Technical Field
This disclosure relates generally to deploying applications in a “cloud” compute environment.
Background of the Related Art
An emerging information technology (IT) delivery model is cloud computing, by which shared resources, software and information are provided over the Internet to computers and other devices on-demand. Cloud computing can significantly reduce IT costs and complexities while improving workload optimization and service delivery. With this approach, an application instance can be hosted and made available from Internet-based resources that are accessible through a conventional Web browser over HTTP. An example application might be one that provides a common set of messaging functions, such as email, calendaring, contact management, and instant messaging. A user would then access the service directly over the Internet. Using this service, an enterprise would place its email, calendar and/or collaboration infrastructure in the cloud, and an end user would use an appropriate client to access his or her email, or perform a calendar operation.
Cloud compute resources are typically housed in large server farms that run one or more network applications, typically using a virtualized architecture wherein applications run inside virtual servers, or so-called “virtual machines” (VMs), that are mapped onto physical servers in a data center facility. The virtual machines typically run on top of a hypervisor, which is a control program that allocates physical resources to the virtual machines.
It is known in the art to provide appliance-based or platform-based solutions to facilitate rapid adoption and deployment of cloud-based offerings. Typically, a cloud-based offering is deployed as a cloud application package. One such appliance that may be used for this purpose is IBM® Workload Deployer, which is based on the IBM DataPower® 7199/9005 product family. Typically, the appliance is positioned directly between the business workloads that many organizations use and the underlying cloud infrastructure and platform components. Alternatively, cloud application packages may be deployed using platform-as-a-service (PAS) infrastructure, such as the IBM® SmartCloud® Orchestrator open cloud management platform. A management platform of this type typically comprises several layers including an infrastructure services layer for provisioning, configuring and managing storage, compute and network resources, a platform services layer, and an orchestration services layer to provide business process management. The platform services layer includes virtual machine image lifecycle management capabilities and related services. The platform services layer includes virtual machine image lifecycle management capabilities and pattern services, wherein a “pattern” provides deployment and management instructions for the business service. A pattern preferably is an XML-based definition of an infrastructure configuration required to provision and managed the various resources (e.g., compute, networking, storage, OS, middleware, and the like) for a specific application (or application-type) workload.
As security software deployments become increasingly complex, application developers are further removed from the inner workings of the security environment. As a consequence, security operations often are left to the security experts. The move to virtualization and private clouds, however, empowers application developers with more and more operational capability. Application developers then find themselves in a difficult position. In particular, when putting an application into production, the developer may not have the necessary background and context to evaluate properly the security impact and needs of his or her application. Today, application developers often work with security experts to design a strategy for secure application deployment. The security expert, however, may encounter the same problem, but from the other direction. As applications and middleware become increasingly complex and virtualized, the security expert may not fully understand the application to properly evaluate its security impact and needs.
Software applications often have complex and demanding security requirements, especially as tailored security environments are built around cloud applications. These applications may have quality-of-service type security requirements, e.g., a banking application that is required legally to use transport layer security for all communications, or relationship requirements, e.g., the banking application cannot be hosted in a same security environment with a credit card processing application, and so forth.
It is also known to provide for automated deployment and management of cloud applications. Although these approaches provide significant advantages, they do not provide the capability for an application to make a decision over its security environment, e.g., to evaluate whether the environment is sufficient for application function. The lack of application-based enforcement opens up the possibility for intentional or accidental misconfiguration of the security environment, thereby exposing the application to security risks.