Software as a Service

© 2010 Ariba, Inc. All rights reserved. The contents of this document are confidential and proprietary information of Ariba, Inc.

Software as a ServiceChallenges and solutions

Sathya Narayana Panduranga

© 2010 Ariba, Inc. All rights reserved. The contents of this document are confidential and proprietary information of Ariba, Inc. 2

The hype…

Ariba puts cloud at center of five-year vision

Forrester's Advice to CFOs: Embrace Cloud Computing to Cut Costs

Gartner Sees Great SAAS Enterprise App Growth Despite Downturn

Venture capitalists eye SaaS companies Google Versus Microsoft: The Fight for

the Future of Cloud Computing Salesforce.com Unveils Force.com Cloud

Computing Architecture Oracle CEO Larry Ellison Spits on Cloud

Computing Hype


What is SAAS (software as a service)?

Application Hosted as a Service (requires no or few tech staff at customer premises)

The service is accessible over Internet (Anywhere anytime)

Usually subscription based billing model (pay as you go)

Centralized software updates No up-front cost (CapEx) to customers Most successful ones use Cloud

Computing infrastructure


Opportunities

Ability to target global markets Ability to serve the long tail Can offer ‘try before you buy’ to attract

customers Can build software on preferred platform

/ technology stack Version management hassles are

reduced Software upgrades and fixes need not

be a nightmare to you or your customers


Architectural Challenges

Scalability (remember, the world is our market place) Resource usage should be frugal Resource usage should increase predictably

with load Application architecture should support

scaling out High Availability (reliability)

Fault tolerance (Recoverability from failure) Graceful degradation under load True multi-tenancy


Architecture challenges continued…

Application Responsiveness (Latency) Improve user experience through thicker

client Parallelize computationally intensive

processing Reduce data latency by querying/updating

smaller sets

Manageability (deployment & monitoring) Centralized deployment/node management Failure detection and mitigation Diagnostics


Architecture challenges continued…

Security Intrusion prevention Web App Security Data security

Multi-tenancy (customizability) User interface Work flows Data model Authentication


Lessons learnt by the SaaS providers over the years…

No single magic bullet (approach) to solving all the challenges.


Use component based architectures

Advantages:ModularityLoose couplingProgram to an interfaceEasier to maintain and scale


Partition Database

Functional segmentation Example: Items data separate from User data

Horizontal split Example: Segment data based on range of a primary

access key (customer id 1-10000 separate from 10001-20000)

Abstract segmentation logic from business logic through an intermediate layer (Data access layer)

Advantages: Each module can scale independently Can isolate failures Can use inexpensive hardware for modules with

lighter load Security vulnerability can be isolated


Segment 1

Segment 2

Segment 3

DAL

Segment 1 backup

Segment 2backup

Segment 3backup

App Server

Comp 1

Comp 2

Data Partitioning illustration


Minimize DB Transactions

No all-encompassing/distributed transactions

Auto-commit for most DB writes Complex DB operations to be done

through PL/SQL at the DB layer Advantages

Avoids wait-on-locks Maximizes update performance DB connections can be multiplexed leading

to better application performance


Partition Application modules

Segment application based on modules Example: search deployed independently

from inventory Segment application horizontally

Example: base services, business logic and Web UI deployed independently

Advantages: Modules can scale independently Standard load balancers can be used

between modules Minimizes resource dependencies


Little or no session state in web application

Session state is memory consuming Session affinity needs to be taken care of in

the load balancer Transient session state can be maintained

through a combination of cookies and in-memory database Example MemCached (see next slide)

If session state is maintained, cleanup frequently and as early as possible

Advantages: Allows clean modular segmentation Higher scalability Help user move easily between independently

deployed applications (Ex: search to inventory)


MemCached illustration

Memory cache shared and addressable from distributed servers

Advantages Expanded memory Data can be stored and accessed from any server

(including non participating ones) Fault tolerance (if one or more servers fail, very less

impact)

Users include Wikipedia, Flickr, Twitter, LiveJournal, YouTube etc.


Move as much processing as possible to asynchronous flows Integrate disparate components asynchronously Requires Message Queue infrastructure (JMS, Websphere MQ etc) Programming models: Point-to-point, Publish-subscribe

Example (P2P): Catalog search request is posted in the queue by the web application to the

search component. Search request is processed by the search component in the order it arrived The results are posted back to the queue or a temporary table Web application displays this result upon refresh

Example (PubSub): Addition of a new catalog item triggers and event. Subscribers of the event asynchronously take care of Rebuilding search index. Logging the activity

Advantages: Graceful degradation upon load Can decouple availability state Can retry operations


Search UI Search Engine

Search UISearch Engine

Req Queue

Res Queue

Id: 1Term: xyz

CatalogCatalog UIAdd item

Index Builder Activity Logger

PublishEvent: Add

Subscribers

Point to point

Publish-Subscribe

Messaging

Models

illustration


Scheduled batch processing

Move infrequent, periodic or scheduled processing out of the application flow

For example: Rebuilding search indices Purging deleted items from the catalog


Adaptive configuration

System should be able to adapt to changing load, processing time etc

Can change the number of nodes, processor threads …

Load can be measured using message queue length or average query execution times …


Failure detection

Central LAM (logs, alarms and metrics) collection

Actively (if possible asynchronously) log requests, application activity and exceptions

Real time application performance monitoring and alerts management

Buffered disc writes will allow the LAM to scale


Failure mitigation

Assume everything will fail (network, disc, database, message queue, nodes, third party services)

Detect failure at the earliest and raise alarm Try to recover from failure and retry finite number of

times Log everything (application activity, data size,

exception) Application operations should always timeout and raise

alerts Example: search query didn’t return results for 5 seconds

should • timeout• raise an alarm• Try backup resource


Have roll-out and roll-back plans

One deployment will affect everyone Make sure that every change made

during roll-out can be rolled back Have a roll-back plan so that the

application can be brought back to the previous deployment state easily

Have feature level switches to turn on/off Can be a face saver


Multi-tenancy support (Customizability)

Support URL based/URL parameter based UI style customization In addition, time-zone, language and user

agent can be detected and used for customization

Support plug-in based architecture to customize complex processing logic and custom authentication support

Support for mixed mode DB schema for customizability mostly the same DB schema for everyone +

custom tables for the ones who want to customize


Build with security in mind

Strong input validation on client and server side

Detect SQL/Javascript injection patterns (signature) for better security

Throttle connect requests from the same IP address to prevent denial-of service attacks

Escape data output to prevent Javascript injection

Access to database should not be allowed from outside

Use SSL to communicate between different components over the network


Test for security: Web App Vulnerability Analysis tools

Example: Google SkipFish tool for testing

SQL injection Shell command injection Javascript injection Integer overflow XSS (cross site scripting) Denial of service attack


In addition……..

Simplified provisioning and self-service drives down costs

Usability will make or break the product Users are touchy about security and

privacy Scalability separates the wheat from the

chaff Customers look to reduce the cost of

operations through SaaS Customizability increases the chances

for success


Using Cloud Computing Infrastructure


What is Cloud Computing

Computing using cloud infrastructure (Potentially unlimited) pool of

computing resources offered by a vendor typically using a subscription model for each unit of resource

Virtualized infrastructure Shared, multi-tenant environment


The evolution…


Cloud Computing Platforms (or IaaS / PaaS)

Microsoft Windows Azure Services Amazon EC2 (Elastic Computing Cloud),

S3 (Simple Storage Service) Salesforce’ Force.com cloud Google’s App Engine IBM Blue Cloud VMware vCloud Express Your own…..


Using cloud-computing for Scaling

Dynamically scale up/down the number of instances Based on load Based on required parallelism (to get things done

faster)


For High Performance Computing (parallel processing)

Popular algorithm Map-Reduce Popular platforms: Apache Hadoop,

Amazon Elastic map-reduce


For Storage

Dynamically scale the size of data-store Distributed databases (NOSQL) can be

used for high update frequency. Popular one: Cassandra (used by Facebook)


Takeaways

SAAS requires: Scalability Multi-tenancy High-availability Responsiveness Fault-tolerance Security Manageability Cost-effectiveness


Questions

Software as a Service

Technology

Transcript of Software as a Service