Tag Archives: cloud computing

Amazon’s Mensis Horribilis

Hot on the heels of Amazon Web Service’s prolonged outage late last month, Bloomberg has revealed that hackers used AWS as a launch pad for their high profile attack against Sony. In a thousand blogs and a million tweets, the Internets have been set abuzz with attention-seeking speculation about reliability and trust in the cloud. It’s a shame, because while these events are noteworthy, in the greater scheme of things they don’t mean much.

Few technologies are spared a difficult birth. But over time, with continuous refinement, they can become tremendously safe and reliable, something I’m reminded of every time I step on an airplane. It never ceases to amaze me how well the global aviation system operates. Yes, this has it’s failures—and these can be devastating; but overall the system works and we can place our trust in it. This is governance and management and engineering working at the highest levels.

Amazon has been remarkably candid about what happened during their service disruption, and it’s clear they have learned much from the incident. They are changing process, refining technology, and being uncharacteristically transparent about the event. This is the right thing to do, and it should actually give us confidence. The Amazon disruption won’t be the last service failure in the cloud, and I still believe that any enterprise with reliability concerns should deploy Cloud Service Broker (CSB) technologies. But the cloud needs failure to get better—and it is getting better.

In a similar vein, overreacting over the Sony incident is to miss what actually took place. The only cloud attribute the hackers leveraged on Amazon was convenience. This attack could have been launched from anywhere; Amazon simply provided barrier-free access to a compute platform, which is the point of cloud computing. It would be unfortunate if organizations began to blacklist general connections originating from the Amazon AWS IP range, as they already do for email originating in this domain because of an historical association with spam.  In truth this is another example of refinement by cloud providers, as effective policy control in Amazon’s data centers have now largely brought spam under control.

Negative impressions come easy in technology, and these are hard to reverse. Let’s hope that these incidents are recognized for what they are, rather than indicators of a fundamental flaw in cloud computing.

NIST Seeks Public Input On New Cloud Computing Guide

What is the cloud, really? Never before have we had a technology that suffers so greatly from such a completely ambiguous name. Gartner Research VP Paolo Malinverno has observed that most organizations define cloud as any application operating outside their own data centre. This is probably as lucid a definition as any I’ve heard.

More formalized attempts to describe cloud rapidly turn into essays that attempt to bridge the abstract with the very specific, and in doing seem to miss the cloud for the clouds. Certainly the most effective comprehensive definition has come from the National Institute of Standards and Technology (NIST), and most of us in the cloud community have fallen back to this most authoritative reference when clarity is important.

Now is our chance to give back to NIST. To define cloud is to accept a task that will likely never end, and the standards boffins have been working hard to continually refine their work. They’ve asked for public comment, and I would encourage everyone to review their latest draft of the Cloud Computing Synopsis and Recommendations. This new publication builds on the basic definitions offered by NIST in the past, and at around 84 pages, it dives deep into the opportunities and issues surrounding SaaS, IaaS, and PaaS. There is good material here, and with community input it can become even better.

You have until June 13, 2011 to respond.

Layer 7 to Demonstrate Cloud Network Elasticity at TMForum Management World in Dublin

I’ll be at the TMForum Management World show this May 23-26, 2011 in Dublin, Ireland to participate in the catalyst demonstrating cloud network elasticity, which is sponsored by Deutsche Telekom and the Commonwealth Bank of Australia. For those of you not yet familiar with TMForum, it is (from their web site) “the world’s leading industry association focused on enabling best-in-class IT for service providers in the communications, media, defense and cloud service markets.” We’ve been involved with the TMForum for a couple of years, and this show in Dublin is going to showcase some major breakthroughs in practical cloud computing.

TMForum offers catalysts as solution proof-of-concepts. A catalyst involves a number of vendors which partner together to demonstrate an end-to-end solution to a real problem faced by telco providers or the defense industry. This year, we’re working closely with Infonova, Zimory, and Ciena to showcase a cloud-in-a-box environment that features elastic scaling of compute resources and network bandwidth on-demand, all of which is fully integrated with an automated billing system.We think this solution will be a significant game-changer in the cloud infrastructure marketplace, and Layer 7’s CloudControl product is a part of this solution. CloudControl plays a crucial role in managing the RESTful APIs that tie together each vendor’s components.

What excites me about this catalyst is that it assembles best-of-breed vendors from the telco sector to create a truly practical elastic cloud. Zimoury contributes the management layer that transforms simple virtualized environments into clouds. We couple this with Ciena’s on-demand network bandwidth solutions, allowing users to acquire guaranteed communications capacity when they need it. Too often clouds elasticity starts and stops with CPU. Ciena’s technology ensures that the network resource factors into the elastic value proposition.

The front end is driven by Zimory’s BSS system, ensuring that all user actions are managed under a provider-grade billing framework. And finally, Layer 7’s CloudControl operates as the glue in the middle to add security and auditing, integrate disparate APIs, and provide application-layer visibility into all of the communications between different infrastructure components.

Layer 7's CloudControl acts as API glue between cloud infrastructure components.

I hope you can join me at TMForum Management World this month. We will be giving live demonstrations of the elastic cloud under real world scenarios given to us by Deutsche Telekom and Commonwealth Bank. This promises to be a very interesting show.

VMware’s Cloud Foundry Ushers In The Era Of Open PaaS

Mention VMware to anyone in IT and their immediate thought is virtualization. So dominant is the company in this space that the very word VM has a sense of ambiguity about it: does it refer specifically to a vmdk, or another hypervisor image like Xen? As with Kool-Aid and Band-Aid, there is nothing better for a company than to contribute a word to the English lexicon, and while VMware may not completely own virtual machine, they command enough association to get passed the doorman of that enviable club.

Strong associations however, may not translate directly into revenue. From open source Xen to Microsoft’s Hyper-V, virtualization technology is rapidly commoditizing, a threat not lost on VMware. Hypervisors are now largely free, and much of the company’s continued success derives from the sophisticated management products that make mass virtualization a tractable challenge in the enterprise. But for every OpenView, there is ultimately a Nagios to content with, so the successful company is always innovating. VMware, a very successful company, is innovating by continuing its push up the stack.

Last week VMware introduced Cloud Foundry, an open Platform-as-a-Service product that represents an important step to transform the company into a dominant PaaS player. You don’t have to read any tea leaves to see this has been their focused strategy for some time; you just have to look at their acquisitions. SpringSource for Java frameworks; RabbitMQ for queuing; Gemstone for scalable, distributed persistence; and Hyperic to manage it all—it’s basically the modern developer’s shopping list of necessary application infrastructure. The only thing they are still missing is security.

Cloud Foundry assembles some components of this technology in a package that enables developers to skip the once-necessary evil of infrastructure integration and to instead concentrate fully on the business problems they’ve been tasked to solve. It is a carefully curated stack of cloud-centric frameworks and infrastructure made available by a cloud provider as a service. Right now, you can use Cloud Foundry in VMware-managed cloud; but the basic offering is available for any cloud, public or private. Applications should be easily portable between any instance of Cloud Foundry. VMware even promises a forthcoming micro-cloud VM, which makes any developer’s laptop into a cloud development environment.

All of this reduces friction in application development. Computing is full of barriers, and we often fall into the psychological trap of perceiving these to be bigger than they actually are. Barriers are the enemy of agile, and basic infrastructure is a barrier that too often saps the energy out of a new idea before it has a chance to grow. Make the plumbing available, make it simple to use, and half the battle for new apps is over. What’s left is just fun.

Cloud Foundry is important because it’s like a more open Azure. Microsoft deserves credit for keeping the PaaS dream alive with their own offering, but Azure suffers from a sense of lock-in, and it really only speaks to the Microsoft community. Plus the Microsoft ad campaign for cloud is so nauseating it might as well be bottled as a developer repellant for people who hate geeks.

Cloud Foundry, in contrast, goes far to establish its claim to openness. It references the recently announced Cloud Developer’s Bill of Rights, another initiative spearheaded by VMware. Despite being a Java-head myself, I was encouraged to learn that Cloud Foundry offered not just Spring, but Ruby on Rails, Sinatra for Ruby and Node.js. They also support Grails, as well as other frameworks based on the JVM. Persistence is handled by MySQL, MongoDB, or the Redis database, which is a decent range of options. So while VMware has’t quite opened up all their acquisition portfolio to the cloud community, they have assembled the critical pieces and seem genuine in their goal of erasing the stigma of lock-in that has tarnished previous commercial PaaS offerings.

I’m a fan of PaaS; I’m even a member of the club that believes that of the big three *-as-a-Services, PaaS is destined to be the dominant pattern. Managing and configuring infrastructure is, in my mind, pretty much on par with actually managing systems—a task I consider even less rewarding than shoveling manure. And I’m not alone in this opinion either. Once PaaS becomes open and trustworthy, it will be an automatic choice for most development. PaaS is the future of cloud, and VMware knows this.

No More Iron in the Cloud

Iron Mountain, the well known information management company, is exiting the cloud storage business. The company announced yesterday that they will be phasing out their basic cloud storage services by 2013. Iron Mountain isn’t the first provider to turn its back on the cloud just as the space is getting off of the ground; but it is probably the most high profile company to exit this business.

I’ve always liked Iron Mountain because the name makes me think of the Hobbit (remember Dain of the Iron Hills?) In fact I think that Iron Mountain is one of the all time great company names, and their marketing group deserves credit for leveraging this to build a very strong brand around what is arguably a pretty dull and conventional service—that of records management. The extension of this brand into the cloud seemed obvious and fitting, so at first blush its disappointing that they’ve made a decision to reverse course.

In reality though, it seems that Iron Mountain is performing more of a realignment of its cloud strategy. Simple cloud-based storage is just not very hard to do, and so the field is rapidly becoming as crowded as the battle of five armies. Differentiation is the key to great brands, and its hard to standout from S3 or Carbonite or Mozy or any of the dozens of providers peddling mass storage services in the cloud. Iron Mountain seemed to recognize that their brand could be better served—that is, both leveraged and protected—by ducking out of the commodity bazaar and moving up the street to provide a more specialized and business-aligned service.

This is all very interesting because over the next few years we will see that brand—that most mysterious response in the consumer’s mind—is going to be the deciding factor that makes or breaks a cloud provider’s success. And as Amazon has demonstrated, cloud branding can come out of the most unlikely places.

When Is The Cloud Not A Cloud?

Sometimes I joke that as my kids grow up they won’t see clouds, they’ll just see air—meaning of course that their use of cloud-based services will become so ubiquitous as to make the cloud moniker largely unnecessary. What we so enthusiastically label cloud will just be the way everyone builds and deploys their apps. “Nothing to see here folks; but look at my wonderful new application…”

We won’t arrive at this future until we strip the word cloud of its power. And to do this, we need to go after the things we thought made cloud unique and special in the first place. Today, Amazon took a vicious swipe at the canonical definition by introducing dedicated EC2 instances. Dedicating hardware to a single customer addresses the next logical layer in the hierarchy of security concerns after virtual isolation. Amazon’s VPC product, introduced back in August 2009, provided virtualized isolation in their multi-tenant environment. Essentially VPC is like a virtual zone housing only your instances. This zone is tied back to your on-premise network using a VPN. The only way in or out of a zone is through your corporate network. Other Amazon-resident applications can not access your apps directly—in fact, any external app, Amazon-resident or otherwise—must go through your conventional corporate security perimeter and route back to Amazon over the VPN to be able to gain access to a VPC app. The real value of VPC is that it puts instance access back into the hands of the corporate security group.

The problem that the highly security conscious organization has with VPC is that the “V” is for virtual. VPC may implement clever isolation tricks using dynamic VLANs and hypervisor magic known only to a gifted few, but when your critical application loads up you may actually reside on exactly the same hardware as your own worst enemy. In theory, neither of you can exploit this situation. But you need to believe the theory. Completely.

Today’s announcement means that Amazon’s customers can literally have exclusive use of hardware. This is good news for anyone with reservations about hypervisor isolation. However, the networking remains virtualized, and of course you can still ask the classic cloud security questions about where data resides, or the background of the staff running the infrastructure. So a mini-private cloud, it is not; but dedicated instances is an interesting offering, nonetheless.

What is more intriguing is that by providing dedicated hardware, Amazon is beginning to erode one of the basic foundations of the canonical cloud definition: multi-tenancy. Purists will argue—as they do so with unexpected vehemence with regard to private cloud—that what Amazon is offering is not a cloud at all, but in fact a retrograde step back to simple hosting or co-loc. I’m inclined to disagree, however, and think instead Amazon offers a logical next step (and certainly not the last) in the evolution of cloud services. By doing so, Amazon amplifies some of the other important aspects that define what the cloud really is. Things like self-service, a greatly changed division and scope of operational responsibility, the leverage of commodity of scale, elasticity, and the ability to pay for what you actually use.

I don’t think Amazon’s new offering will be wildly successful because it still leaves many security issues unresolved. But I do think it points the way to the future cloud, which will have many different attributes and characteristics that solve different problems. Some may conflict with traditional definitions and expectations. Some may fulfill them. What is important is to choose the service that meets your needs, and don’t worry what it’s called. That’s marketing’s problem.

Upcoming Webinar: Extending Enterprise Security Into The Cloud

On March 21, 2011 Steve Coplan, Security Analyst from the 451 Group and I will present a webinar describing strategies CIOs and enterprise architects can  implement to create a unified security architecture between on-premise IT and the cloud.

I have great respect for Steve’s research. I think he is one of the most cerebral analysts in the business; but what impresses me most is that he is always able to clearly connect the theory to its practical instantiation in the real world. It’s a rare skill. He also has a degree in Zulu, which has little to do with technology, but makes him very interesting nonetheless.

Lately Steve and I have been talking about the shrinking security perimeter in the cloud and what this means to the traditional approaches for managing single sign-on and identity federation. This presentation is a product of these discussions, and I’m anticipating that it will be a very good one.

I hope you can join us for this webinar. It’s on Tuesday, March 15, 2011 9:00 AM PST | 12:00 PM EST | 5:00 PM GMT. You can register here.

Overview:
For years enterprises have invested in identity, privacy and threat protection technologies to guard their information and communication from attack, theft or compromise. The growth in SaaS and IaaS usage however introduces the need to secure information and communication that spans the enterprise and cloud. This webinar will look at approaches for extending existing enterprise security investments into the cloud without significant cost or complexity.

Layer 7 Technologies Joins the Cloud Security Alliance (CSA)

I’m pleased to announce that Layer 7 has joined the Cloud Security Alliance (CSA) as a full corporate member. For the past several years, the CSA has assumed the leadership role in defining the best practices to secure cloud applications, data, and infrastructure.

I believe that when you join a community organization, you are obliged to make a real contribution. Being a member means a lot more than just having your company logo on the sponsor list. I’ve been involved previously with the CSA, as a co-author of version 2 of its Security Guidance for Critical Areas of Focus in Cloud Computing, and as a co-author of the organization’s Top Threats in Cloud Computing document. Now that we are corporate members, Layer 7 will help to drive two important events within the CSA.

First, Layer 7 is a sponsor the CSA summit at this year’s RSA conference in San Francisco, running Feb 14-18, 2011. I was a participant at the CSA summit last year. This one-day event sold out instantly, and most attendees agree it was one of the highlights of the RSA conference. If you are in San Francisco for the 2011 RSA show, you should try to get into Monday’s CSA event. The CSA has some very special guests lined up to speak—including Vivek Kundra, US Chief CIO—and I can assure you that once again the summit will be the talk of the RSA.

I am also fortunate to be co-presenting a CSA-sponsored webinar about Managing API Security in SaaS and Cloud with Liam Lynch, eBay’s Head of Security. The rapidly growing API management space has a number of unique challenges with segmentation of roles, access to usage information, developer on-boarding, user management, and community building. Liam and I will talk about our own experiences in this space, and I will explore several case studies that illustrate each issue and its solution. I hope you can join us on Feb 23, 2011 for this talk.

Hacking the Cloud

I’m not sure who is more excited about the cloud these days: hackers or venture capitalists. But certainly both groups smell opportunity. An interesting article published by CNET a little while back nicely illustrates the growing interest the former have with cloud computing. Fortify Software sponsored a survey of 100 hackers at last month’s Defcon. They discovered that 96% of the respondents think that the cloud creates new opportunities for hacking, and 86% believe that “cloud vendors aren’t doing enough to address cyber-security issues.”

I don’t consider myself a hacker (except maybe in the classical sense of the word, which had nothing to do with cracking systems and more about solving difficult problems with code), but I would agree with this majority opinion. In my experience, although cloud providers are fairly proficient at securing their own basic infrastructure, they usually stop there. This causes a break in the security spectrum for applications residing in the cloud.

Continuity and consistency are important principles in security. In the cloud, continuity breaks down in the hand-off of control between the provider and their customers, and potential exploits often appear at this critical transition.  Infrastructure-as-a-Service (IaaS) provides a sobering demonstration of this risk very early in the customer cycle. The pre-built OS images that most IaaS cloud providers offer are often unpatched and out-of-date. Don’t believe me? Prove it to yourself the next time you bring up an OS image in the cloud by running a security scan from a SaaS security evaluation service like CloudScan. You may find the results disturbing.

IaaS customers are faced with a dilemma. Ideally, a fresh but potentially vulnerable OS should first be brought up in a safe and isolated environment. But to effectively administer the image and load patch kits, Internet accessibility may be necessary. Too often, the solution is a race against the bad guys to secure the image before it can be compromised. To be fair, OS installations now come up in a much more resilient state than in the days of Windows XP prior to SP2 (in those days, the OS came up without a firewall enabled, leaving vulnerable system services unprotected). However, it should surprise few people that exploits have evolved in lock step, and these can find and leverage weaknesses astonishingly fast.

The world is full of ex-system administrators who honestly believed that simply having a patched, up-to-date system was an adequate security model. Hardening servers to be resilient when exposed to the open Internet is a discipline that is  time-consuming and complex. We create DMZs at our security perimeter precisely so we can concentrate our time and resources on making sure our front-line systems are able to withstand continuous and evolving attacks. Maintaining a low risk profile for these machines demands significant concentrated effort and continual ongoing monitoring.

The point so many customers miss is that cloud is the new DMZ. Every publicly accessible server must address security with the same rigor and diligence of a DMZ-based system. But ironically, the basic allure of the cloud—that it removes barriers to deployment and scales rapidly on demand—actually conspires to work against the detail-oriented process that good security demands. It is this dichotomy that is the opportunity for system crackers. Uneven security is the irresistible low-hanging fruit for the cloud hacker.

CloudProtect is a new product from Layer 7 Technologies that helps reconcile the twin conflicts of openness and security in the cloud.  CloudProtect is a secure, cloud-based virtual appliance based on RedHat Enterprise Linux (RHEL). Customers use this image as a secure baseline to deploy their own applications. CloudProtect features the hardened OS image that Layer 7 uses in its appliances. It boots in a safe and resilient mode from first use. This RHEL distribution includes a fully functioning SecureSpan Gateway – that governs all calls to an application’s APIs hosted on the secured OS. CloudProtect offers a secure console for visual policy authoring and management, allowing application developers, security administrators, and operators to completely customize the API security model based to their requirements. For example, need to add certificate-based authentication to your APIs? Simply drag and drop a single assertion into the policy and you are done. CloudProtect also offers the rich auditing features of the SecureSpan engine, which can be the input to a billing process or be leveraged in a forensic investigation.

More information about the full range of Layer 7 cloud solutions, including Single Sign-On (SSO) using SAML for SaaS applications such as Salesforce.com and Google Apps, can be found here on the Layer 7 cloud solutions page.

Dilbert on Cloud Computing

Scott Adams nails it once again:

Dilbert.com

From January 7, 2011 Dilbert.