Monthly Archives: June 2011

“He who does not understand history…

By Stuart Boardman, Getronics

….is doomed to repeat it.” (Misquote from Burke – so sue me.)

What exactly is our industry’s problem with history? Why are we so good at dredging it up and so bad at learning from it? Every new development that comes along is treated by some people as a silver bullet that will magically solve all the problems we had before, whilst there are always others keen to assure us there’s nothing new and we were doing it all years ago, so what’s all the fuss about? Neither of these factions seems the least interested in the question of what we were doing wrong before or why, if we already knew how to do it, we so often didn’t get it right.

Right now the big hype and centre of discussion is Cloud but let’s take a look at some history – seen through the filter of my own experience.

My first exposure to a “paradigm shift” was Object Orientation. OO was going to supply us the means to prevent us from making all the errors we made in the past. (One could go back to Structured Programming for the same lessons but that’s before my time). With encapsulation, information hiding, polymorphism and all that great stuff, it would no longer be possible to produce highly coupled application modules with little cohesion. Uh huh. A couple of smart guys called Sharble and Cohen back in 1993 wrote a study called The Object Oriented Brewery (never mind why) in which they demonstrated exactly how easy it was to produce highly coupled, low cohesion code in an OO language. And why was it so easy? Because avoiding these errors requires understanding how they happen – not just technically but the kind of circumstances and thinking that produce them – and there are lots of different ways of getting it wrong! If this is news to you, you could do worse than check this Wikipedia page.

So then the next big thing was SOA. Here again we had the silver bullet merchants (mostly selling ESBs and the like) on the one hand and on the other the “this is just EAI on steroids” bunch, who could all tell you how they’d been doing this for 10 years already. Which of course begs the question: “so why is it such a mess?” It’s not as if we didn’t have good methodologies. I have seen EAI methodologies that really were pretty much SOA. But still it went wrong. We just took those N2-1 interfaces that EAI was supposed to eliminate and stuffed them inside a black box. So clearly the high priests of SOA needed to be asking themselves why this happened. At least they did, if they didn’t want it to happen again. And hey, look – most of them didn’t ask and we did indeed finish up with the same old mess (except now we call it JBOWS). The folks who should have known better (the old hacks) just let it happen. There’ll be a reason for that too.

So what about Cloud? It’s easy to argue that it’s nothing new. I’ve even seen someone argue it all started in 1960! We certainly used to have “time sharing” services, which offered a limited form of what we would now call PaaS over a dial-up connection. More than 20 years ago I was working on an IBM VM system, which one could reasonably describe as fully PaaS (including a usage based charging capability). I also recall an (unsuccessful) IBM initiative to deliver software over the internet direct to user PCs – somewhat along the lines of what app stores do now. And then of course we’ve had outsourcing and managed services in shared data centres, which has also rendered mixed results.

Don’t get me wrong, I don’t want to argue that Cloud is just old wine in new bottles. It represents an aggregation of a variety of capabilities, which at its best has a coherence one couldn’t claim was available in earlier manifestations. It’s to a considerable extent platform independent. (I didn’t say interoperable, OK?)

But there’s nothing inherent to Cloud that will stop us making the same old mistakes. Speaking for myself I have no expectation on Cloud providers to do it for us. I’m happy if they just don’t make it harder for us to do it right. It’s down to us (IT folks and Enterprise Architects) to learn from history, to use methodologies intelligently, find ways to minimize the risk and get business buy-in. The Cloud business model is a good stimulus for that buy-in. Separation of interface and implementation may sound like techno-babble but it’s exactly what both providers and consumers need, if they’re to get business value from the Cloud.

The Open Group has an important role to play here. Sitting at the junction of business and IT, we’re ideally placed to address these problems in a way that is meaningful to the business and technically effective. We cover most applicable areas with the work of the Jericho and Security Forums and of the SOA and Cloud Computing Work Groups. We have TOGAF® and we have our own collective experience. And we’re seeing more and more joint efforts across Forums and Work Groups. If we use all that to make an honest assessment of what went right and wrong in the past (and why), we will do something really useful for all parties in the Cloud.

Stuart Boardman is a Senior Business Consultant with Getronics Consulting where he co-leads the Enterprise Architecture practice as well as the Cloud Computing solutions group. He is co-lead of The Open Group Cloud Computing Work Group’s Security for the Cloud and SOA project and a founding member of both The Open Group Cloud Computing Work Group and The Open Group SOA Work Group. Stuart is the author of publications by the Information Security Platform (PvIB) in The Netherlands and of his previous employer, CGI. He is a frequent speaker at conferences on the topics of Cloud, SOA, and Identity.

1 Comment

Filed under Cloud, Enterprise Architecture

June 2011 is a big month for Cloud Computing announcements

By Mark Skilton, Capgemini

I  woke up this morning to CNN reporting on “Cloud Computing” and running a  series of news bulletins this week on the subject. I think this was triggered by the Apple announcement of iCloud  at the San Francisco World Wide Developers Conference (WWDC11).

But this was just one of a number of high-profile commercial announcements in the industry that is seeing a convergence and shift to Cloud as a business model. This week, Google announced Chromebook with partners Samsung and Acer, providing a fully integrated, Web-only, laptop-style implementation of their ChromeOS.

I noted the CNN reporter asked the question, “What is Cloud Computing?” The irony of the moment was that the interviewee was speaking from a video link using Skype: Skype being an example of Cloud usage in our everyday lives. The reporter followed up with the next most talked-about problem of security and connectivity when all your data and services are not on your laptop or mobile cell phone. Yes, there are still issues with performance bandwidth and WiFi coverage, and security will continue to be a challenge. But as demonstrated by the virtual business models of Apple and Google, these challenges are not prohibitory.

In fact, the bigger questions now being posed are how crowded the Cloud is getting, and that cyber turf wars may be underway to grab sizable parts of the Cloud-based business through establishing Cloud platforms like iCloud and Chromebook. I turned to my iPad to read the daily news and found an article which raised this very point, titled, “Online computing: The crowded cloud” (dated June 3, 2011).  I recommend reading it.

Mark Skilton, Director, Capgemini, is the Co-Chair of The Open Group Cloud Computing Work Group. He has been involved in advising clients and developing of strategic portfolio services in Cloud Computing and business transformation. His recent contributions include the publication of Return on Investment models on Cloud Computing widely syndicated that achieved 50,000 hits on and in the British Computer Society 2010 Annual Review. His current activities include development of a new Cloud Computing Model standards and best practices on the subject of Cloud Computing impact on Outsourcing and Off-shoring models and contributed to the second edition of the Handbook of Global Outsourcing and Off-shoring published through his involvement with Warwick Business School UK Specialist Masters Degree Program in Information Systems Management.


Filed under Cloud

New Open Group Guide Shows Enterprise Architects How to Maximize SOA Business Value with TOGAF®

By Awel Dico, Bank of Montreal

Service Oriented Architecture (SOA) has promised many benefits for both IT and business. As a result, it has been widely adopted as an architectural style among both private business and government enterprises. Despite SOA’s popularity, however, relatively few of these enterprises are able to measure and demonstrate the value of SOA to their organization. What is the problem and why is it so hard to demonstrate that SOA can deliver the much needed business value it promises? In this post I will point out some root causes for this problem and highlight how The Open Group’s new guide, titled “Using TOGAF® to Define and Govern Service-Oriented Architectures,” can help organizations maximize their return on investment with SOA.

The main problem is rooted in the way SOA adoption is approached. In most cases, organizations approach SOA by limiting the scope to individual solution implementation projects – using it purely as a tool to group software functions into services described by some standard interface. As a result, each SOA implementation is disconnected and void of the larger business problem context. This creates disconnected, technology-focused SOA silos that are difficult to manage and govern. Reuse of services across business lines, arguably one of the main advantages of SOA, in turn becomes very limited if not impossible without increased cost of integration.

SOA calls for standard-based service infrastructure that requires big investment. I have seen many IT organizations struggle to establish a common SOA infrastructure, but fail to do so. The main reason for this failure is again the way SOA is approached in those organizations; limiting SOA’s scope to solution projects makes it hard for individual projects to justify the investment in service infrastructure. As a result they fall back to their tactical implementation which cannot be reused by other projects down the road.

The other culprit is that many organizations think SOA can be applied to all situations – failing to realize that there are cases when SOA is not a good approach at all. An SOA approach is not cheap, and trying to fit it to all situations results in an increased cost without any ROI.

Fortunately there’s a solution to this problem. The Open Group SOA Work Group recently developed a short guide on how to use TOGAF® to define and govern SOA. The guide’s main goal is to enable enterprises to deliver the expected business value from their SOA initiatives. What’s great about TOGAF® in helping organizations approach SOA is the fact that it’s an architecture-style, agnostic and flexible framework that can be customized to various enterprise needs, architectural scopes and styles. In a nutshell, the guide recommends the incorporation of SOA style in the EA framework through customization and enhancement of TOGAF® 9.

How does this solve the problem I pointed out above? Well, here’s how:

SOA, as an architectural style, becomes recognized as part of the organization’s overall Enterprise Architecture instead of leaving it linked to only individual projects. The guide advises the identification of SOA principles and establishment of supporting architectural capabilities at the preliminary phase of TOGAF®. It also recommends establishment of SOA governance and creating linkage to both IT and EA governance in the enterprise. These architecture capabilities lift the heavy weight from the solution projects and ensure that any SOA initiative delivers business value to the enterprise. This means SOA projects in the enterprise share a larger enterprise context and each project adds value to the whole enterprise business in an incremental, reusable fashion.

When TOGAF® is applied at the strategic level, then SOA concepts can be incorporated into the strategy by indentifying the business areas or segments in the enterprise that benefit from a SOA approach. Likewise, the strategy could point out the areas in which SOA is not adding any value to the business. This allows users to identify the expected key metrics from the start and focus their SOA investment on high value projects. This also makes sure that each smaller SOA project is initiated in the context of larger business objectives and as such, can add measurable business value.

In summary, this short and concise guide links all the moving parts (such as SOA principles, SOA governance, Reference Architectures, SOA maturity, SOA Meta-model, etc.) and I think it is a must-read for any enterprise architect using TOGAF® as their organization’s EA framework and SOA as an architectural style. If you are wondering how these architectural elements fit together, I recommend you look at the guide and customize or extend its key concepts to your own situation. If you read it carefully, you will understand why SOA projects must have larger enterprise business context and how this can be done by customizing TOGAF® to define and govern your own SOA initiatives.

To download the guide for free, please visit The Open Group’s online bookstore.

Awel Dico, Ph. D., is Enterprise Architect for the Bank of Montreal. He is currently working on enterprise integration architecture and establishing best practice styles and patterns for bank wide services integration.  In the past he has consulted on various projects and worked with many teams across the organization and worked on many architecture initiatives, some of which include: leading mid-tier service infrastructure architecture; developing enterprise SOA principles, guidelines and standards; Developing SOA Service Compliance process; developing and applying architectural patterns; researching technology and industry trends, and contributing to the development of bank’s Enterprise Reference Architecture blueprint. In addition, Dr. Dico currently co-chairs The Open Group SOA Work Group and The Open Group SOA/TOGAF Practical Guide Project. He also co-supervises PhD candidates at Addis Ababa University, Computer Science – in Software Engineering track. Dr. Dico is also a founder of Community College helping students in rural areas of Ethiopia.


Filed under Service Oriented Architecture

Understanding security aspects of Cloud initiatives

By Stuart Boardman, Getronics; and Omkhar Arasaratnam, IBM

The Open Group recently published a whitepaper, An Architectural View Of Security For Cloud, which is the first in a series being produced by the Security For The Cloud and SOA project. In this whitepaper we introduce a method that helps organizations to model and therefore understand the security aspects of their Cloud initiatives.

Security is still often cited as the biggest concern about the Cloud. This topic was even raised during the recent survey by The Open Group on Cloud Computing. But does the concern reflect a genuine level of risk? If so, in what way and under what circumstances? It would be irresponsible not to take this seriously, but right now we’re suffering from a “here be dragons” mentality. Despite all the good work done by The Open Group, the Cloud Security Alliance (CSA) and others, we still see far too much discussion of this kind: “The biggest single security threat in the Cloud is…” This helps no one, because these are generalizations and every organization’s situation is specific (This is borne out by other surveys, by the way). The result is FUD (fear, uncertainty and doubt) and therefore stagnation. And as people lose patience with that, the reaction is sometimes the taking of inappropriate risks.

One of the challenges in understanding Cloud-based architectures is that each party, whether it is primarily a consumer or primarily a provider, is part of an ecosystem of different entities, providing and consuming Cloud services. The view of the architecture for each player may be different but each of them must take the entire ecosystem into account and not just its own part. When you couple this with the fact that there are so many possible types of Cloud service and delivery, and so many different kinds of data one might expose in the Cloud, it’s clear that there is no one generic model for Cloud. You need to understand the particular situation you are in or can foresee being in. That can be quite complex.

The Open Group’s Security for the Cloud and SOA project is developing a security reference architecture, which will help architects and security specialists to develop their view and understanding of their situations. Using the architecture and the associated method and combining this with the advice coming from other groups such as CSA or The Open Group Jericho Forum®, you can create a comprehensible view of a complex situation, determine risks, test your solution options and set up controls to manage all this in a production situation.

The fundamentals of our approach are architectural building blocks, security principles and a scenario-driven modeling method. We have defined a set of principles but also take into account identity principles from the CSA – and in the future, will work to combine all these effectively with the recently published Jericho Foundation Identity Commandments. Policy-driven security is for us a basic principle and itself is how most other principles are supported. By using the method to model responsibility for the building blocks, you can understand how policy is managed across the ecosystem and make an informed analysis of risks, mitigations and opportunities.

In the whitepaper, we illustrate the approach for the area of identity, entitlement and access management policy. We use a scenario involving one consumer organization and three SaaS providers supporting travel booking. We look at three situations which might apply depending on the capabilities and flexibility of the various parties. Here’s an example of how responsibility for the building blocks is distributed in one of these situations and how open standards can help to support that.

This happens to be the situation which best supports the principles we highlight in the whitepaper. In other situations you can see exactly how principles are compromised. That helps an organization weigh up risks and benefits. Take a look at the whitepaper and let us know what you think. We’re happy with any input we receive. More whitepapers will follow soon extending the method to other areas of security. Later on we’ll start building realizations that will, we hope, help to promote the use of open standards and bring us closer to Boundaryless Information Flow™. We’re also running an “architectural decisions rodeo” at The Open Group Conference, Austin (July 18-22) during which we will discuss and document key architectural decisions regarding Cloud security.

Omkhar Arasaratnam is a Certified Senior Security Architect with IBM. He is a member of the IBM Security Architecture Board, the IBM Cloud Computing Security Architecture Board, and co-leads The Open Group Cloud Computing Work Group’s Security for the Cloud and SOA project. He is also actively involved in the International Standards Organization (ISO) JTC1/SC38 Study Group on Cloud Computing. Omkhar is also an accomplished author and technical editor of several IBM, John Wiley & Sons, and O’Reilly publications. He also has five pending patents in the field of information technology. Omkhar has worldwide responsibility for security architecture in some of IBM’s Cloud Computing services.

Stuart Boardman is a Senior Business Consultant with Getronics Consulting where he co-leads the Enterprise Architecture practice as well as the Cloud Computing solutions group. He is co-lead with Omkhar Arasaratnam of The Open Group Cloud Computing Work Group’s Security for the Cloud and SOA project and a founding member of both The Open Group Cloud Computing Work Group and The Open Group SOA Work Group. Stuart is the author of publications by the Information Security Platform (PvIB) in The Netherlands and of his previous employer, CGI. He is a frequent speaker at conferences on the topics of Cloud, SOA, and Identity.

1 Comment

Filed under Cloud/SOA

TOGAF® Certification Success: More than 7,000 individuals certified from over 50 countries

By Andrew Josey, The Open Group

Certification is a core competence of The Open Group and key to the successful rollout of our standards. TOGAF®, an Open Group standard, is the de facto global standard for Enterprise Architecture. The fast adoption of TOGAF 9 and demand for its certification program by architecture professionals and their employers is indicative of the value to be gained from trusted, globally accepted standards supported through certification.

As one of the team who developed TOGAF 9, I regularly track the statistics to monitor the take-up and adoption worldwide. Certifications within the TOGAF 9 program are currently growing at over one thousand individuals per quarter. As of June 3rd there were 7,200 individuals certified from more than 50 countries.

Of particular interest is to look at the countries adopting TOGAF. The top five includes the UK, The Netherlands, The USA, Australia and South Africa.

(Note 1: Data as of June 3rd 2011. Other countries outside the top 30 include (in order) Spain, Ireland, Austria, Malaysia, Kuwait, Jordan, Portugal, Russia, Costa Rica, Taiwan, Hungary, Oman, Nigeria, Botswana, Luxembourg, Indonesia, Sri Lanka, Egypt, Chile, Thailand, South Korea and Peru.)

There are 34 TOGAF 9 training partners worldwide and 37 accredited TOGAF 9 courses. More information on TOGAF 9 Certification, including the directory of Certified People and official accredited training course calendar, can be obtained from The Open Group website.

As part of the ongoing process of “Making Standards Work®”, we will be defining new certification standards and policy in the member meetings at The Open Group Conference, Austin, Texas (July 18-22, The Four Seasons Hotel). This will include the development of certification for the ArchiMate® standard and the addition of tools certification for TOGAF® Version 9.

If you are able to join us in Austin in July, I hope you will be able to also join us at the member meetings to work on building the next certification standards. If you are not yet a member then I hope you will attend the conference itself and network with the members to find out more and consider joining us at The Open Group.

Andrew Josey is Director of Standards within The Open Group, responsible for the Standards Process across the organization. Andrew leads the standards development activities within The Open Group Architecture Forum, including the development and maintenance of TOGAF® 9, and the TOGAF® 9 People certification program. He also chairs the Austin Group, the working group responsible for development and maintenance of the POSIX 1003.1 standard that forms the core volumes of the Single UNIX® Specification. He is the ISO project editor for ISO/IEC 9945 (POSIX). He is a member of the IEEE Computer Society’s Golden Core and is the IEEE P1003.1 chair and the IEEE PASC Functional chair of Interpretations. Andrew is based in the UK.


Filed under Enterprise Architecture, TOGAF®