Continuous Governance and Quality Control in a Next-Generation Enterprise Cloud Application Platform

July 11, 2012

By Dimitrios Kourtesis, Konstantinos Bratanis, Iraklis Paraskakis

Researchers at South-East European Research Centre, International Faculty, The University of Sheffield

Being open to third-party extensions and customizations is becoming an increasingly desirable property for software-as-a-service (SaaS) platforms. It’s also a must-have for the emergence of an ecosystem around a SaaS platform. But what kind of impact does such openness have on a platform’s stability and reliability? This is one of the questions that the Information & Knowledge Management group at the South-East European Research Centre (SEERC) has been working to answer. SEERC is a multidisciplinary research center of the University of Sheffield established in Thessaloniki by the University’s International Faculty in Greece.

In collaboration with CAS Software AG, the leading CRM expert in Germany, our team at SEERC established the CAST research project, in which we focused on creating a cloud platform supporting the development and customization of SaaS enterprise applications by third parties. To support the platform, we created methods and tools for the development, packaging and execution of enterprise applications on the CAST platform. In addition, we provided a suite of mechanisms for governing the platform and preventing threats to its integrity and performance, in the form of an integrated registry and repository system.

The CAST Registry & Repository, which we built on top of the open source WSO2 Governance Registry, lies at the center of the CAST cloud application platform, allowing us to maintain platform stability and reliability through effective governance. Following is an overview of the architectural and software decisions we made to support the development of SaaS platforms that allow for full customization and extensibility of SaaS applications, without compromising reliability and manageability.

Balancing Openness and Flexibility with Consistency

The ultimate goal of the CAST project was to deliver a commercially viable platform-as-a-service (PaaS) that not only supports the development and deployment of on-demand (SaaS) business applications, but does so in a way that makes the creation of a value network and ecosystem around the platform a logical next step. The rationale is that developers will be able to create their own business applications, combine these with existing applications being offered by the platform provider or third parties, integrate them with external systems through Web services and offer the end result as a new SaaS solution.

However, we quickly recognized the need to balance the flexibility to extend and customize cloud applications with a system for ensuring a consistent level of stability, performance and reliability. It was also important for us to ensure that managing the development and deployment process required minimal effort on the part of the platform provider.


Because third parties are out of the platform provider’s control, we needed to create and implement a mechanism that would make sure that external applications would comply with all of the platform provider’s policies and run smoothly, without stalling the platform. We also needed to prevent problematic solutions, applications and services from being deployed to the platform’s runtime infrastructure. What’s more, the mechanism had to ensure visibility over all assets in the platform and their interdependencies, keep track of the behavior of external services on which applications depend, and control the evolution of different software components. It was a challenging set of requirements.

A Model for Cloud Application Platform Governance

Our research team determined that the CAST Registry & Repository system would serve as a central location in which the entities and artifacts necessary to the operation of the CAST platform would be stored, organized, and managed throughout their lifecycle. It would also provide a space and a set of functions for enabling the effective governance of entities and artifacts from creation to retirement.

We then decided that governance would be supported by providing users, such as platform administrators and solution developers, with specialized tools designed to help in performing standard quality assurance tasks, as well as tools that allowed for the automation of various quality controls by applying conformance checking and data validation in accordance with the platform governance rules.

After extended research and debate, we determined that some of the key functions the CAST Registry & Repository would be designed to support were:

  • Central cataloging of solutions, applications, and external services, and storage of their associated artifacts in a platform-wide accessible location.
  • Versioning of managed entities and artifacts to reflect significant changes and to designate new states in development.
  • Controlling the evolution of managed entities and artifacts, by modeling lifecycle states and associating validation checks with state transitions.
  • Tracking dependencies among solutions, applications and services, and allowing for impact analysis.
  • Performing conformance checking to ensure that managed entities and artifacts comply with the platform provider’s policies.
  • Monitoring of the external Web services on which applications are dependent to ensure appropriate levels of availability and performance, considering service-level agreements (SLAs).

Selecting the Open Source Software to Build on

To evaluate products on which the CAST Registry & Repository would be built, we had two primary criteria. First, we determined that there were many best practices to be adopted from existing solutions for SOA governance. Second, we wanted to continue with the CAST research project’s theme of using open source software wherever possible.

Based on these considerations, we narrowed the search to two candidates: the WSO2 Governance Registry and Mule Galaxy. After extensive product testing, we determined that the WSO2 Governance Registry was the more mature and stable product and possessed some of the core functionality required for the CAST project, including repository, dependency tracking, lifecycle management, and handlers for triggering our validators.

Another notable benefit of the WSO2 Governance Registry was its extensible, OSGi-based architecture, which would facilitate our own development, as well as facilitate customization. We also appreciated the product’s user interface; programmatic API with SOAP for remote registry operations; and an architecture that was comprehensive, understandable and clean. All considered, WSO2 Governance Registry provided the strongest basis for our cloud application platform.

Putting the Model into Practice

Today, the WSO2 Governance Registry delivers core functionality within the CAST Registry & Repository, including cataloging and storage, policy conformance checking and lifecycle management.


The initial implementation was completed in six months. During this time, our researchers and developers were able to customize the software and add a number of extensions. These have included a new widget for displaying validation errors indicating policy violations, several policy-checking components which validate different kinds of artifacts and platform metadata against policies, a widget for displaying dependencies among solutions, applications and external services, new dashboard gadgets, new lifecycle managers, new media type handlers and filters to determine when a new software component has been added, and changes to the user interface (UI).

Because our key objective was to help the platform provider in managing the platform and mitigating the risks associated with its complexity, we also created extensions to provide insight into the shared components and services, including a dependency tracking and impact analysis gadget that provides a visual display of the chain of services. If users want to change a service, they can select that service and quickly see how many applications and solutions are affected by the change.
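
The lifecycle gating and impact analysis described above can be modeled compactly, as in the following added illustration. It is not code from the CAST project or the WSO2 Governance Registry; the `Registry` class, the state names, the SLA policy and the sample catalog are all assumptions made for the example.

```python
from collections import defaultdict

# Lifecycle states and the only transitions allowed (names are assumptions).
TRANSITIONS = {"development": "testing", "testing": "deployed", "deployed": "retired"}


class Registry:
    def __init__(self):
        self.entities = {}                   # name -> {"kind", "state", "meta"}
        self.dependents = defaultdict(set)   # name -> entities that depend on it
        self.validators = defaultdict(list)  # target state -> policy checks

    def register(self, name, kind, depends_on=(), **meta):
        self.entities[name] = {"kind": kind, "state": "development", "meta": meta}
        for dep in depends_on:
            self.dependents[dep].add(name)

    def promote(self, name):
        """Move an entity to its next state only if every policy check passes."""
        entity = self.entities[name]
        target = TRANSITIONS.get(entity["state"])
        if target is None:
            return [f"{name}: no transition from {entity['state']}"]
        errors = [msg for check in self.validators[target]
                  if (msg := check(name, entity)) is not None]
        if not errors:  # a failed check leaves the state unchanged
            entity["state"] = target
        return errors

    def impact(self, name):
        """Everything that depends on `name`, directly or transitively."""
        seen, stack = set(), [name]
        while stack:
            for dependent in self.dependents[stack.pop()]:
                if dependent not in seen:
                    seen.add(dependent)
                    stack.append(dependent)
        return seen


def require_sla(name, entity):
    # Constructed policy: an external service needs a declared SLA to be deployed.
    if entity["kind"] == "service" and "sla_ms" not in entity["meta"]:
        return f"{name}: external service has no declared SLA"


def build_sample():
    # Constructed sample catalog, not data from the CAST project.
    reg = Registry()
    reg.validators["deployed"].append(require_sla)
    reg.register("geo-lookup", "service")
    reg.register("crm-maps", "application", depends_on=["geo-lookup"])
    reg.register("field-sales", "solution", depends_on=["crm-maps"])
    return reg
```

Because validators are attached to the target state, a non-conforming third-party component stays in its current state and the list of violations is returned to the caller, which is the information a validation-error widget would display.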


Another extension is a monitoring engine that polls external services to check if they are alive, responsive and reliable. It is one of the many instances where we have taken advantage of the WSO2 Governance Registry’s support for the OSGi specification. The same OSGi container for the WSO2 Governance Registry also runs the CAST SLA monitoring engine, as well as our custom notification mechanism and logic for role-based access management. In fact, the component-based OSGi design of the WSO2 Governance Registry has made overall development easier.

Because WSO2 is 100% open source and supports open development, our researchers were able to rely on the open source community, online documentation and mailing lists to address any questions that arose during implementation.

Looking Ahead

Looking ahead, the results of the CAST project, which was co-funded by the EUREKA Eurostars program for applied research and innovation, will be fed into the development and commercial launch of a next-generation PaaS offering by CAS Software AG, the project’s coordinator, within the next couple of years.

We are truly excited to witness the impact of the CAST platform as it works to simplify the concerns of enterprises looking to provide on-demand software applications that address special business needs. In the meantime, our research group continues to work on the development of new methods and tools for improved governance and quality control in cloud service delivery platforms. The next major research topic on our agenda is continuous quality assurance and optimization in the context of cloud service brokerage. In the coming three years, we will be researching this topic in collaboration with other research institutes, universities and enterprises from around Europe.

The goal of our new project, code-named “Broker@Cloud”, is to develop a framework that will equip future cloud service intermediaries with advanced methods and mechanisms for continuous quality assurance and optimization of software-based cloud services. The framework is intended to allow enterprise cloud service brokers to monitor the obligations of providers towards consumers, as well as to detect opportunities for optimizing cloud service consumption. In developing this new framework we look forward to leveraging even more high-quality open source software components by WSO2 and others, as well as contributing back to the open source projects we build on as much as possible.

# # #

Dimitrios Kourtesis is a Research Associate at the South-East European Research Centre (SEERC) of the University of Sheffield, in Thessaloniki, Greece. He holds a BSc(Hons) in Computer Science and an MSc(Distinction) in Software Engineering and Telecommunications from the University of Sheffield, and is currently studying for a PhD in Computer Science. He is a registered Chartered Engineer, a European Engineer, and member of BCS, IEEE and ACM. He has been involved in several international collaborative research projects in Services, Cloud Computing, Software Engineering and Semantic Web technologies, and has published and served as reviewer in related conferences and journals.

Konstantinos Bratanis holds a BSc(Hons) in Computer Science from the University of Sheffield and is currently studying for a PhD in Computer Science. Before joining SEERC as a Research Associate in 2010, he worked in the software industry for several years. His research interests are in the area of Software Engineering, Service-Oriented Computing and Cloud Computing, and he has been involved in a number of related research projects. His PhD research concerns the run-time monitoring and adaptation of service-based and cloud-based applications. Konstantinos is a member of the Greek Computer Society, IEEE and ACM.

Dr Iraklis Paraskakis is a Senior Research Officer at the South-East European Research Centre, and coordinator of the Information & Knowledge Management research group. He is also Senior Lecturer in Computer Science at the University of Sheffield International Faculty, City College. He holds a PhD in Information Technology and Education from the Open University (UK), and an MSc in Analysis, Design and Management of Information Systems from London School of Economics. His research interests are in educational informatics, information systems, and knowledge management. He has a number of publications in related conferences and journals, and has participated in several successfully completed and on-going projects in these areas.
