Battling for the Title of Cloud VME

According to eWeek and Shannon Snowden, Citrix Systems and Xen.org will be developing a 'full-blown cloud computing platform that will rival VMware's vCloud offering.' I'm not yet sure what this means, because there are still piece parts of VMware's vCloud (particularly the details of the vCloud API) that are yet to be revealed. That said, the interview on Snowden's Virtualization Information seemed to have the right elements: portability through support of OVF (YAY!!), commitment to DMTF standards, XenMotion workload migration between datacenters and clouds, extended virtual networking infrastructure, and cloud-scale virtual storage infrastructure.

We discussed the the expected impact to Citrix and XenServer. Both Simon and Ian (Pratt) think that having a bigger footprint of XenServer is good for Citrix and ISVs in general because the (Xen Cloud Platform) XCP won’t necessarily be focused on the management layer, but the foundational components to having a stable, functioning cloud platform. After all, Citrix is already providing XenServer for free.

In fact, the orchestration and management capabilities of open source projects Eucalyptus and OpenNebula.org as well as commercial offerings from vendors and cloud providers will integrate with XCP since these projects are Xen-based already.

Simon said the plan is for Citrix Essentials to work with XCP, so this makes business sense to me. Citrix gets more XenServer in organizations that already are running Xen to power their clouds and have an opportunity to sell more Citrix Essentials.

For me, the early prize in the contest between VMware and Citrix is the cloudbursting title. This would incorporate three elements:

1. The extended safety cordon required for expanding a private datacenter into the cloud of an IaaS, most likely based on a managed VPN like CohesiveFT's VPNCubed or Amazon's VPC
2. The ability to utilize hot migration -- vMotion or XenMotion -- as a basis for VM movement.
3. A coordinated data management facility -- almost a customer directed content management network -- for identifying, moving and then utilizing data at the most appropriate location as part of the workload migration control.

Cloud Computing

PCI DSS Wireless Data Guidelines? Not so much.

PCI Security Standards Council Issues PCI DSS Wireless Guidelines

The retail industry has, for some time, been exercised about cardholder data being extracted feloniously from wireless networks. But, apparently they won't get much in the way of additional reassurance or a path to safety with the PCI SSC Wireless Guidelines which were issued last week by the PCI SSC.   

“It contains no changes to the PCI standard at all and the only thing really interesting about it is that they felt the need to issue it,” said David Taylor, founder of the PCI Knowledge Base.

'Security by Compliance Is No Longer Working.' Did it ever?

A number of people much smarter about data security than I have often made the point that one has to distinguish between passing a compliance audit and actually being secure. It reminds me of an education system that places so much emphasis on passing a competency test that the material being "learned" is completely secondary.

So, when I see reports of presentations like this, it makes me sad. It also makes me concerned for those who have their personal or corporate data protected by organizations focused on 'passing the test' as opposed to 'absorbing the material and putting it into action.' The point that Pironti makes in the presentation SHOULD be obvious.

If organizations continue to focus on security by compliance, he argues, the adversaries will continue to win as their attacks become more effective and more damaging. “Compliance can be a good starting point for securing information infrastructure and data if an organization has not put anything in place previously, but it cannot be the end point of the conversation.”

However, I'm not even sure what he means when he goes further to state that "(w)e need to stop thinking about information security and start thinking about information risk management.” Then there's

“The technology is just a vessel for the data and has little value by itself. By focusing on the data, enterprises will be better prepared for the challenges that they may face from any adversary”

We should always be sure to consider that the 'map' is not the same as the 'territory.'

Dealing with Data During Cloudbursts

I enjoy reading Joe Weinman's posts. And today's post at GigaOM is no exception. He does a great job organizing the problem of data when considering the architecture of cloudbursting. Joe's post has prompted me to break my 'radio silence' of a few months.

In 4 1/2 Ways to Deal With Data During Cloudbursts, Joe calls out a number of architectures and discusses some of the considerations that impact the choice of a relevant scenario. I won't try to recreate the architectural strategies, but I was taken by how relevant these same constellations are when addressing some of the more advanced considerations of data clouds, peripatetic workloads and data governance.

1) Independent Clusters: This one is pretty straight forward and Joe's characterization of "minimal communication and data-sharing requirements between the application instances running in the enterprise and cloud data centers" makes sense. The data-specific considerations in using the cloud service resources tend mostly to center about providing the user with a uniform (or at least acceptable) standard of data security.

2) Remote Access to Consolidated Data: This strategy is called out for those situations in which application instances running in the cloud require access to a single-instance data store, or data store(s) which must for various reasons remain within the confines of the enterprise data center.

Notice my 'or' in the last sentence. Besides architectural requirements that require a single-instance data store, the reality of enterprise IT is that data stewardship requirements often require the authoritative datum to remain within the enterprise data center.

3) On-Demand Data Placement: Weinman points out that

...if I/O intensity and/or network latency are too high for remote access, then any needed data that isn’t already in the cloud must be placed there at the beginning of the cloudburst, and any changes must be consolidated in the enterprise store at the end of the cloudburst. The question is: “How much data needs to get where, and how quickly?”

This is clearly the right question to ask first. If a large data set is required to be in close proximity to the cloud service application instances, this may require enterprise IT to rely on a number of tactics to reduce delay in commencing cloud-based operation: large bandwidth networking services, possibly made available on-demand; advanced WAN optimization technologies (e.g. data deduplication).

As in my consideration of the remote access to consolidated data, on-demand data placement may imply a requirement for additional measures to deal with compliance and data stewardship, therefore calling on the purveyors of fast file transfer or on-demand, adjustable data transport services to offer a form of 'in-flight' data mediation services. Alternatively, the enterprise data center may be called on to implement dataset virtualization approaches or data masking systems in order to remain in compliance.

4) Pre-positioned Data Placement: He makes the point that pre-positioning "... adds additional costs as a full secondary storage environment and a metro or wide-area network must be deployed.'

4.5) BC/DR Plus Cloudbursting: This was the point at which I chortled with recognition.

Thanks, Joe! I've been looking for the context in which to make this point for years. This has been a soapbox of mine for a long time ... almost since the notion of utility computing (now 'cloud computing') started circulating as a meme.

In addition to using cloudbursting as the premise on which to incorporate business continuity and disaster recovery costs into calculation, I'd like to throw in at least one more, in hopes of getting this to 4 3/4 ways to deal with data + cloudbursts. Please bear with me... this is work in progress.

Data Governance, Data Stewardship and Data Residency:

Many of the issues relating to data in conjunction with cloudbursting are not new. When you stop to think about it, the 4 1/2 ways that Weinman outlines are variants of a generic data sharing problem across organizational boundaries. If we add any form of data sharing to the real cost of the enterprise data center, the issue we must address is that of Data Stewardship. It's been defined in various places, but here's one of my favorites since it places it in context with Data Governance.

Data Governance: The execution and enforcement of authority over the management of data assets and the performance of data functions.

Data Stewardship: The formalization of accountability for the management of data resources.

Data governance in the enterprise data center may require a 'complete' record to always be under the stewardship of the enterprise, and never at risk of being located in a different legal jurisdiction (e.g., the details of a financial transaction must remain in the immediate and direct control of the responsible financial institution). Examples abound, but one can point to financial and personal information which must, for compliance reasons, never leave the geographical borders of a country with stringent data protection regulation n (e.g., not in that cloud-resident datastore in India or Switzerland).

In these cases, the implications of cloud bursting on data may require the addition of data masking/data obfuscation, or applications which are demonstrably proven to operate on meta-data of other kinds without jeopardizing data stewardship compliance. This particular aspect of Data Stewardship is sometimes called the Data Residency Dilemma.

Getting to 4.75 - Data Governance Plus Cloudbursting: Even if, in addition to taking responsibility for data mirroring or replication to provide Business Continuity / Disaster Recovery, the enterprise is constrained from using Data + Cloudbursting because of the costs and constraints of data governance, the question arises: Are there services / technologies that can be provided by the *aaS supplier which can be brought to bear? To me, this appears to be a question of data center pragmatics rather than strictly an issue of recalculating the breakeven point.

There are many technologies for data sharing, some of which come into play for Data + Cloudbursting. When the solution requires extending the 'boundaries' of the enterprise in both the application and data domains (as we do with cloudbursting), the first question has usually been constructed as: Should the shared data reside inside or outside the firewall?

Elastic perimeter technologies: For cloudbursting with data 'leaving the building', elastic virtual private networks (such as CohesiveFT's VPN-Cubed , particularly their Data Center to EC2 version) address the underlying, network-oriented issues of wandering data.

Data masking & obfuscation: Conventional data encryption of "data at rest" does not satisfy the safety requirements of most enterprises when data is placed outside the corporate data center. Because the data must be decrypted when “in use” by a cloud-resident application image, conventional disk or file encryption does not protect against a compromise of or misuse by any systems processing the data. Suitably transformed portions (i.e. fields) can be used that provide integrity of the source data required for the application by means of data masking or obfuscation.

Meta-data & data virtualization: We're now starting to see, usually in conjunction with specific SaaS offers, data 'proxy' servers and other means that allow the enterprise to retain specific data elements 'locally resident' within the data center rather than residing 'in the clear' within a data cloud. What we can expect to see within the next year are solutions that provide this type of offer associated with Master Data Management technologies, or enhanced data-in-motion services provided by cloud service providers at all levels -- Iaas, PaaS and Saas. The most immediate utility of these offers will be for enterprises wishing to make real use of cloudbursting.

---

Joe Weinman broadened the definition of the real costs of an enterprise data center and has shown clearly how cloudbursting + pre-positioned data can contribute to addressing the BC/DR costs. Like BC/DR, the enterprise data center has to consider data governance in the context of interorganizational data sharing. Cloudbursting is just one form of data sharing, and presents the innovative cloud service an opportunity to provide generic solutions to data sharing governance for the enterprise.

Truth in advertising: In two of my recent entrepreneurial adventures (Univa and Safe Data Sharing) as well as two for whom I've acted as an advisor (Perspecsys and Replicus ), the problems of data stewardship and anticipatory data transport (e.g. moving/replicating the dataset well in advance) all come into play.

Declan on the 'Informed P2P User Act'

Sometimes I marvel at the gap between technology's uptake and the ability of the legal system to address it with some level of cluefulness. For so many reasons, the approach proposed by this legislation is toxic.

P2P bill could regulate Web browsers, FTP clients

The U.S. House of Representatives has scheduled a hearing Tuesday to examine a bill that would force peer-to-peer applications to provide specific notice to consumers that their files might be shared.

The hearing before a House Energy subcommittee comes about a month after reports that specifications about the helicopter used as Marine One may have been leaked through a P2P network. Meanwhile, a second House committee is probing whether LimeWire or another P2P application was responsible.

Tuesday's hearing is expected to focus on a bill introduced in March by Rep. Mary Bono Mack, a California Republican. The catch: while it appears intended to target only P2P applications, the measure sweeps in Web browsers, FTP applications, instant messaging utilities, and other common programs too.

Bono's Informed P2P User Act says that it will be "unlawful" for P2P software to cause files to be made available unless two rules are followed. First, the utility's installation process must provide "clear and conspicuous notice" of its features and obtain the user's "informed consent." Second, the program must step through that notice-and-consent process every time it runs.

Her bill defines P2P applications as software that lets files be marked for transfer, transferred, and received. (The exact wording: "to designate files available for transmission to another computer; to transmit files directly to another computer; and to request the transmission of files from another computer.")

Chris Wolf Throws Down the Gauntlet

Chris Wolf of Burton Group is another voice in the group that calls for standards with respect to virtualizion's impact on security and compliance audit.  He restates the call from auditors looking for guidance, and a (typical ?) response from the vendor community to the effect: It's not my job.

So, he's much happier now that VMware has apparently made it their concern.

VMware Launches Site for Security and Compliance Auditors at ChrisWolf.com

I’m once again going to repeat my request to you - please get serious about providing guidelines and clarity for security auditors. They want your help. Without it, some will inevitably revert to enforcing full physical isolation within their organization’s virtual infrastructure, something which reduces consolidation density and undermines your TCO arguments. What do you say? If you’re serious about being a production-class virtualization platform, you need to publicly demonstrate how you are serious about security and compliance. The ball’s in your court.

VMware Gets Busy with PCI-DSS

Another interesting addition to the conversation regarding virtualization and PCI-DSS.  VMware has joined PCI, and we'll now see how they can improve the situation ...hopefully.

VMware makes the case for PCI DSS compliance

...Today, with a nod to millions of merchants worldwide that accept credit card payments, VMware Inc. announced that it has joined the Payment Card Industry Security Standards Council (PCI SSC) to incorporate awareness of virtualization into forthcoming versions of PCI regulations.

The company has also launched the VMware Compliance Center, a website dedicated to educating merchants and auditors about compliance in a virtualized environments, and the resource includes links to relevant white papers and webcasts.  ...

PCI DSS 1.2 and the On-going Conversation about Virtualization

While cruising through the feed-reader, I came upon Eric Sieberts recent post regarding the release of the Payment Card Industry’s Data Security Standard (PCI-DSS), version 1.2.  Eric notes that "... the specification dictates what must be done to secure a server that may store or process cardholder data, but if that server happened to be a virtual guest the host server would not be considered in the scope of the specification."  He then wonders (out loud) what could be the cause for this lack of attention (see quote below). 

This post reminded me of a conversation I had in August with Scott Loftesness of Glenbrook Partners, who arguably knows more about technology and the payment card industry than any five persons on the face of the planet.  He pointed me to this article as to why failure of PCI DSS 1.2 to address virtualization won't matter.  The author, David Taylor, is certainly no slacker.  He's the VP Data Security Strategies at Protegrity, as well as the founder of the PCI Knowledge Base, Research Director of the PCI Alliance, and a former E-Commerce & Security analyst with Gartner.  He takes a pragmatic approach, urging the reader to not wait for standards, and is pretty clear that he's a believer in the value of virtualization.  But there still seems to be some "buck passing."  He seems to be saying to the merchants who are subject to the PCI DSS standards:

• You need to prove to prove to an assessor that virtualization is secure enough to pass PCI audits.
• You need to cost-justify the amount of money required to do so.
• You need to push on your application software vendors to warrant the security and functionality of their products in virtualized environments ... something they, apparently, are often unwilling to do.

To the first point, it seems to me that best practices, standards and compliance tools or other means by which assessors can address the issue with uniformity are necessary.  There are a number of security specifications for virtual hosts (one of which Eric Siebert references in his post), which, if adopted, would be a reasonably objective basis for the standards and best practices.

With these standards in place, there seems little reason why the application vendors could not address the issues of security with respect to the use of virtualized infrastructure (the hosts and networks) as well as the virtualization of the applications themselves. 

This same tale is going to be told multiple times.  It's not just about PCI, but also will impact a standards and regulations like Sarbanes-Oxley, as well as (here it comes) the standards for data security and processing security in SaaS and IaaS environments ... Yes, I mean "cloud computing."  The PCI industry has a chance to do this right up front, without the buck passing.  I think I'm with Eric on this one.

Update:

Seems that while I was heads-down with Replicate's product launch, I missed Christofer Hoff's post on PCI, virtualization and clouds.  Once I get out from under, I'll get caught up and join the fray. 

Just to be clear -- I agree with most of the points that David Taylor has made, but to follow along with this reference to the OSI standards vs the TCP/IP development of standards ... what we're missing today is the moral equivalent of the TCP/IP definitions of best practice and standard.  If the PCI DSS folks won't step up to it, let's figure out who will.

PCI Data Security Standard updated, but still does not address virtualization — Server Virtualization Blog

I am puzzled as to why they would continue to ignore virtualization. After all, isn’t just about every company virtualizing in some fashion these days? Are the people that write the specification parameters just ignorant of what virtualization is, and that it has a direct impact on their regulations? Or are they just trusting that we are all securing our virtual hosts properly and there is no need to address them? If that’s the case then they have misplaced a critical amount of trust as I am sure there are a great many virtual environments that are not properly secured. Likewise, ignoring virtualization completely greatly reduces the effectiveness of their efforts to secure environments that deal with cardholder data. It’s essentially fortifying everything within a castle, but leaving the front gate open.

StorefrontBacktalk - Why PCI 1.2 Ignoring Virtualization Won't Matter

... The issue is more than just PCI compliance. It's about reliability, performance and data integrity. The point is that deciding whether to deploy virtualized servers broadly throughout the enterprise should not hinge on PCI compliance. Once the larger application and management issues are addressed to the satisfaction of the head of IT infrastructure, and the controls documentation is put in place, then PCI compliance becomes a minor issue by comparison.

Clouds, the Criminal Element and V12N to the Rescue

Christofer Hoff has an interesting post today that reminded me of a conversation I had with Steve Tuecke, Carl Kesselman and Ian Foster in 2004 when we were establishing Univa.  The conversation pointed out that grid computing was, with little fanfare, a fundamental basis for the botnets being implemented by the "bad guys", and that grid computing models would be the most reasonable basis on which to protect the enterprise from a significant portion of intentional security threats.

The challenge, as Hoff makes clear, is the capability of establishing appropriate (and appropriately malleable) policies that travel with the applications and data.  The malleability required is not likely to be found today in conventional provisioning and scheduling systems, nor in conventional configuration management systems. 

The industry is at the stage in the evolution of utility computing/cloud computing/grid computing where the flexibility and dynamic nature of virtualization has to be applied generously to the solution of infrastructure problems like security.  At Replicate, we've started to apply it to 21st century datacenter fault prevention and remediation, which is a challenge big enough to last us a while.  It's likely to bring us in contact with a number of the security issues Hoff raises, though from a different starting point.  I'll certainly be joining Hoff in watching companies grappling with this ... though Hoff's more likely to be on the playing field (BJJ mat?), and I'll be in the bleachers.

Rational Survivability: Cloud Computing: Invented By Criminals, Secured By ???

...
One of the obvious benefits of cloud computing is the distribution of applications, services and information. The natural by-product of this is additional resiliency from operational downtime caused by error or malicious activity.

This benefit is a also a forcing function; it will require new security methodologies and technology to allow the security (policies) to travel with the applications and data as well as enforce it.

Cloud Parsing

More clarity (and practicality) is emerging in the conversation regarding cloud computing. Joe Weinman's response to my previous post goes straight to the heart of it: there are reasons why the pure, platonic form of cloud computing just won't satisfy the requirements or live within the constraints placed on corporate production computing.

Dan Woods has a very good article this morning at Forbes.com in which he identifies three issues that will bring complexity to the cloud-based solutions. He identifies them as (1) governments, (2) network topology and (3) quality of service.

With all respect to his choices, I'd probably use different terminology when laying out the issues for a geekier audience. (The column IS entitled JargonSpy !!)

(1) government regulation regarding the jurisdiction in which certain kinds of data must remain is a big issue. But there are a whole slew of industry standards (such as PCI DSS) and just "best practices" that recommend keeping close watch on where data lives and where it's processed. Compliance with regulation, industry standard or corporate best practice is a more inclusive concept.

(2) the network topology issue is really about latency rather than speed. (See Weinman's Cloudonomics Rule #8)

(3) quality of service is a loaded term for those of us with networking backgrounds. Woods' use of the term makes sense to the general readership. In fact, it's an amalgam of service properties that seem to rest primarily on reliability, availability, performance and security. Thrown in for good measure, we need to consider connectivity and resilience of the cloud.

This article is heartwarming, in that it starts to add some texture and the appropriate measure of sophistication into the thinking around cloud computing. Thanks, Dan.

(Thanks to OnSaas for pointing out the article.)

Parsing The Cloud - Forbes.com

Cloud computing is a rich vein of semantic ore for the JargonSpy because so much that is said about the cloud makes it all seem so simple. Most of the time, the story goes like this: We have an application like Salesforce.com or Google Apps, or an application programming interface to a service like Amazon.com's EC2 or S3, and we ask it to do stuff for us. Then, out there in the cloud, it all happens. We don't have to worry about what happens in the cloud, and we do not really care where it is, who else has their stuff there or how it all works.

The days of not caring are quickly coming to an end. The cloud as an abstract entity in a place you don't have to worry about will be replaced by clouds that have geographies, special purposes, other companies and rules that guarantee compliance with regulations. This week JargonSpy takes a look at how and why the cloud will transform from the simple to the complex. ...