Tag Archives: cloud computing

Talk at Upcoming Gartner AADI 2010 in LA: Bridging the Enterprise and the Cloud

I’ll be speaking this Tuesday, Nov 16 at the Gartner Application Architecture, Development and Integration Summit in Los Angeles. My talk is during lunch, so if you’re at the conference and hungry, you should definitely come by and see the show. I’ll be exploring the issues architects face when integrating cloud services—including not just SaaS, but also PaaS and IaaS—with on-premise data and applications. I’ll also cover the challenges the enterprise faces when leveraging existing identity and access management systems in the cloud. I’ll even talk about the thinking behind Daryl Plummer’s Cloudstreams idea, which I wrote about last week.

Come by, say hello, and learn not just about the issues with cloud integration, but real solutions that will allow the enterprise to safely and securely integrate this resource into their IT strategy.


There’s a Cloudstream For That

Earlier today, Daryl Plummer introduced a new word into the cloud lexicon: the Cloudstream. Anyone who knows Daryl would agree he is one of the great taxonomists of modern computing. As Group VP and a Gartner Fellow, Daryl is in a unique position to spot trends early. But he’s also sharp enough to recognize when an emerging trend needs classification to bring it to a wider audience. Such is the case with Cloudstream.

In Daryl’s own words:

A Cloudstream is a packaged integration template that provides a description of everything necessary to govern, secure, and manage the interaction between two services at the API level.

A Cloudstream encapsulates all of the details necessary to integrate services—wherever these reside, in the enterprise or in the cloud—and manage these subject to the needs of the business. This means that a Cloudstream describes not just the mechanics of integrating data and applications (which is a muddy slog no matter how effective your integration tools are), but also the aspects of security, governance, SLA, visibility, etc. that underpin service integration. These are the less obvious, but nonetheless critical, components of a real integration exercise. A Cloudstream is an articulation of all this detail in a way that abstracts its complexity while keeping it available for fine-tuning when necessary.

Cloudstream captures integration configuration for cloud brokers, an architectural model that is becoming increasingly popular. Cloud broker technology exists to add value to cloud services, and a Cloudstream neatly packages up the configuration details into something that people can appreciate outside of the narrow hallways of IT. If I interpret Daryl correctly, Cloudstreams may help IT integrate, but it is the business who is the real audience for a Cloudstream.

This implies that Cloudstream is more than simple configuration management. Really, Cloudstream is a logical step in the continuing evolution of IT that began with cloud computing. Cloud is successful precisely because it is not about technology; it is about a better model for delivery of services. We technologists may spend our days arguing about the characteristics and merits of different cloud platforms, but at the end of the day cloud will win because it comes with an economic argument that resonates throughout the C-suite with the power of a Mozart violin concerto played on a Stradivarius.

The problem Daryl identifies is that so many companies—and he names Layer 7 specifically in his list—lead with technology to solve what is fundamentally a business problem. Tech is a game of detail—and I’ve made a career out of being good at the detail. But when faced with seemingly endless lists of features, most customers have a hard time distinguishing between this vendor and that. This one has Kerberos according to the WS-Security Kerberos Token Profile—but that one has an extra cipher suite for SSL. Comparing feature lists alone, it’s natural to lose sight of the fact that the real problem to be solved was simple integration with Salesforce.com. Daryl intends Cloudstream to up-level the integration discussion, but not at the cost of losing the configuration details that the techies may ultimately need.

I like Daryl’s thinking, and I think he may be on to something with his Cloudstream idea. Here at Layer 7 we’ve been thinking about ways to better package and market integration profiles using our CloudSpan appliances. Appliances, of course, are the ideal platform for cloud broker technology. Daryl’s Cloudstream model might be the right approach to bundle all of the details underlying service integration into an easily deployable package for a Layer 7 CloudSpan appliance. Consider this:

The Problem: I need single sign-on to Salesforce.com.

The Old Solution: Layer 7 offers a Security Token Service (STS) as an on-premise, 1U rackmount or virtual appliance. It supports the OASIS SAML browser POST profile for SSO to SaaS applications such as Salesforce.com, Google Docs, etc. This product, called CloudConnect, supports initial authentication using username/password, Kerberos tickets, SAML tokens, X.509 v3 certificates, or proprietary SSO tokens. It features an on-board identity provider, integration into any LDAP, as well as vendor-specific connectors into Microsoft Active Directory, IBM Tivoli Access Manager, Oracle Access Manager, OpenSSO, Novell Access Manager, RSA ClearTrust, CA Netegrity…. (and so on for at least another page of excruciating detail)

The Cloudstream Solution: Layer 7 offers a CloudStream integrating the enterprise with Salesforce.com.

Which one resonates with the business?

Photo: Jonathan Ogilvie, stock.xchng

BI is Dead. Long Live BI. The Future of Business Intelligence in the Cloud

I’ll be delivering a keynote presentation in Sydney Australia on Oct 18 at the Mastering Business Intelligence with SAP conference. I’ll also be doing a roadshow around the country with our local partner First Point Global, who really understand the business of IAM. The Australian market is very forward-looking these days, and I’ve been impressed with the vision behind the projects we’ve been involved in. If you’re in Australia, come by the conference or send me an email if you would like to meet.

Here’s the abstract in full:

BI is Dead. Long Live BI. The Future of Business Intelligence in the Cloud

Will cloud computing really change IT? Despite all of the attention that cloud computing commands, this deceptively simple question has been largely overlooked. The promise of shifting capex dollars to lower opex is certainly compelling and the overnight success of some of the large Software-as-a-Service (SaaS) vendors, such as Salesforce.com is undeniably impressive. But once the hype dies down, what will be the real impact of cloud computing to mission-critical applications such as BI?

Cloud will transform BI, much as it is currently transforming CRM. Cloud isn’t only about a cheaper new delivery model; when done right, cloud also radically changes how applications are composed and where data can reside. These changes are driven both by necessity, acknowledging the realities of latency, privacy and compliance, and by opportunity and the rapidly evolving best practices that show us how to build applications better and deliver them faster. BI must change to be successful in the cloud, and cloud is an irresistible forcing function that will make this change inevitable. If your career is centered around BI, you need to be ready for this revolution.

Virtualization’s Second Act

I was quite disappointed with the coverage and analysis of VMware’s new vCloud Director (vCD) product, which the company introduced at its annual VMworld conference earlier this month in San Francisco. I think people focused too much on the superficial message of vCD being yet another new cloud platform, but missed the more important insight into what makes this product different from the virtualization we all know so well.

I wrote up my own take on the real change vCD represents in terms of organizational behavior, work flows, and approaches to managing mass virtualization. It was published this week on the VMware blog, so I must have been at least partially right. Go have a look and tell me what you think.

How to Secure vCloud Director and the vCloud API

This year’s VMworld conference saw the announcement of VMware’s new vCloud Director product, a culmination of the vision for cloud computing the company articulated last year and a significant step forward in providing a true enterprise-grade cloud. This is virtualization 2.0—a major rethink about how IT should deliver infrastructure services. VMware believes that the secure hybrid cloud is the future of enterprise IT, and given their success of late it is hard to argue against them.

vCloud Director (vCD) is interesting because it avoids the classic virtualization metaphors rooted in the physical world—hosts, SANs, and networks—and instead promotes a resource-centric view contained within the virtual datacenter (VDC). vCD pools resources into logical groupings that carry an associated cost. This ability to monetize is important not just in public clouds, but for private clouds that implement a charge-back to enterprise business units.

Multi-tenancy is a basic assumption in the vCD universe, and the product leverages the new vShield suite to enforce isolation. Management of vCD is through the vCloud API, a technology VMware introduced a year ago, but which has now matured to version 1.0.

The product vision and implementation are impressive; however, a number of security professionals I spoke with expressed disappointment in the rudimentary security and management model for the vCloud API. vCloud is a RESTful API. It makes use of SSL, basic credentials and cookie-based session tokens as a basic security model. While this is adequate for some applications, many organizations demand a more sophisticated approach to governance, buttressed with customized audit for compliance purposes. This is where Layer 7 can help.

Layer 7’s CloudSpan virtual gateways are the ideal solution for protecting and managing the vCloud API, vSphere, and vCloud Director. CloudSpan provides an intuitive, drag-and-drop interface for securing vCloud services and providing the visibility the modern enterprise demands. Do you need to protect the interface with 2-factor authentication? A few simple clicks and you add this capability instantly—to a single API, or across a group of similar services. The CloudSpan policy language gives administrators the power to customize the access control and management of vCloud to incorporate:

  • Authentication against virtually any security token (SAML, Kerberos, X.509 certificates, OAuth, etc.).
  • Cloud single sign-on (SSO).
  • Fine-grained authorization to individual APIs.
  • Fully customizable audit.
  • Virtualization and masking of APIs.
  • Versioning of REST and SOAP APIs beyond vCloud’s basic versioning.
  • Augmentation and extension of existing vCloud functions.
  • Transformation of any GET, POST, DELETE, and PUT content.
  • Orchestration to create new APIs.
  • Validation of XML structures such as OVF containers.
  • Threat detection, including threats embedded in XML OVF files.
  • Automatic fail-over between hosts.
  • Mapping between SOAP and REST.
  • JSON Schema validation.
  • Management of federated relationships.
  • Live dashboard monitoring of API usage.
  • And more.

Figure 1: vCloud Director API management and security with CloudSpan from Layer 7.

CloudSpan is the basis of real cloud governance. In contrast to other solutions that run as third-party services or attempt to broker security from your own local data center, CloudSpan runs as an integral part of the vCloud Director environment. CloudSpan runs as a VMware virtual image that is easily incorporated into any VMware virtual infrastructure. At Layer 7, we fundamentally believe that the security, monitoring and visibility solution for cloud APIs must reside inside the cloud it is protecting—not off at some other location where the transactions it proxies are subject to attack as they traverse the open Internet. Local integration of the security solution as an integral part of the cloud infrastructure is the only way to properly secure cloud APIs with sophisticated access control and to offer protection against denial-of-service (DoS) attacks.
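To make concrete what a gateway in front of a REST API such as vCloud’s actually adds beyond SSL, basic credentials and session cookies, here is an added illustration (my own sketch, not CloudSpan policy and not VMware’s code) of three of the capabilities listed above: default-deny, fine-grained authorization per method and path, structural validation of an uploaded OVF envelope that refuses DTD and entity declarations before parsing, and an audit record for every decision. The policy table, path shapes and role names are constructed assumptions; only the OVF envelope namespace is the real DMTF one.

```python
import re
import xml.etree.ElementTree as ET

OVF_NS = "http://schemas.dmtf.org/ovf/envelope/1"   # OVF 1.x envelope namespace (DMTF)

# Constructed policy table (assumption, not vCloud's own access model):
# HTTP method, path pattern, and the roles allowed to call it.
POLICY = [
    ("GET",    r"^/api/v1\.0/vdc/[^/]+$",                          {"reader", "operator", "admin"}),
    ("POST",   r"^/api/v1\.0/vdc/[^/]+/action/uploadVAppTemplate$", {"operator", "admin"}),
    ("DELETE", r"^/api/v1\.0/vApp/[^/]+$",                         {"admin"}),
]

# Constructed sample upload body: a minimal, well-formed OVF envelope.
GOOD_OVF = (b'<?xml version="1.0"?>'
            b'<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1">'
            b'<References/></Envelope>')

def authorize(method, path, roles):
    """Fine-grained authorization: the first matching (method, path) rule decides.
    Anything not covered by a rule is denied, so unknown calls never reach vCD."""
    for rule_method, pattern, allowed in POLICY:
        if rule_method == method and re.match(pattern, path):
            return bool(set(roles) & allowed)
    return False

def check_ovf(body):
    """Structural validation of an OVF document before it is forwarded.
    Returns (ok, reason). DTD and entity declarations are rejected up front
    rather than trusting the parser to handle entity expansion safely."""
    if re.search(rb"<!(DOCTYPE|ENTITY)", body, re.IGNORECASE):
        return False, "DTD or entity declaration in OVF"
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return False, "malformed XML: %s" % exc
    if root.tag != "{%s}Envelope" % OVF_NS:
        return False, "root element is not an OVF Envelope"
    return True, "ok"

def gate(method, path, roles, body=b""):
    """Gateway decision for one call, plus the audit record that goes with it."""
    if not authorize(method, path, roles):
        decision, reason = False, "not authorized"
    elif body:
        decision, reason = check_ovf(body)
    else:
        decision, reason = True, "ok"
    audit = {"method": method, "path": path, "roles": sorted(roles),
             "allowed": decision, "reason": reason}
    return decision, audit

if __name__ == "__main__":
    print(gate("POST", "/api/v1.0/vdc/42/action/uploadVAppTemplate", ["operator"], GOOD_OVF))
    print(gate("DELETE", "/api/v1.0/vApp/7", ["operator"]))
```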

For more information about how to secure and manage the vCloud API and vCloud Director, please see the cloud solutions page at Layer 7 Technologies.

Public vs. Private Clouds

Christian Perry has an article in Processor Magazine that I contributed some quotes to. The article is about the ongoing debate about the merits of public and private clouds in the enterprise.

One of the assertions that VMware made at last week’s VMworld conference is that secure hybrid clouds are the future for enterprise IT. This is a sentiment I agree with. But I also see the private part of the hybrid cloud as an excellent stepping stone to public clouds. Most future enterprise cloud apps will reside in the hybrid cloud; however, there will always be some applications, such as bursty web apps, that can benefit tremendously from the basic economics of public clouds.

The Top 50 Cloud Bloggers

I’m happy to learn that I’ve made Cloud Computing Journal’s list of the Top 50 Bloggers in Cloud Computing.

What, Me Worry?

According to Yahoo news Infrastructure Services Users Worry Less About Security. This article references a Yankee Group study that found although security remains a top barrier slowing the adoption of cloud services in the enterprise, most companies that have adopted Infrastructure-as-a-Service (IaaS) worry less about security once they begin using the technology.

Once they’ve made the leap into the cloud, the article suggests, users conclude that the security issues aren’t as significant as they had been led to believe. I find myself in partial agreement with this; the industry has created a level of hysteria around cloud security that isn’t necessarily productive. Taking pot shots at the security model in the cloud is pretty easy, and so many do—regardless of whether their aim is true (and for many, their aim is not).

Nevertheless, my interpretation of these results is that they are uncovering less a phenomenon of confidence genuinely earned and more a case of misplaced trust. The article makes an interesting observation about the source of this trust:

Twenty-nine percent of the companies in the survey viewed system integrators as their most trusted suppliers of cloud computing. But among early adopters of IaaS, 33 percent said they turn to telecom companies first.

Do you remember, back around the turn of the century, when large-scale PKI was first emerging? The prevailing wisdom was that state-sponsored PKI should be administered by the post offices because this organization above all was perceived as trustworthy (as well as being centralized and a national responsibility). Hong Kong, for instance, adopted this model. But in general, the postal-run PKI model didn’t take hold, and today few federal post services are in the business of administering national identity. Trust doesn’t transfer well, and trust with letters and packages doesn’t easily extend to trust with identity.

Investing generalized trust in the telcos reminds me of the early PKI experience. The market is immature, and because of this so too are our impressions. Truthfully, I think that the telcos will be good cloud providers—not because I have an inherent trust in them (I actively dislike my cell provider on most days), but because the telcos I’ve spoken to that have engaged in cloud initiatives are actually executing extremely well. Nevertheless, I don’t think I should trust them to secure my applications. This is ultimately my responsibility as a cloud customer, and because I can’t reasonably trust any provider entirely, I must assume a highly defensive stance in how I secure my cloud-resident applications.

I hope my provider is good at security; but I need to assume he is not, and prepare myself accordingly.

My New Book, Cloud Computing: Principles, Systems and Applications, is Now Available

I’m happy to announce that I have a paper published in a new cloud computing textbook published by Springer. The book is called Cloud Computing: Principles, Systems and Applications. The paper I wrote is Technologies for Enforcement and Distribution of Policy in Cloud Architectures. If you click on the link you should be able to preview the abstract and the first few pages online.

The editors of the book are Dr. Nick Antonopoulos, who is Professor and Head of the School of Computing at the University of Derby, UK and Dr. Lee Gillam, who is a Lecturer in the Department of Computing at the University of Surrey, UK. I participated on the review committee for the text, and Drs. Antonopoulos and Gillam have pulled together an excellent compilation of work. Although this book is intended as an academic work of primary interest to researchers and students, the content is nevertheless very timely and relevant for IT professionals such as architects or CTOs.

Lately much of my writing has been for a commercial audience, so it was nice to return to a more academic style for this chapter. I’ve carefully avoided book commitments for the last few years, but the opportunity to publish in a Springer book, a publisher I’ve always considered synonymous with serious scientific media, was just too good to pass up. Every book project proves to be more work than the author first imagines, and this was no exception (something to which my family will attest). But I’m very happy with the results, and I hope that this text proves its value to the community.

Azure Broke My Booth

“Get outta the way—it’s coming through.”

I love the New York accent. I think it is at its most characteristic when roared by an irritated teamster, struggling with a near-undeliverable load that was late even before the scheduled pick-up time. In this instance, the package is a self-contained Microsoft Azure Compute Center, on its way to its temporary home in the middle of the show floor during April’s Cloud Computing Expo in the Javits Center. Normally this wouldn’t be a problem, but by this time it was the 11th hour of vendor setup, and just about everyone on the show floor was done, leaving very little room for heavy plant to deliver a package the size of a modest RV.

The coming of Azure.

Small vendors in the tech industry have few options when a juggernaut like Microsoft moves into their space. Maneuverability is always the best defense. A similar strategy is to be recommended when Azure, well, drives down the main hallway of the show floor. Not surprisingly, it left in its wake a volatile combination of consternation, amusement, disorganization—and a healthy determination to still win on the new business front opened up in the cloud.

The wake of Azure.

Everyone says that cloud is disruptive, but this was a little too literal for my taste.

Once delivered, an army of Microsoft staff swarmed over the box and quickly packed it with a dense array of Dell servers connected by a thick tangle of red patch cables. When all was said and done, it was hard not to be impressed with this rapid marshalling of technological firepower.

Azure data center.

Techs who work in the cloud.

Microsoft designed the Azure data center to be modular, self-contained and very green. The trick the company has employed here is to make use of outside-air cooling running through the unit to avoid expensive conventional air conditioning systems, which can typically account for half of the power consumption in a traditional data center.

The Azure center has three rooms. The air flow passes through each one, cooling the racks of equipment that separate the second and third rooms. If the ambient air temperature rises too high for this to be effective, normal HVAC takes up the slack; but the overall power consumption is considerably reduced.

Air intake zone.

Middle zone, showing server racks.

I’m not sure that it was a wise choice to light the middle zone in blue.

Each data center is weather hardened because Microsoft intends it to be deployed out-of-doors, and ideally in a location offering a naturally cool climate. Each unit is small enough so that it can be easily deployed in farms that integrate vast numbers of commodity servers. This is as close to cloud-in-a-box as you are ever likely to see.