One of the good signs in the present cloud computing movement is a very conscious effort to employ use cases and scenario-based planning while pursing cloud architecture. The effort is driven by a desire to use real
An example is the on-going work of The Open Group's Security for the Cloud and SOA project. This is a spinoff of The Open Group's existing SOA work. It seeks to create security architecture for the cloud that helps you figure out if and how your applications' unique security needs can be met in the new medium.
The importance of using real life situations to gauge risk was a key takeaway from a recent conversation with Stuart Boardman, who co-leads the Enterprise Architecture practice and the cloud computing solutions work at The Open Group, while also serving as Senior Business Consultant with Getronics Consulting in the Netherlands.
Underlying the work was a policy-driven approach to security. That might breakdown into policy definition, policy administration, policy enforcement, policy decisions and so on.
"We took the view that the most important thing we could do was focus on architecture issues," Boardman said. The upshot was that policy-based security principals and architectural building blocks were considered in terms of familiar, existing application integrations – in one case, a trip plan.
The example of the travel plan or itinerary is one of the classics of enterprise computing, going back to the original mainframe days. When making a trip reservation you may employ a travel service, flight booking system, a hotel reservation system and the like. As a software architect, the system you build could integrate all or some of these diverse systems. All the time you ponder the best course, you are taking into account implicit or explicit policy decisions and enforcements.
Boardman said the travel service, flight booker and hotel reservation system are likely to have analogies in the new cloud computing space, and these, in a Security for the Cloud and SOA project whitepaper, are depicted in turn as a ''travel cloud,'' ''flight cloud'' and "a night in the clouds.''
Software and enterprise architects are already familiar with the thinking that goes into building properly secure interfaces at these system integration ''crossroads.'' Moreover, suggested Boardman, experienced architects are able to judge the relative risk that such systems entail.
Industry hands know ''there is data and there is data.'' Put another way: You encounter special security obligations and more risk when dealing with social security numbers than when dealing with other types of data. By looking at security policy decisions and enforcements
As in the best service architectures, The Open Group work looks for a high-level of abstraction that allows for multiple diverse technology underpinnings. Boardman mentions SAML, CACML and OAuth among open standards for security that can be used flexibly with the The Open Group's cloud and SOA security initiative.
Boardman said the architecture and method can be used with standards and best practices such as those coming out of the Cloud Security Alliance (CSA) and other groups. He mentioned the potential applicability of identity services provisioning guideline work underway at The Open Group's Jericho Forum, which focuses on secure collaboration within cloud computing environments. The Jericho Forum's work recently took an interesting turn as the members published a set of "Commandments' meant to bring clarity to the architecture of identity services. [Ed.Note: See related ''The 13 Identity Commandments'' story.]
Clearly, work like that of The Open Group's Security for the Cloud and SOA project seeks to unpeel the layers of the onion known as "The Cloud Security'' issue. By studying how cloud providers address key policy decisions and enforcements, you can begin to unravel cloud architecture, to the point where you can rationally judge the risk and reward potential for your cloud based application integrations.
Related SOA and cloud security information
Understanding security aspects of cloud initiatives - The Open Group blog
This was first published in June 2011