The lack of guaranteed bandwidth and the questionable security characteristics of the public Internet will inhibit the migration of core enterprise applications into the cloud, Allan Leinwand argued in a recent post entitled “Do Enterprises Need a Toll Road to the Cloud?” To alleviate such concerns, he proposed what he called CloudNAP — essentially a leased line service between the enterprise and various cloud providers.
Leased lines, however, can’t solve the fundamental issues involved in migrating those core enterprise applications. Designed to work in secure and predictable networks, such apps are the real barriers to cloud adoption — it’s simply not possible to reproduce their preferred operating environment across the cloud.
Perhaps the most attractive virtue of leased lines is assured bandwidth. Communications providers have SLAs down to a science; they offer a rigor we can only dream of getting from our cloud providers. The dedicated line makes perfect sense when you absolutely must have a pipe of a particular size set down between fixed locations. It’s a natural solution when integrating a branch office or connecting to an outsourced data processing center.
The cloud, on the other hand, is much harder to pin down. Your applications may move between physical locations — and some of these sites could be pretty far away. Suddenly, the dominant issue is not the size of your pipe, but how long it is. Consider that if you strung a continuous strand of fiber on an optimal path from New York to San Francisco, you would be looking at a minimum of 38 milliseconds round trip for messages. Go to Mumbai and you triple this. Between two points in your local network? Probably less than a millisecond. The point is that this negligible level of latency is what your conventionally architected enterprise applications expect.
Security is another desirable feature of leased lines. Point-to-point confidentiality and integrity across the wire is largely a solved problem. Paired at either end with good physical security and local network isolation, and you have a pretty strong security story. Two data centers connected in this way can effectively reside in the same relative security domain.
The cloud offers new challenges and so demands a different approach. At one end of the line is the corporate enterprise; at the opposite end, a shared public system with questionable levels of isolation between customers. You can no longer rely on the physical demarcations that characterized traditional multitenant computing facilities. If one of your remote images becomes compromised, it offers a hacker a secure superhighway right back into a wide-open corporate network.
The problem here is traditional IT thinking, which views the cloud as an inexpensive annex to the existing corporate network. But no amount of overlay will make the public cloud an integral part of this network. Cloud computing offers great benefits, but it also changes the rules.
The real problem is your existing applications, which are designed under conventional internal network assumptions. They are chatty, too tightly bound and too finely grained. They make the naïve assumption of a relatively secure operating environment and depend on localized security and identity contexts. You cannot simply redistribute these to public clouds and then try to force the long-haul communication to change to accommodate their needs. Instead, the applications need to change.
Ask yourself why web applications have flourished in the cloud. It’s not because they matter less than internal enterprise apps; it’s because their architecture is aligned to the realities of a global Internet. They are loosely coupled, built on coarse-grained, service-oriented interactions. They tolerate delays and lost transmissions, and carry stateful messages across stateless protocols. Their messages are verbose and largely text-based, so they accept parsing latencies, yet they still scale massively and can accommodate widely varying loads. Security is applied application-to-application, not across a wire segment somewhere in the middle. Security context can be bound to identity, and entitlements can be as granular as the business demands. Web apps drew the Internet’s vagaries around them like a cloak and marched confidently into the clouds.
These ideas aren’t new, but are the basis of Service-Oriented Architecture (SOA). We should apply the lessons learned in SOA to applications other than browsers and web sites — applications like the mission-critical systems that currently run in corporate data centers. These can certainly thrive in the cloud; however, to deploy successfully in this interesting new environment, their design must change.
Andrew Finall is Development Manager, Core Products at Layer 7 Technologies; K. Scott Morrison is the company’s V-P of Engineering and Chief Architect; and Jay Thorne is Director of Development.