> Archive > Issue LVI: November 2011 > Issue LVI - Thunder Clouds: Managing SOA-Cloud Risk - Part II


Thunder Clouds: Managing SOA-Cloud Risk - Part II

Published: November 17, 2011 • Service Technology Magazine Issue LVI PDF

This is the second article in a two-part article that discusses how we can manage risk while leveraging emerging cloud technologies using service-oriented architecture (SOA). Read the first part of this article here.

Thunder Clouds: Challenges and Solutions

Most skepticism about adopting clouds relates to quality of service concerns, especially security, performance, and availability.

Cloud Security

Securing sensitive data and protecting systems from intrusions is the chief concern for companies that are considering clouds. These concerns include unauthorized data access, malicious insiders, self-service compromise, insecure APIs, account or service hijacking, and uncertainty over data location and continuity planning, disaster recovery, and system resiliency. Insider threat is a significant concern. In an earlier article, I suggested the paradox that the only theory of SOA security is that there is no theory of security, and the same must be true with clouds [REF-1]. But there is much we can do to mitigate security-related failures in clouds so that the risk of failure is no less than if we didn't have clouds.

We should minimally expect that data centers of public clouds are physically hardened. They should be open to client audits, with keystroke tracking, closed circuit television of operational areas, cooling systems, biometric cages, and uninterruptible power supply backup generators. Software should consist of firewalls with intrusion prevention and virus, spam, and root kit detection. Providers, whether public or private, should conduct regular smoke tests, ethical hacking, and legal, geopolitical, and technical reviews. The provider should align cloud construction with common reference architectures and SAS 70 and ISO/IEC 27002 security standards. Providers must segregate client resources and providers cannot touch those resources. All backup data and client communications should be encrypted, not merely personally identifiable data. Dashboards should provide event correlation and traffic analysis as well as white and black lists of privileges.

The promise of clouds lies in its ability to scale resources across Java, .NET, and mainframe environments. The corollary is that developers can construct services that integrate into the cloud and that can be rapidly prototyped. Integration also means that we can relocate virtualized resources, reconstruct damaged cloud resources, and restore data and software from gold copies. We should have the ability to support customizable points of contact in public or hosted private clouds. A concern is the loss of control that comes from vendor lock-in of technology and procedures. The provider typically will offer out-of-the-box vanilla solutions with the ability to migrate configurations, programs, and schema enhancements. In general, clouds are a good solution if applications and data are not closely coupled, the highest security is not required, and integration points are well defined.

Cloud security is a set of concentric, redundant rings of in depth protection starting with physical security and including end-to-end network security. The key to security hardening by cloud providers is to have a robust federated identity management architecture. The effect is that cloud computing can be more secure than traditional IT infrastructure as application-level, transport-level, message-level, and SOA-level security supplement and strengthen cloud security mechanisms.

Application-Level Security

Application-level security should stand alone. It should remain decoupled from cloud or SOA security. All levels of security require service level monitoring and extended logging. Network traffic is filtered by protocol, port or source IP address. Databases are restricted by instance, table, column, and groups. Access control can be either attribute (ABAC) or role (RBAC) based. An AB access control model is based on subject, object, and environment attributes and supports both mandatory and discretionary access control needs. A RB approach restricts system access to authorized users using a hierarchical creation of roles and privileges.

Transport-Level Security

Most services support transport-level security (TLS). TLS lets us transmit a gigabyte of data from Singapore to Stockholm using Secure FTP (SFTP), an extension of TLS and Secure Sockets Layer (SSL) cryptography. TLS is a point-to-point message exchange with messaging in the clear after reaching the SSL endpoint. The entire message is encrypted and the sender must trust all intermediaries. SSL is the most widely used TSL communication protocol providing authentication, confidentiality, message integrity, and secure key exchange between clients and services. It secures communication at transport level rather than at message level. Resources are made available on a fine-grained, self-service basis over the internet with virtual private networks (VPN). A VPN provides a secure communications mechanism for messages transmitted between endpoints. It encapsulates data transfers between networked devices that aren't on the same private network so as to keep that data private.SSL/VPN is a form of VPN that can be used with a web browser.

Message-Level Security

Message-level security is end-to-end, granular, and transport independent with many security options. MLS encompasses other standards, including XML encryption, XML signature, and X.509 certificates, a signed data structure designed to send a public key to a receiving party. It provides message self-protection and different security policies and be applied to request and response transportation. MLS offers more flexibility than TSL and facilitates end-to-end security for the Simple Access Object Protocol (SOAP) message through all intermediaries. MLS specifies whether the SOAP messages between a client application and a Web service should be digitally signed and encrypted.

SOA-Level Security

We can realize SOA-level security through web services and the Java framework [REF-2]. SOA-C can use a variety of federated single sign on (SSO) protocols, including Security Assertion Markup Language (SAML), WS-Federation, WS-Trust, Liberty ID-FF, Information Card Profile, and Open-ID. Under SSO, a user wielding a web browser user agent requests a web resource protected by a service provider. The service provider issues authentication requests to an identity provider through the user agent. SAML is the protocol specification to use when two servers need to share authentication information. It promotes interoperability between disparate authentication and authorization systems by defining an XML-based framework for communicating security and identity information between computing entities. Shibboleth is an example of a SAML application, an open source package for SSO across organizational boundaries.

WS-Federation extends WS-Trust to provide flexible federated identity architecture with a clean separation between trust mechanisms, security token formats, and the protocol for obtaining tokens. It defines extensions that build on WS-Security to provide a framework for requesting and issuing security tokens and to broker trust relationships. Apache WSS4J is an implementation of WS-Security. WSS4J uses Apache Axis and Apache XML-Security and is interoperable with JAX-RPC and .NET server/clients. It generates SOAP bindings for XML Security, XML Signature, XML Encryption, Username Tokens, and supports X.509 binary certificates and certificate paths.


Cloud computing exacts a performance penalty in contrast to bare metal provisioning. Much depends on how enterprises parallel and partition their data and thusly their resourcing needs. Clouds can provide resources to accommodate a follow-the-sun strategy with availability zones. Cloud utilization can only make sense if there are service level agreements and reliability strategies. Cloud providers often have the skills to provide appliances that can generate best path network traffic algorithms. A load balancing service can reconcile loads between multiple instances in the same geographic zone.

Additional security promotes network latency- slowness- and jitter- variability. We can reduce latency by keeping static data close to the user while partitioning fact tables by region. SOA-C should use coarsely granular interface calls. The sewing machine pattern of requests and responses may be required by the business logic. But, where possible, we should use asynchronous messaging to reduce latency.


Closely related to performance is availability. Enterprises are loath to entrust financial transactions and system driven business operations if HTTP 404 errors or malware could bring their business to its knees. The potential for disruption exists, as it does in any integrated systems such the electrical grid and the airline transportation system. We must consider stateless and stateful failovers in the case of the loss of internet protocol (IP) connectivity along with disaster recovery generally. Federated clouds are a high availability solution in which a heartbeat between servers in clouds can accommodate immediate failover. For mission critical, customer-facing applications, such as bookings and financial exchange, we should expect six sigma - an uptime of 99.999 percent. Using SOA principles, we should decouple components so that a failure of one system is quarantined from other systems. For example, we can buffer messages in queues and then reprocess them upon recovery. Mean Time between Failures (MTBF) and Mean Time to Repair (MTBR) are metrics to evaluate vendors during bake offs.

For He That Gets Hurt...

In 1995, Bill Gates wrote that "the big insight for the next ten years is this: What if digital communication was free? The answer is that the way we learn, buy, socialize, do business, and entertain ourselves will be very different". And, as we scan the horizon, it's clear that we're rapidly closing in on that future:

Characteristics Bedrock Orbit City
Storage Availability Terabytes or Less Petrabytes
Geography Regional Global
Middleware Point to Point SOA + Cloud
Architecture Two or Three Tier N Tier
Analytics Scheduled Real Time
Mobile Agents Limited Unlimited
Clients Per Application Hundreds Unlimited
Servers Per Application Dozens Unlimited
Multimedia Content Low Unlimited

Table 1

The fact is that we now have answers for all of these technical challenges as daunting as they might seem. The gathering storm over Bedrock is the risk from the opportunity costs that come from forgoing SOA-C. Doubt about clouds has its roots less in the lack of adequate technical answers as it does from a fear of organizational change and a vacuum of leadership. Purpose, passion, and perseverance overcome all things, and defeat comes not as much from the outside as from within, from smugness, from complacency, and from the illusion that the present is the future. The choice to grab Bedrock's loose change or Orbit City's gold bricks shouldn't be a hard one. The great prizes go to those who can overcome that paralysis of will to unlock the treasure houses of wealth within their own company. Don't stand in the doorway.

Don't block up the hall
For he that gets hurt
Will be he who has stalled
For the times they are a-changin'

Cloud Contracts: Trust and Consideration

Providers may fall into bankruptcy. A computer virus is unleashed every five minutes. Enterprise clouds are threatened from within and from without. Corporations have a fiduciary obligation to protect data. Violation of Health Insurance Portability and Accountability Act (HIPAA), Environmental Protection Agency regulations, export control rules, SOX compliance, and other laws can result in anything from fines to delisting from the stock market. Governance, Risk, and Compliance (GRC) needs to be a part of cloud management to ensure service levels and accountability, with compartmentalized data, clearly defined roles, and iron contracts.

The best shelter against thunder clouds has less to do with Silicon Valley than with Harvard Law's Langdell Hall. In the 1973 movie, "The Paper Chase", the tough-minded Professor Charles W. Kingsfield Jr say this to his One-Ls: "Through this method of questioning-answering, questioning-answering, we seek to develop in you the ability to analyze that vast complex of facts that constitute the relationships of members within a given society. Questioning and answering. At times, you may feel that you have found the correct answer. I assure you that this is a total delusion on your part. You will never find the correct, absolute, and final answer. In my classroom, there is always another question, another question to follow your answer." A contract that accommodates the concerns of both the provider and the consumer will come from this litigation, as long as this dialectic doesn't regress into indecision. Cloud law is mutating and it might have more in common with maritime law as it tries to formulate legal principles that span boundaries. The cloud provider headquarters may be in Brussels, the servers may be in the Ukraine, the intrusion may come from Malaysia, while the consumer is in London. Cloud contract templates and checklists, as helpful as they might seem, barely scratch the surface when it comes to anticipating the subtle, situation-specific threats that clouds could pose. In this realm of uncertainty, the most certain and proactive way to mitigate thunder cloud risks is to shift the architecture of clouds from technology to contract law. A secure cloud comes down to ensuring that the clouds are human centered rather than system centered, and that there is accountability to one person who is the agent of the provider and one person who is the agent of the consumer.

A contract is a triangle of the foundational principles of offer, acceptance, and consideration on a ground of intentionality and legitimacy, all of which are necessary to form a valid contract.

Figure 1 – The Contractual Triangle

The party of a contract could be stake holders from within the company or third party hosts of clouds. The essence of the contract in all these cases is the same. Intentionality is formed by mutual agreement that comes from the need to acquire and the need to be safe. Trust is earned from consideration. A trust relationship implies penalties if that relationship is violated, perhaps even with an unlimited liability clause, and also incentives to perform. A contract derives its legitimacy from the legal system in which it is formed, observed, and enforced. Providers operate in the context of their legal system. We can get a sense of their fidelity to their adherence to contract law by observing the extent to which its national institutions protect trademarks, patents, and copyrights, and arbitration and are free from judicial corruption and political influence.

For public clouds, we must consider the financial health of the provider and the political and economic stability of provider nations with strategic risk assessments. We should consider the implications if the provider goes out of business or if the server farm is closed for any reason. A key consideration must be the plan for migrating from one cloud to another cloud, such as from a public cloud to a private cloud, and recovering all intellectual collateral.

Cloud contracts often emphasize supplier rights and consumer obligations. We should strike a balance that additionally emphasizes consumer rights and provider obligations. The contract should cover definitions, specifications, entrance and exit procedures, warranties, waivers, and penalties, maintenance, training, and adherence to standards. An offer is an acceptance of willingness to contract made with the intention that it shall become binding on the offer as soon as it is accepted by the offeree. Acceptance is the final and unqualified agreement of the terms of an offer, in which the acceptance must meet exactly meet the terms of the offer. Consideration is the exchange of something of value, in this case, the exchange of money for cloud services. It's an alias for mutual performance. The consumer should understand the quality of service implications of consideration and decide whether or not the provider can meet those expectations.

Contract negotiations also rest on basic principles that transcend national or corporate cultures. These including separating the personalities from the problem, ignoring declared positions except as evidence of underlying interest, postponing decision making while generating options, agreeing on a standard of engagement and success, using words, personality, and patience to draw concessions, and avoiding ultimatums but also preparing to walk away from the deal. Good negotiations, whether they are within the enterprise or external to the enterprise, meet the legitimate interests of each side to the greatest extent possible, enhance trust between parties, resolve conflicting interests fairly, and are durable. Managers and lawyers like to say "no" as doing nothing appears less risky than doing something. But those who run their fiefs are often blind to their own true interests and the interests of the enterprise. Thus, we need leadership from the top to go to "yes".

With executive consent, the path forward should become clearer. What we need firstly are Sherpas that can spot the Yetis as we trek into the clouds. Consultants or vendors can fill this role although in time this expertise will come from in-house. Open source organizations are the best place to turn for guidance in trying to build an industry-specific cloud [REF-4]. An interdepartmental task force consisting of stake holders and system analysts will blaze the trail. The overall strategy should be to centralize, standardize, and virtualize on a SOA frame using proven technologies for high availability production services. We should use single vendor infrastructure stacks or open source solutions and design services for wireless and mobile computing devices whenever possible. Tools and interfaces should be standard across the enterprise and should support multiple geographies, time zones, languages, and multi-tenancy. Finally, the principle of the power of one should be applied to cloud data: one data steward and one point of truth for each major data item, one way to protect data, and one data reporting solution.

Conclusion: Blue Skies

Figure 2 – Summer Clouds, Australia
Wikimedia Commons

Blue skies
Smiling at me
Nothing but blue skies
Do I see
Irving Berlin, 1926

The future of computing clouds is indeed blue skies. The flight from Bedrock to Orbit City is within the reach of all companies. The only dark lining for providers is increasing competition and a shake-out of second-tier vendors. The only dark lining for consumers are the threat that clouds pose to our privacy as governments and business roll vast business intelligence correlation and inferring engines into the clouds. For enterprises that are both providers and consumers, resources are available to meet all technical challenges. Clouds will become increasingly available with a downward pressure on rates because of improving technology and increasing competition. Providers will offer multinational services and the long term trend is toward vendor consolidation. A good return on investment and a low total cost of ownership will be most evident in public clouds. Governments and businesses are forming morganatic partnerships to improve the reach of clouds by integrating semantic and federated SOA-C. Open source research is playing a significant role in enhancing e-commerce clouds. And free market innovations will continue to deliver cost reductions, increased flexibility, elastic scalability, and new tools to help build and manage clouds.


[REF-1] Philip Wik "Machiavelli's SOA: Toward a Theory of SOA Security", December, 2010 Service Technology Magazine

[REF-2] Web service and Java specifications include the following:

WS-* Security Standards
WS-Policy WS-Policy describes the capabilities and constraints of a system. It enables us to specify policy information that can be used to access Web service applications.
WS-PolicyAttachment WS-PolicyAttachment defines how WS-Policy policies are attached to Web services. Policies can be bound to WSDLs or the Universal Description, Discovery, and Integration (UDDI) registry.
WS-SecurityPolicy WS-SecurityPolicy defines a set of security policy assertions used in the context of the WS-Policy framework.
WS-Addressing WS-Addressing provides the mechanisms to address messages in a transport-independent fashion. It provides an XML framework for identifying Web service endpoints and for securing end-to-end identification I n the message.
WS-ReliableMessaging WS-ReliableMessaging defines a framework for identifying and managing the reliable delivery of messages between Web services endpoints.
WS-Trust WS-Trust defines a framework for trust models that enables Web services to interoperate securely. It addresses situations where trust must be brokered between parties that don’t use the same security tokens.
WS-SecureConversation WS-SecureConversation defines a way of establishing and sharing security contexts for Web services conversation.
WS-Security WS-Security provides message-level security.

Java Platform Enterprise Edition
JAAS The Java Authentication and Authorization Service is the Java security framework for user-centric security to augment Java code-based security.
JAX-RS The Java API for RESTful Web services.
JAX-WS The Java API for XML Web services is the centerpiece of a newly rearchitected API stack for Web services that includes JAX-WS, JAXB, and SAAJ.
JAXB Java Architecture for XML Binding provides binding of an XML schema to a representation in Java code.
JAX-RPC We use the Java API for XML-based RPC to build Web services, incorporating XML-based remote procedure call (RPC) functionality according to the SOAP specification.
SAAJ/ JAXM The SOAP with Attachments API for Java (also known as the Java APIs for XML messaging) provides a standard way to send XML documents over the Internet from the Java platform. Simple API for XML (SAX) defines the API that wraps an XML: reader implementation class.
JMS The Java Message Service API is a messaging standard that allows application components based on J2EE to create, send, receive, and read messages. It enables distributed communication that is loosely coupled, reliable, and asynchronous.
JAAC The Java Authorization Contract for Containers allows third-party service providers to plug into application servers using standard interfaces for policy configuration and access decisions.

[REF-3] Bob Dylan, "The Times They Are A-Changin'", 1964.

[REF-4] Organizations that can provide cloud guidance include the following:

Organization Description Link
Globus Alliance The Globus Alliance is an international collaboration that conducts research and development to create fundamental Grid technologies.
Nimbus Nimbus is an open-source toolkit focused on providing Infrastructure-as-a-Service (IaaS) capabilities to the scientific community.
OpenNebula OpenNebula is the Industry standard for on-premise IaaS cloud computing, offering a comprehensive solution for managing virtualized data centers to enable private, public and hybrid clouds.
SABSA The Sherwood Applied Business Security Architecture framework has evolved as a best practice method for delivering cohesive information security solutions to enterprises.
ITIL The Information Technology Infrastructure Library is the most widely adopted approach for IT Service Management in the world. It provides a practical, no-nonsense framework for identifying, planning, delivering and supporting IT services to the business.
TOGAF The Open Group Architecture Framework is a framework for enterprise architecture that enables the achievement of business objectives through IT standards.
The Cloud Security Alliance The Cloud Security Alliance promotes the use of best practices for providing security assurance within Cloud Computing, and provides education on the uses of Cloud Computing to help secure all other forms of computing.
Jericho The Jericho Forum is the leading international IT security thought-leadership association dedicated to advancing secure business in a global open-network environment.


I wish to thank the following individuals who reviewed and critiqued my paper: Steve Wisner, Director, IT, Genworth Financial and Errol Ryland, Director, MSS Technologies, Inc.