Daily Cloud Feed - Aug 31, 2008

August 31st, 2008 | by daily | No Comments | Tags: |

This post is a daily aggregation of all news links from @onsaas. This post is automatically generated every day at 11:45 PM UTC.

Where did the Computer Go? Computing in the Cloud.

Enterprises Looking to the Clouds, Dell Says

Hello, AT&T? Can You Clean Up My Desktop Icons?

SaaS Doubts Boost Remote Infrastructure Services

Bill Gates High on Cloud Storage

Elements of a Cloud Oriented Architecture

The Key Advantage of Cloud Computing is Portability

Enterprise Cloud Computing: Five Key Challenges

At&t to Sell Cloud Computing to Corporate Customers

What Happens When Software CEOs Refuse to Accept Change

Virtual Desktops as a Broadband Service

SharePoint List Web Part for Microsoft Dynamics CRM 4.0

Web Hosted Content Management Solution Updated, at Ingeniux

Coming Soon, PC as a Service over Broadband

Why Google Apps Hasn’t Taken Off in Large Enterprises

Podcast: Towards Cloud Computing with Sun Grid Engine 6.2

Comment on ‘Cloud Computing’ is Ready for Enterprise Prime Time …

CentRealTech Names Dennis Evans as Chief Financial Officer

Coming Soon: PC-as-a-Service over Broadband

Daily Cloud Feed - Aug 30, 2008

August 31st, 2008 | by daily | No Comments | Tags: |

SaaS Doubts Boost Remote Infrastructure Services (Information Week)

hSenid: HR SaaS and outsourcing in tandem

The Rise of Cloud Platforms and Why the OS Doesn’t Matter

August 28th, 2008 | by Jian Zhen | 2 Comments | Tags: , |

Platform-as-a-Service (PaaS) is one of the buzzwords that’s mentioned often in the cloud computing space. I’ve written a blog post describing IaaS, PaaS and SaaS. In short, PaaS is a platform for delivering applications, similar to a pre-built system with hardware, OS and application stack all built in. In the PaaS case, this system is hosted. All you have to do is “upload” the application code and it should take care of the executing and scaling of it.

A quick survey of the land (by no means comprehensive, I am also including ONLY application platforms, not service-specific platforms such as DabbleDB) shows that there’s a plethora of PaaS players out there, each with their own target audience. Some provide more of a raw execution platform, some provide a full suite of tools for creating applications online. Unfortunately, most of these vendor approaches will lock you into their proprietary platform. If you ever want to move to another platform, you have to rewrite at least a portion of code using the new vendor’s API. Phil Wainewright has written about this in his blog post “A plethora of PaaS options.”

Company | Application Type
Bungee Labs | Web applications
Coghead | Web applications
Google App Engine | Python web applications
LongJump | Business applications
NetSuite NS-BOS | Business applications
Ning | Social networking applications
Joyent | Web applications
Mosso | Web applications
Rollbase | Business applications
Salesforce Force.com | Business applications

In one of the CloudCamp SF sessions in July, one of the guys from Microsoft asked whether the OS matters in cloud computing. My answer to that was it depends on the type of application. If it’s a web centric application that has a web front end, uses a database for storage, and doesn’t use any of the low level file IO, then really there’s no need to know what the OS is. In that case, the OS doesn’t matter.

All these vendors have targeted applications that are delivered over the web, and almost all of the vendors listed above try to abstract the OS from the developers so that they don’t have to worry about the underlying infrastructure. As Mosso’s slogan claims, “Code, load and go.”

Cloud computing is still in its infancy; however, as it matures, cloud providers will move upmarket to provide additional business value to customers. We will see cloud application platforms rise on the horizon. Specifically, we will see more domain-specific cloud platforms for different verticals or application types. For example, I can imagine there are developers working on an MMORPG cloud platform (maybe it’s here already if you consider Metaplace to be that) that will provide execution and management (of virtual goods, zones, accounts) for MMO developers; or a data analytics cloud platform that provides all the basic OLAP functions.

Will BGP and DNS Exploits Affect the Future of Cloud Computing?

August 28th, 2008 | by Jian Zhen | No Comments | Tags: , |

Recently we seem to be hearing about more and more security exploits aimed at core Internet protocols. In July, Dan Kaminsky revealed a critical exploit aimed at the DNS protocol.

A couple of days ago “[t]wo security researchers have demonstrated a new technique to stealthily intercept internet traffic on a scale previously presumed to be unavailable to anyone outside of intelligence agencies like the National Security Agency.” See Revealed: The Internet’s Biggest Security Hole | Threat Level from Wired.com for more detailed reporting.

According to Wired.com,

The tactic exploits the internet routing protocol BGP (Border Gateway Protocol) to let an attacker surreptitiously monitor unencrypted internet traffic anywhere in the world, and even modify it before it reaches its destination.

. . .

Anyone with a BGP router (ISPs, large corporations or anyone with space at a carrier hotel) could intercept data headed to a target IP address or group of addresses. The attack intercepts only traffic headed to target addresses, not from them, and it can’t always vacuum in traffic within a network — say, from one AT&T customer to another.

The clever trick the researchers have done is to

use a method called AS path prepending that causes a select number of BGP routers to reject their deceptive advertisement. They then use these ASes to forward the stolen data to its rightful recipients.

All these core protocol exploits have a direct impact on cloud computing, as the nature of cloud computing is that computing will happen out there on the Internet somewhere. According to the article,

The method conceivably could be used for corporate espionage, nation-state spying or even by intelligence agencies looking to mine internet data without needing the cooperation of ISPs.

Cloud Computing Terms

August 28th, 2008 | by Jian Zhen | No Comments | Tags: |

Geva Perry put together a list of cloud computing terms that folks have been using over at Thinking Out Cloud: Cloud Computing Terminology. It’s a great list and he also referenced the blogs where the terms were found.

So far he’s got:

  • Cloudburst (both negative and positive use)
  • Cloudstorming
  • Vertical Cloud
  • Private Cloud
  • Internal Cloud
  • Hybrid Cloud
  • Cloudware
  • External Cloud
  • Public Cloud
  • Cloud Provider
  • Cloud Enabler
  • Cloud-oriented Architecture
  • Cloud Service Architecture
  • Virtual Private Cloud
  • Cloudsourcing

Going to ICE Summit in Vegas (9/18)

August 28th, 2008 | by Jian Zhen | No Comments | Tags: |

Hi all,

I am going to be making a day trip out to Vegas for The 451 Group’s ICE Summit in September. Would love to meet up with some of you if you are going to be there for either VMWorld or the ICE Summit. Email me at onsaas -at- gmail if you are interested in connecting.

Thanks and looking forward to it!

Response to “Assessing the Security Benefits of Cloud Computing”

August 27th, 2008 | by Jian Zhen | 2 Comments | Tags: , |

Craig Balding from Cloud Security wrote an interesting piece on the security benefits of cloud computing back in July (that I just now got to read.) Craig qualified the post as potential security benefits of Cloud Computing.

After reading through it, I felt compelled to respond, even though it’s been over a month since the post went up. Craig mentioned he won’t talk about the “flip” side of these benefits in this post, so I figure I will do that. :) I have only quoted the headers from Craig’s article so please refer to the original article for all the details.

Overall, Craig has made a good list of potential benefits. However, we really need to distinguish the benefits of virtualization vs cloud computing. Many of the benefits listed here are really benefits of virtualization and not cloud computing. When I read the title, I was hoping to read about how the cloud could be more secure than enterprise environments. I think this list has a mix of that, and how enterprise could use the cloud for some security use cases. That’s fine but mixing them together can be misleading.

1. Centralised Data

  • Reduced Data Leakage

    As Craig said, “this is the benefit I hear most from Cloud providers”. Unfortunately I have to disagree with Craig here. In my view, the cloud providers are dead wrong about this one. Many of the cloud providers talk about laptops or backup tapes being stolen as the biggest threat to data leakage, and they are right about that. However, having enterprise data stored in the cloud doesn’t reduce these risks one bit. Travelers will continue to copy data to their laptops as they need to access them while on the road. Old habits die hard. Enterprises will continue to back up data to tapes because they can’t simply rely on cloud providers to back up their data. These will still happen no matter where the data is stored.

    In fact, there likely will be an increased chance of data leakage by using cloud computing because now the cloud providers will have to somehow back up their data (maybe on tape!!)

  • Monitoring benefits

    Most enterprises, probably including the one Craig works for, have centralized file servers, content management systems, etc etc. However, we continue to see problems with data leakage. Having data stored in clouds is not all that different than storing on centralized corporate file servers. Centralized storage and monitoring is not an advantage for clouds. Enterprises had centralized storage/archiving solutions for years.

    In my opinion, cloud storage makes it even tougher to monitor data leakage. Think about the tools available to monitor enterprise file servers. Many of them monitor all types of access: read, write, via CIFS/NFS/etc, via local system. How do you do all of that in the cloud? Think S3: the only thing S3 provides you is HTTP access logs. You have no way of knowing who else viewed your files if it’s done locally, for example.

2. Incident Response / Forensics

  • Forensic readiness

    To a certain extent this benefit is real. However, it’s not a cloud-only benefit. You get the same benefit by simply doing virtualization on your infrastructure. VMware allows you to easily clone an image so that you can perform whatever analysis is needed on the image instead of the original virtual machine. Same as Xen.

    However, think about the cases where forensics requires a physical hard disk scan in case the attacker has “rm” the “bad stuff” such as audit trails or a rootkit. You now have NO WAY of getting to that in a virtualized environment. Granted, this is probably an issue with any network/SAN attached storage.

  • Decrease evidence acquisition time

    Same as above, it’s not a cloud-exclusive benefit. It’s simply a benefit of virtualization. The only real benefit of the cloud, as mentioned by Craig, is not having to “find” storage. Though I would say that’s the least of your worries if there’s a real attack that happened.

  • Eliminate or reduce service downtime

    First, if the server/VM is truly “0wn3d”, I am not sure you want to keep that system up and running. You may want to bring a good copy of the VM up and run that instead. (or just go back to a previous good snapshot.)

    Second, with the cloud, you don’t even have a CHOICE of using a physical acquisition toolkit. So I am not so sure that’s a benefit. :)

  • Decrease evidence transfer time

    Again, not a real benefit of the cloud. First, bit-by-bit copies of the VM in the cloud still take time, just as they would in the real world. Second, this benefit can also be realized as part of the internal VM infrastructure, not cloud-exclusive.

  • Eliminate forensic image verification time

    Ok, so this is a minor benefit, but not a security benefit of the cloud. It’s more about the performance and scalability of the cloud.

  • Decrease time to access protected documents

    Both this and the next benefit are really about the elasticity and scalability of the clouds and not security.

3. Password assurance testing (aka cracking)

  • Decrease password cracking time

    Same as above, this is about the benefits of elasticity and scalability, not security.

  • Keep cracking activities to dedicated machines

    Same as above, this is about the benefits of elasticity and scalability, not security.

4. Logging

  • ‘Unlimited’, pay per drink storage
  • Improve log indexing and search
  • Getting compliant with Extended logging

Ok, this is about the utility and scalability of the cloud. Not a cloud security benefit. It’s about using the cloud for security tasks.

5. Improve the state of security software (performance)

  • Drive vendors to create more efficient security software

    I believe this is true for even software on dedicated machines. Not cloud-exclusive.

6. Secure builds

  • Pre-hardened, change control builds

    This I agree with. Having pre-built images that are secure from the start is a HUGE benefit. Though it’s a benefit of virtualization and virtual machines, not cloud-exclusive.

  • Reduce exposure through patching offline

    I don’t understand this one. Once the VM is running in production, I can imagine taking that down to do patching. You would have to manage the patching process like any other machine, no?

    Now image templates can be updated with patches so if new machines are started, they are pre-patched.

  • Easier to test impact of security changes

    Again I agree. However, it’s still the benefit of virtualization, not necessarily cloud-exclusive.

7. Security Testing

  • Reduce cost of testing security:

    Agreed. It’s a side benefit of economies of scale.

Private Cloud Links

August 24th, 2008 | by Jian Zhen | No Comments | |

Doing some research on private clouds. Here’s the list of links I delicious’ed.

Challenges of Enterprise Cloud Computing

August 23rd, 2008 | by Jian Zhen | 1 Comment | Tags: , , , , , |

Today, the use of cloud computing by enterprises is still in its infancy (heck, the whole cloud computing space is in its infancy). Most enterprises use cloud computing for testing, development and other peripheral tasks. However, few, if any, are using the clouds for production use. This is fairly similar to the virtualization space, where early uses of virtualization technology were for testing and development. Ten years later, we are seeing more and more enterprises adopt virtualization for production use, and virtualization has become mainstream.

In the past month or so I have talked to a lot of people in the cloud computing and virtualization space. Many of these folks are working at/on startups that solve one of the many challenges for Enterprise cloud computing. What are these challenges? I have tried to summarize them here (in no particular order).

Data Governance

I’ve written extensively about the need for data governance in previous posts. In essence, enterprises have a ton of sensitive data that requires access monitoring and protection. Data (and information generated from the data) is the lifeblood of many enterprises; the loss of control will not be acceptable. Whole markets (read: DLP) are created to protect the enterprise data and information. On top of all that, enterprises must comply with many of the regulations that require data governance. By moving the data into the cloud, enterprises, for now, will lose some capabilities to govern their own data set. They would have to rely on the service providers to guarantee the safety of their data.

I hate to invoke the ILM acronym but much of data governance is about

  • Creation and Receipt
  • Distribution
  • Use
  • Maintenance
  • Disposition

So who’s tackling this problem? As far as I know, nobody is and nobody really can except for the service providers themselves. It is really up to the service providers such as Amazon, Google and Salesforce to provide guarantees that customer data is safe and access to data is restricted and protected.

Manageability

There are some great IaaS/PaaS out there, including Amazon’s web services (S3, EC2, EBS, etc), Google’s App Engine, Salesforce’s Force.com, Joyent, etc. However, most of these are raw infrastructures and platforms that do not have great management capabilities. This is not unusual. Throughout computing history, raw capabilities will generally appear on the market first, then management of these raw capabilities becomes a differentiator when competition heats up. Just look at the blade server and virtualization spaces, as these are great examples of that trend. The hypervisor was the key technology that enabled enterprise virtualization; however, that piece is now being given away (see VMware’s ESXi) and management capabilities become the main differentiator.

Cloud computing is no different. An example of missing management capabilities for cloud infrastructures is auto-scaling. Amazon EC2 claims to be elastic; however, it really means that it has the potential to be elastic. Amazon EC2 will not automatically scale your application as your server becomes heavily loaded. It is still up to the developer to manage that scalability problem.

So who’s tackling this problem? Many startups have recognized the need for management early on and have built management capabilities on top of the existing cloud infrastructure/platforms. RightScale is one of the early pioneers in this space. Their solution solves many of the management issues such as auto-scaling and load balancing.

Monitoring

Monitoring, whether it is for performance or availability, is critical to any IT shop. We are not talking about just how much CPU or memory the machines are using. We are talking about performance of transactions and disk IO and others. CPU and memory usage are misleading most of the time in virtual environments. The only real measurement is how long your transactions are taking and how much latency there is. According to High Availability’s article on latency:

Amazon found every 100ms of latency cost them 1% in sales. Google found an extra .5 seconds in search page generation time dropped traffic by 20%. A broker could lose $4 million in revenues per millisecond if their electronic trading platform is 5 milliseconds behind the competition.

So who’s tackling this problem? Hypernic’s CloudStatus is one of the first to recognize this issue and developed a solution for it. They started with monitoring of Amazon’s web services, then recently added monitoring for Google App Engine. In addition, RightScale’s solution can also provide monitoring for the virtual machines under their management.

Reliability and Availability

I won’t beat the dead “Gmail down, EC2 down, etc down” horse here. But the truth of the matter is enterprises today cannot reasonably rely on the cloud infrastructures/platforms to run their business. There are almost no SLAs provided by the cloud providers today. Even Jeff Barr from Amazon said that AWS only provides an SLA for their S3 service. I haven’t researched the SLA issue so not sure how true that is. But if it’s true, I think this will be one of the biggest factors, if not the biggest factor, in enterprise adoption. Can you imagine enterprises signing up for cloud computing contracts without SLAs clearly defined? It’s like going to host their business critical infrastructure in a data center that doesn’t have a clearly defined SLA.

We all know that SLAs really don’t buy you much. In most cases, enterprises get refunded for the amount of time that the network was down. No SLA will cover business loss. However, as one of the CSOs I met said, it’s about risk transfer. As long as there’s a defined SLA on paper, when the network/site goes down, they can go after somebody. If there’s no SLA, it will be the CIO/CSO’s head that’s on the chopping block.

So who’s tackling this problem? Well, again, no one is today as far as I know. Maybe some startup will come up with a clever idea to provide SLAs as a third party vendor (read: cloud insurance.) Or maybe the cloud providers will grow/wake up and actually do something to encourage the enterprise adoption.

Virtualization Security

Security is a huge area that encompasses many different things, including the standard enterprise security policies on access control, activity monitoring, patch management, etc. On top of that, virtualization security is something that most enterprises are just starting to grasp but don’t fully understand. Many IT people still believe that the hypervisor and virtual machines are safe. Recent presentations at Black Hat have demonstrated that we shouldn’t sleep so tight at night. As IT shops get more educated on the virtualization security issues, it will become one of the factors they will consider when they move into the cloud. Access control and monitoring of the virtual infrastructure will be on top of their mind.

So who’s tackling this problem? There are quite a few startups like Reflex, Blue Lane and Catbird that are creating privileged VAs that claim to protect the VAs running on VMware’s ESX servers. However, make sure you research the performance of these solutions before adopting one of them. Other startups (unnamed) are creating interesting solutions for protecting the actual virtual infrastructure itself, e.g., how do you protect and monitor access to the ESX servers? How do you control and monitor the movement of virtual machines using live migration or VMotion?

Cloud computing is here to stay. It will be the next big wave and will be adopted by enterprises. However, the industry as a whole needs to answer some of these challenges and ease the enterprises’ concerns.

Other interesting reads for Enterprise Cloud Computing are:

I’m Out of That Game

August 4th, 2008 | by mucha | 2 Comments | |

Greetings from Covelong Beach in Chennai, where I will be sitting for the next 6 hours or so. *

Reading Sam Johnston’s piece on the future of cloud computing, I came to a resolution:

I don’t care what the definition of “cloud computing” is.

First, we’re operating under an aspect of “you don’t predict the future, you build it.” Better to wait 5 years and ask what the definition is then, rather than spend the next 5 years fretting about it.

Second, definitions from the blogosphere and marketingland don’t solve enterprise and startup and consumer use cases. Taking a security example, saying “AWS is secure” or “AWS is not secure” or “AWS is HIPAA-compliant” is meaningless until it’s tied to a very specific problem/solution set. Secure against what, particularly?

The idea is that companies will have services which correspond neatly to the definitions, at which point your choices are simple and you happily start generating purchase orders, or reach for your credit card, as the case may be. But how will you tell from such a surface view which companies will actually meet your needs from the 85 others who will ultimately plaster their marketspeak with the appearance that they do the same thing as the companies that really can meet your needs?

The devil is in the details. Or the use cases, as it were.

In theory, the definition-forging process will help guide the way in the actual “building the future” process, but what I’ve seen so far has been far too muddy to be widely useful. It’s useful to give yourself something to talk about over hors d’oeuvres at a cloud computing event, but after that…

PS…not an attack on Sam’s post…just got me thinking…although I perhaps didn’t like his use of monkey analogy…

* Note to self, the next time that a previously subdued spike in craving for American food breaks over the wall and you reach for the bag of otherwise not-so-tasty Lays potato chips in the minibar fridge, you may want to check the bag to see whether said comfort food was even made in the US, and not, oh, Village Channo, Patiala, Sangrur Road, Bhawanigarh, Distt. Sangrur, Punjab. Not that I could tell a taste difference, rather it’s a matter of principle perhaps akin to the Japanese banning rice imports.