20 July 2008

De-nebulating "Cloud Computing"

While catching up on my reading (which is pretty daunting when Google Reader tells me that my "high priority" collection of virtualization and utility computing feeds has over 1000 new posts), I came across Alistair Croll's nine sector view of cloud computing.

Taking a look at that post prompted me to revisit John Willis' post from February and the wealth of high quality comments he elicited. John's post, and now Alistair's, represent great "locations" in the blogosphere at which knowledgeable advocates and the loyal opposition convene to bring clarity to the conversation. What I also enjoy is that I've had and continue to have the privilege of knowing personally and working with so many of the participants.

I'm struck, as well, by what seems to be a gap ... or maybe several ... in their lists. And, being an amateur taxonomist and incorrigible entrepreneur, I view a gap as a puzzle to be solved and a potential market to be served. I'll take the time over the next few days to reflect on the gaps, and then pose a couple of questions and see if I can add to the fun. I'll be gratified if the result adds to the conversation established by John and Alistair, as well as those raised by James Urquhart, Greg Ness, Bert Armijo, Dave Durkee, and Rich Wellner (among others). (I'm most appreciative of Bert's most recent posts as well as the fun poked at the Cloud Computing Expo's Twenty Experts Define Cloud Computing piece.)


Inside the Cloud: 9 Sectors to Watch - GigaOM
There’s already a ton of activity taking place in the cloud computing space, so much so that it can be hard to know who to watch. In many cases, it’s too early to pick winners. But there are distinct sectors of the IT industry that are particularly well suited to the on-demand, pay-as-you-go economics of cloud computing. Here are eight segments — and one company that’s a segment all its own — that we’re tracking closely.

06 July 2008

MyCMDB - the CMDB as a Wikipedia Plug-in to Facebook

At the risk of piling on, I'll join the refrain regarding the recently announced MyCMDB from Managed Objects. As described, it makes no sense to me. I can't for the life of me figure out how one uses social networking and the "principles of Web 2.0" to solve the CMDB data accuracy and completeness problems.

myCMDB - Managed Objects
... Managed Objects myCMDB™ solves CMDB data accuracy and accessibility issues incumbent with today's CMDB implementations. By integrating principles of Web 2.0 and social networking into a new web-based application, myCMDB delivers role-based “communities” where users can more easily and effectively view and interact with CMDB data – and other CMDB users as well. ...

Why Cloudware and why now?

In September of last year, as I was preparing (mentally and emotionally) to get Replicate started on its current path, I considered issues of portability and interoperability in the virtualized datacenter. I posted a few comments about OVF but one in particular drew the attention of Bert Armijo of 3tera.

At that time, Bert indicated that he thought it "... too early for a standard,...", with a (perfectly arguable) claim that standards are often "... a trade-off to gain interoperability in exchange for stifling innovation." He went on to say that "(w)e haven't adequately explored the possibilities in utility computing." He then provided a critique of OVF. (Whether I agree with that critique or not is immaterial to this post, and the subject for another time.)

At the end of June, 3tera announced their Cloudware vision for a standards-based interoperable utility infrastructure. Since the arrival of Cloudware, there have been a number of venues at which "cloud computing" and interoperability have been on the minds of the cognoscenti... Structure08 and Velocity being the most heavily covered. In the past few weeks, there have also been claims and counter-claims of support... and to be fair, the disputed claims of support were made by others, not by 3tera.

So... what's changed, Bert? Why is "now the time" to create the standard for interoperable cloud computing? What's happened in 9 - 10 months that has so changed the field, that these efforts don't also stifle innovation?

Simon Wardley has also reiterated his position most recently at OpenTech regarding substitutability between utility providers (which includes portability and interoperability) ... an outcome which he maintains will require not just open standards but open source standards. When compared to the Cloudware initiative, I can more easily support this "pure form" of standard creation. The commercial success of a pure, open source standard approach for utility computing, however, requires a reasonably well-established reference implementation or some acknowledged leader as the de facto standard. (Again, the topic for yet another post.)

That said, Simon and I could not be more in agreement when he states that "... standards will emerge through competition and adoption rather than committee." I'd probably add to that statement that such standards don't (often) emerge as a result of the smaller, fragmented commercial interests banding together to form a "composite" competitor to a market leader.

I have to agree with John Willis when he states that "...what we today call the 'cloud' will really just evolve into a complex IT infrastructure ... which will link services from a myriad of inter connected inter-operable applications spanning internal legacy applications, internal/external virtual resources, private clouds and public clouds." (Full quote provided below.)

Head In The Clouds | 3Tera
Well I’m happy to say that I think the time has come when we have enough companies in the space working on creative products and services that a standard can progress productively. We’ve begun to share our vision for what that standard can achieve, it’s called Cloudware, and covers not only AppLogic but a whole new way to approach infrastructure.
john m willis ESM Enterprise System Management Blog
It is my belief that what we today call the “cloud” will really just evolve into a complex IT infrastructure of the future, and in the end, will just be referred to as infrastructure. There is no doubt the traditional IT landscape of the last 20 years is going through a substantial transformation on the same scale as what happened in the mid 1980’s as mainframe resources shifted to distributed computing and client server architectures.

This new complex IT infrastructure of the future will link services from a myriad of inter connected inter-operable applications spanning internal legacy applications, internal/external virtual resources, private clouds, and public clouds. For example, I can envision a scenario where a business service runs internal behind-the-firewall VMware instances for parts of an application and possibly inter-operates with resources on Amazon’s EC2, Flexiscale, Google’s App Engine, or a player to be named later. These same business services might also use resources from private internal clouds running 3Tera’s Applogic, IBM’s Blue Cloud, or Cassatt’s Active Power Management. Like it or not, Microsoft will have resources involved in this new IT management infrastructure of the future. Any interoperability discussion will need to include them as well. ...

13 June 2008

Jurisdiction - where in the world is that VM?

James Urquhart has an interesting post on a topic that's fascinated me for a long time -- namely, under what legal jurisdiction does a computed "transaction" take place?

The problem first came to my attention (sometime during the last ice age) with the advent of ATM machines with services offered by national banking and credit card concerns. If I withdrew money or paid a credit card bill at the ATM, exactly where (for the purposes of the relevant legal jurisdiction) did the transaction take place? Banking laws being what they are, the industry got around a host of problems by declaring an ATM machine to be a "branch bank", so that the geographic location at which the financial transaction took place was unambiguous for purposes of law.

The days of dumb terminals and thin client computing brought with them a boatload of jurisdictional issues. And now, cloud computing and virtual server migration add to the puzzle. It's a great problem on which to reflect. James' discussion is well grounded and presents the salient issues in a very nice way.

The Wisdom of Clouds: "Follow the law" computing
A few days ago, Nick Carr worked his usual magic in analyzing Bill Thompson's keen observation that every element of "the cloud" eventually boils down to a physical element in a physical location with real geopolitical and legal influences. This problem was first brought to my attention in a blog post by Leslie Poston noting that the Canadian government has refused to allow public IT projects to use US-based hosting environments for fear of security breaches authorized via the Patriot Act.

03 June 2008

Kudos to Vanity Fair. Nice job!

Thanks to a tweet from Paul Kedrosky, I got to end the evening reading (and listening to) a really fun, oral history. They had me at the lead-in picture of Len Kleinrock, Paul Baran and Larry Roberts.

How the Web Was Won: Entertainment & Culture: vanityfair.com
To observe this year’s twin anniversaries, Vanity Fair set out to do something that has never been done: to compile an oral history, speaking with scores of people involved in every stage of the Internet’s development, from the 1950s onward. From more than 100 hours of interviews we have distilled and edited their words into a concise narrative of the past half-century—a history of the Internet in the words of the people who made it. ...

Paul Baran: At the beginning there was a different attitude than today. Now everyone is concerned about making money, or reputation. It was different then. We all wanted to help one another. There was no competition, really, on most things. It was a total open flow of information. There were no games. There are so many others who did equally good work, and their names are just forgotten. We were all a bunch of young whippersnappers.

Bob Metcalfe: It was nerd city.

Critically Under-damped Oscillations

Chris Hoff has a great, common-sense post on security and where in the data center it will eventually end up residing.  (If you don't want me to give away the plot, go directly to the post.  Don't read the snippet I've enclosed.)

Along with the "dampened oscillation" graphic that he alludes to (but doesn't actually draw), I'd like to add my two-cents about where security resides when dealing with server virtualization, and the network.  Server virtualization, and particularly hot migration (like VMware's VMotion), has definitely changed the relative workload and tsuris (a technical term of art) experienced within the data center by the persons responsible for, respectively, server administration, storage administration, and network administration.

In the days before widespread adoption of server virtualization, making a new application "production ready" was a PITA (another term of art) for the server admin, who had to specify servers, install the apps, move the appropriate data for use by the apps, test, stage, re-test, etc. 

The storage admin had a modest workload, requiring attention to allocation of storage space, setting quotas, setting policies, ... but once done at the planning stage, required modest tweaking thereafter. 

The network admin had it easiest (IMHO).  Over the course of the weeks (if not months) it took to arrange for a new application to be put into production, the network admin might have to allocate ports, set VLANs, set policies, and be present when doing the lash up with the network equipment.

Fast forward to the day when a new application goes through development, test, staging and cut-over into production ... ALL using server virtualization.  Besides the fact that the time horizon for the production deployment has likely been compressed from weeks to days, the relative workloads as this cut-over approaches are radically different from the ones described above.

  • The server admin has a relative cakewalk: extend VME cluster, copy the image, or use a hot migration to herd the app into the new spot. 
  • The storage admin has pretty much the same level of work in allocating space, setting quotas, etc.,  and will soon be using SAN "hot migration" (e.g. VMware's Storage VMotion).
  • The network admin, however, just got a rude awakening.  If he's got SLAs to which his organization must commit, the network admin must allocate ports, set VLANs and VLAN policies, set up NIC teaming in both the virtual switches and physical server access switch, and set up trunking on the vSwitch and pSwitch.   Oh, and by the way... it has to be "right" for every physical server in the data center to which a virtualized application MIGHT migrate in the future.

Holy smoke, Chris!  It's not a single, oscillating signal.  It's (at least) three of 'em.  (... and if I were a better graphics hack, I'd drop in a jpg right about now.)

Rational Survivability: Security Will Not End Up In the Network...

... Here's the reality we actually already know and should not come to you as a surprise if you've been reading my blog: we will always need a blended investment in technology, people and process in order to manage our risk effectively.  From a technology perspective, some of this will take the form of controls embedded in the information itself, some will come from the OS and applications and some will come from the network.

Anyone who tells you differently has something to sell you or simply needs a towel for the back of his or her ears...

Is Co-Administration the Answer?

Rick Vanover, blogging at TechRepublic's Network Administrator site, suggests a solution to the problem of overlap between the span of administrative control normally provided to the network admin and that required of a VM server admin.  It's a solution that might appeal to a network administrator, but I'm dubious.  I'd very much like to hear from the network crowd as to how this might work in practice.

Here's my take.  In our investigations at Replicate, we've noted that VM admins are often unwilling to dig into the network management systems. (There are a number of reasons, which we won't go into here.)  So, how would a network admin view this solution?  These seem to be the implications of Vanover's approach:

  • The network admin must be cross-trained in the use of the VME's management system (e.g. VMware's Virtual Center or Citrix' XenCenter).
  • The network admin is required, at installation setup, to establish consistent configurations on the virtual switches and (in a separate management system) the physical switches.
  • The configuration settings on the vSwitches are supposed to remain inviolate and untouched by the VM admin in order to prevent configuration problems.
  • The network admin thereafter is relegated to a passive, read-only audience for the VM management system reports, unless ...
  • When there is a physical network issue (a problem or need to reconfigure), the network admin is reinstated with the necessary privileges to make those changes.

This sounds workable, at most, for a short period of time, an installation that changes almost never, or a very small installation.

Co-Administration is the new virtualization endpoint | Network Administrator | TechRepublic.com

Almost every organization has embraced some amount of virtualization, and the network has surely been a hot topic as a virtual environment scales upward. Most virtual host systems (VMware ESX, Citrix XenServer, etc.) offer host-based switches that implement 802.1Q tagging on the ports to the virtual machines. This poses a unique question: Who administers the virtual switch when the network and server administration are handled by different groups?

...
One creative way to solve this dilemma is with a co-administration approach. This would give the network engineers access to the virtual environment for configuration during a change and read-only access for ongoing checks of configuration and for assurance that a virtual machine is not breaking any network rules, such as having a virtual network adapter on two interfaces where one is a secured or external network. In most situations, the network administrator has no visibility into the configuration of the network within virtualization installations, and the co-administered approach can change that.   ...
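Two of the concrete checks raised in this post and the one before it are mechanical enough to script: that every port group a VM depends on is defined identically on every host the VM might migrate to (the "right for every physical server" problem), and that no VM has virtual NICs on both a secured/external network and an internal one (the rule Vanover's read-only access is meant to verify). The following is an added example written for this page, not code from Vanover, VMware, Citrix or Replicate; the inventory layout, host and port group names, and the "internal"/"external" zone labels are all constructed assumptions, standing in for whatever a real management system would export.

```python
"""Audit a constructed virtual-switch inventory for two problems: port groups
that are not defined identically on every host a VM might migrate to, and
VMs whose virtual NICs straddle an external and an internal network.

The inventory, host names, port-group names and the "internal"/"external"
zone labels are constructed assumptions for this example, not data pulled
from Virtual Center, XenCenter or any real management system."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class PortGroup:
    """One port group as exposed by a host's vSwitch (assumed model)."""
    name: str
    vlan: int
    zone: str  # assumed labels: "internal" or "external"


# Constructed sample cluster: host3 has drifted (wrong VLAN on web-net, no db-net).
CLUSTER = {
    "host1": {PortGroup("web-net", 10, "internal"),
              PortGroup("db-net", 20, "internal"),
              PortGroup("dmz-net", 99, "external")},
    "host2": {PortGroup("web-net", 10, "internal"),
              PortGroup("db-net", 20, "internal"),
              PortGroup("dmz-net", 99, "external")},
    "host3": {PortGroup("web-net", 11, "internal"),
              PortGroup("dmz-net", 99, "external")},
}

# Constructed sample VMs: the port group behind each virtual NIC.
VMS = {
    "web01": ["web-net"],
    "db01": ["db-net"],
    "proxy01": ["dmz-net", "db-net"],  # one NIC external, one internal
    "mgmt01": ["dmz-net"],
}


def _by_name(cluster):
    """host -> {port group name: PortGroup}"""
    return {host: {pg.name: pg for pg in pgs} for host, pgs in cluster.items()}


def migration_gaps(cluster, vms):
    """Return {vm: [(host, port_group, problem), ...]} for every VM that could
    not migrate to every host with its network intact. The reference definition
    of a port group is the one most hosts agree on; hosts that lack it, or that
    define it with another VLAN or zone, are reported."""
    idx = _by_name(cluster)
    gaps = {}
    for vm, names in vms.items():
        for name in names:
            defs = [groups[name] for groups in idx.values() if name in groups]
            if not defs:
                gaps.setdefault(vm, []).append(("*", name, "not defined on any host"))
                continue
            ref = Counter(defs).most_common(1)[0][0]
            for host, groups in idx.items():
                if name not in groups:
                    gaps.setdefault(vm, []).append((host, name, "missing"))
                elif groups[name] != ref:
                    got = groups[name]
                    gaps.setdefault(vm, []).append(
                        (host, name, f"vlan {got.vlan}/{got.zone} differs from "
                                     f"reference vlan {ref.vlan}/{ref.zone}"))
    return gaps


def zone_violations(cluster, vms):
    """Return the sorted names of VMs attached both to an external port group
    and to a non-external one (the 'adapter on two interfaces' rule)."""
    zones_of = {}
    for groups in _by_name(cluster).values():
        for pg in groups.values():
            zones_of.setdefault(pg.name, set()).add(pg.zone)
    bad = []
    for vm, names in vms.items():
        zones = set()
        for name in names:
            zones |= zones_of.get(name, set())
        if "external" in zones and zones != {"external"}:
            bad.append(vm)
    return sorted(bad)


if __name__ == "__main__":
    for vm, problems in migration_gaps(CLUSTER, VMS).items():
        for host, pg, why in problems:
            print(f"MIGRATION GAP {vm}: {pg} on {host}: {why}")
    for vm in zone_violations(CLUSTER, VMS):
        print(f"ZONE VIOLATION {vm}: NICs span external and internal networks")
```

Run as a script it reports host3 as a migration gap for web01 (VLAN drift), db01 and proxy01 (db-net absent), and flags proxy01 for straddling the DMZ and database networks. The design point is that both checks read the same inventory and need no write access to either management system, which is exactly the read-only role the co-administration proposal gives the network admin between changes.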

02 June 2008

VMware Server Virtualization, Compliance & Data Security

This is Catbird's announcement of the new assessment "service." It seems couched primarily in the context of "making you safe" when doing P2V.

While a number of the "virtsec" vendors address compliance, I've noticed a particular increase in the use of this theme with new product announcements over the past weeks. The compliance boogeyman is being hauled out by a number of vendors to make sure potential customers remember that they may need special assessments with respect to HIPAA, PCI DSS, et al. when using VMware server virtualization.

This theme was apparent in EMC's announcement of the new Application Discovery Manager 6.0 offering, which works in concert with other EMC SMARTS offers ... particularly their newly announced IT Compliance Analyzer -- Application Edition.

Catbird Offers Industry's First-Ever Comprehensive Virtual Security Assessment
SCOTTS VALLEY, Calif.--(BUSINESS WIRE)--Catbird, the pioneer in comprehensive security for virtual and physical networks and developer of the V-Agent™ virtual appliance, announced today the industry’s first and only state-of-the-art Virtual Infrastructure Security Assessment (VSA). Catbird’s VSA helps IT administrators identify and close the potential gaps in security and compliance created in the move from “P to V”. The 30-day assessment includes a thorough security analysis, detailed reports with actionable intelligence and a comprehensive plan to mitigate risk and protect critical virtual systems, networks, desktops and processes.

Catbird’s VSA combines traditional security assessment methodologies with unique virtual infrastructure telemetry gathered through Catbird’s stateless, non-invasive V-Agents to deliver robust scrutiny previously unachievable with existing mechanisms. The VSA identifies the scope and magnitude of the virtualization compliance gap through qualitative and quantitative analysis of the new architecture’s impact on change control, separation of duties, network visibility and segmentation, and secondary validation.

30 May 2008

VirtSec ... the real issue is Management (... maybe.)

Jon Oltsik at the CNET News blog may be oversimplifying the issue of virtsec.  Nope.  Take that back.  He's DEFINITELY oversimplifying the issues of virtual server security.  It's not that he isn't correct in laying the issue squarely at the feet of management and security controls, but it's just too facile to make that the one and only issue of virtualization security.  I'm rather certain that I'm not the only other person in the industry with this point of view.  (... and I'm not referring only to the vendors of v12n security technologies like Blue Lane or Catbird Networks. )

Update:  Guess I was right about the reaction.  Here's one.

The real issue around server virtualization security | Tech news blog - CNET News.com

... So what is it about server virtualization that should really keep chief information security officers up at night? A more pedestrian worry--lack of control. In a virtual server world, IT administrators can clone virtual hosts, move them around, or turn them on and off by accident or with malicious intent. What happens when an IT administrator moves a critical database server instance without re-configuring application servers or the network? How about when someone mistakenly adds a test server to the production network? The security "uh-oh" possibilities are endless.

The real threat here is that server virtualization takes on a life of its own without proper management and security controls. This is why VMware is investing in its virtual infrastructure, Citrix is keen on its Citrix Delivery Center, and Microsoft is pushing its System Center Virtual Machine Manager (SCVMM) architecture. Systems and operations management vendors like BMC Software, CA, Hewlett-Packard, and IBM are also paying close attention and adding virtualization capabilities to tools, processes, and services. Given its 30-plus years with mainframe virtualization, IBM for one has seen this movie before.  ...

27 May 2008

MSFT to Craft its own VMsafe?

Virtualization.info has a short but interesting post, which refers to a parenthetical comment from Chris Hoff which might imply that MSFT is considering / working on a VMsafe-like framework.

Is Microsoft working on a VMsafe-like framework? | virtualization.info
...
So far Microsoft didn't take an official position about the topic but virtualization.info had the opportunity to speak with several representatives who clearly stated how carefully the company is evaluating the security implications of a VMsafe-like approach.

Nonetheless Microsoft may be working to build the internal know-how needed to achieve the task.

Just two months ago in fact Microsoft acquired a small security firm focused on rootkit detection called Komoku.

As Christopher Hoff, Chief Security Architect at Unisys, recently discovered, Komoku did some research in the past, presenting a solution for Xen where virtual machines can do self-diagnosis and self-healing as well as learning to protect against subsequent attacks. ...