those servers from five to fifteen percent. It spends over $75 billion annually on IT and is now making an effort to embrace clouds, as are the governments of many other modern nations [REF-5].

SOA and Clouds

SOA is a design pattern that advocate loose coupling to compose business objects. It's a model that doesn't restrict who is the consumer. SaaS and similar cloud components is a consumption model. Technical components of a SOA may include multi-tier distribution and XML messaging and web services. Web oriented architecture (WOA) exposes SOA services over internet using HTTP/S as the protocol for transport and Representation State Transfer (REST) and web services for invocation and messaging. We can deploy SaaS into the cloud and implement it using web services. Cloud clients are then exposed through a browser for metered consumption or can be consumed by non-web client by application programming interface (API) binding.

The focus of SOA is on application reuse tied to business processes. The focus of clouds is on the on-demand, dynamic use of physical resources. The SOA-cloud (SOA-C) symbiosis features optimum orchestration of services combined with optimum elastiticity of resources, such as processing power, storage, and number of instances. A well-designed SOA must not be limited in resources. SOA-C is the best way to house those resources. Given the pressure on operating budgets, IT leadership teams will look with increasing favor on marrying SOA and clouds.

SOA enables present-day cloud computing. Cloud computing is an extension of SOA. The SOA framework integrates into the cloud framework. Cloud computing in nowise replaces SOA. They both complement each other and we can pursue SOA and clouds independently or concurrently. Although SOA and clouds can be autonomous, the best practice is to consider clouds as a subset of SOA, as SOA middleware can help in modeling, managing, and monitoring of cloud as well as web services. For clouds and like SOA, the physical infrastructure must be discoverable and decoupled.

We should determine what services should reside in clouds and what cloud services we can abstract in SOA. With clouds, the cost of reuse shifts to providers. Once a sufficent number of legacy-wrapped components exist, the can be reassembled to solve other problems. The overlap between cloud computing and SOA is application layer components and services, network dependency, wide area network (WAN) services invocation, leveraging and reusing IT assets, and the producer/consumer model.

Figure 7 – SOA/Cloud Convergence

Figure 7 depicts the PaaS, SaaS, and IaaS components of clouds on a SOA bus sufficient to support most enterprises. Applications, data, and mobile endpoint devices are dispersed in the presentation layer. Services reside in non-cloud environments and also in private, hybrid clouds, or public clouds as suggested by the ovals. We could place account payable and account receivable services in a private cloud that pulls in SaaS, PaaS, and IaaS resources that the bus orchestrates. Public clouds could deliver less secure mash ups, such as a cartographic service and a podcast service.


Knowledge and resources from outside the enterprise triggers quantum leaps in progress. The broad sweep of history shows that progress waxes and wanes depending on how people connect with dispersed sources of information. "Human technological advancement depends not on individual intelligence but on collective idea sharing, and it has done so for tens of thousands of years," Matt Ridley notes [REF-6]. SOA asks the question: how can we replace redundant functions? It seeks to de-silo departments with common services. Clouds ask the same question but looks for the answer in SaaS. It seeks to de-silo the enterprise from solutions available anywhere. SOA might construct a common reservations service, for example, while SaaS provides a reservation service that other enterprises use. Just as SOA exposes collaborative services and just as data warehouses store collaborative data, so too can clouds provide collaborative resources. We can deploy these services, data, and resources to not just expand existing markets but to create new markets. But with these rewards from clouds come risks. These include concerns about security, performance, availability, integration, customization, regulatory compliance, and cost. The second part of this article that will be published in the November 2011 issue of The Service Technology Magazine will discuss these issues and their resolution.


[REF-1] Fair use rationale: For critical commentary as fair use under United States copyright law. See Source

[REF-2] Fair use rationale: For critical commentary as fair use under United States copyright law. See Source: Uploader used a capture device to create this screenshot from a broadcast of "The Jetsons" on the Boomerang Channel (station logo removed with paint program).

[REF-3] Christopher Ensey ,"Security and Cloud Computing", IBM Institute for Advanced Security, 2010.

[REF-4] Peter Mell and Tim Grance, "The NIST Definition of Cloud Computing", National Institute of Standards and Technology. October, 7, 2009, Version 15.

[REF-5] Brand Niemann, "Semantic Cloud Computing With Open Linked Data Using Resource Description Framework (RDF) in Lieu of XML Technical or Capability Pattern", October 29, 2009, United States Environmental Protection Agency (Draft).

[REF-6] Matt Ridley, "From Phoenecia to Hayek to the Cloud", The Wall Street Journal, September 24-25, 2011, A15.


Government cloud initiatives include the following:

United States

  • Federal Chief Information Officers Council
  • and IT Dashboard
  • Defense Information Systems Agency (DISA)
  • Rapid Access Computing Environment (RACE)
  • US Department of Energy (DOE)
  • Magellan
  • General Services Administration (GSA)
  • Department of the Interior
  • National Business Center (NBC) Cloud Computing
  • NASA Nebula
  • National Institute of Standards and Technology (NIST)

United Kingdom

  • G-Cloud

European Union

  • Resources and Services Virtualization without Barriers Project (RESERVOIR)


  • Canada Cloud Computing
  • Cloud Computing and the Canadian Environment


  • The Digital Japan Creation Project (ICT Hatoyama Plan)
  • The Kasumigaseki Cloud


I wish to thank the following individuals who reviewed and critiqued my paper: Steve Wisner, Director, IT, Genworth Financial and Errol Ryland, Director, MSS Technologies, Inc.