Virtualization

20 July 2008

De-nebulating "Cloud Computing"

While catching up on my reading (which is pretty daunting when Google Reader tells me that my "high priority" collection of virtualization and utility computing feeds holds over 1000 new posts), I came across Alistair Croll's nine-sector view of cloud computing.

Taking a look at that post prompted me to revisit John Willis' post from February and the wealth of high quality comments he elicited. John's post, and now Alistair's, represent great "locations" in the blogosphere at which knowledgeable advocates and the loyal opposition convene to bring clarity to the conversation. What I also enjoy is that I've had, and continue to have, the privilege of knowing personally and working with so many of the participants.

I'm struck, as well, by what seems to be a gap ... or maybe several ... in their lists. And, being an amateur taxonomist and incorrigible entrepreneur, I view a gap as a puzzle to be solved and a potential market to be served. I'll take the time over the next few days to reflect on the gaps, and then pose a couple of questions and see if I can add to the fun. I'll be gratified if the result adds to the conversation established by John and Alistair, as well as those raised by James Urquhart, Greg Ness, Bert Armijo, Dave Durkee, and Rich Wellner (among others). (I'm most appreciative of Bert's most recent posts as well as the fun poked at the Cloud Computing Expo's Twenty Experts Define Cloud Computing piece.)


Inside the Cloud: 9 Sectors to Watch - GigaOM
There’s already a ton of activity taking place in the cloud computing space, so much so that it can be hard to know who to watch. In many cases, it’s too early to pick winners. But there are distinct sectors of the IT industry that are particularly well suited to the on-demand, pay-as-you-go economics of cloud computing. Here are eight segments — and one company that’s a segment all its own — that we’re tracking closely.

06 July 2008

Why Cloudware and why now?

In September of last year, as I was preparing (mentally and emotionally) to get Replicate started on its current path, I considered issues of portability and interoperability in the virtualized datacenter. I posted a few comments about OVF but one in particular drew the attention of Bert Armijo of 3tera.

At that time, Bert indicated that he thought it "... too early for a standard,...", with a (perfectly arguable) claim that standards are often "... a trade-off to gain interoperability in exchange for stifling innovation." He went on to say that "(w)e haven't adequately explored the possibilities in utility computing." He then provided a critique of OVF. (Whether I agree with that critique or not is immaterial to this post, and the subject for another time.)

At the end of June, 3tera announced their Cloudware vision for a standards-based interoperable utility infrastructure. Since the arrival of Cloudware, there have been a number of venues at which "cloud computing" and interoperability have been on the minds of the cognoscenti... Structure08 and Velocity being the most heavily covered. In the past few weeks, there have also been claims and counter-claims of support... and to be fair, the disputed claims of support were made by others, not by 3tera.

So... what's changed, Bert? Why is "now the time" to create the standard for interoperable cloud computing? What's happened in 9 - 10 months that has so changed the field, that these efforts don't also stifle innovation?

Simon Wardley has also reiterated his position most recently at OpenTech regarding substitutability between utility providers (which includes portability and interoperability) ... an outcome which he maintains will require not just open standards but open source standards. When compared to the Cloudware initiative, I can more easily support this "pure form" of standard creation. The commercial success of a pure, open source standard approach for utility computing, however, requires a reasonably well-established reference implementation or some acknowledged leader as the de facto standard. (Again, the topic for yet another post.)

That said, Simon and I could not be more in agreement when he states that "... standards will emerge through competition and adoption rather than committee." I'd probably add to that statement that such standards don't (often) emerge as a result of the smaller, fragmented commercial interests banding together to form a "composite" competitor to a market leader.

I have to agree with John Willis when he states that "...what we today call the 'cloud' will really just evolve into a complex IT infrastructure ... which will link services from a myriad of inter connected inter-operable applications spanning internal legacy applications, internal/external virtual resources, private clouds and public clouds." (Full quote provided below.)

Head In The Clouds | 3Tera
Well I’m happy to say that I think the time has come when we have enough companies in the space working on creative products and services that a standard can progress productively. We’ve begun to share our vision for what that standard can achieve, it’s called Cloudware, and covers not only AppLogic but a whole new way to approach infrastructure.
john m willis ESM Enterprise System Management Blog
It is my belief that what we today call the “cloud” will really just evolve into a complex IT infrastructure of the future, and in the end, will just be referred to as infrastructure. There is no doubt the traditional IT landscape of the last 20 years is going through a substantial transformation on the same scale as what happened in the mid 1980’s as mainframe resources shifted to distributed computing and client server architectures.

This new complex IT infrastructure of the future will link services from a myriad of inter connected inter-operable applications spanning internal legacy applications, internal/external virtual resources, private clouds, and public clouds. For example, I can envision a scenario where a business service runs internal behind-the-firewall VMware instances for parts of an application and possibly inter-operates with resources on Amazon’s EC2, Flexiscale, Google’s App Engine, or a player to be named later. These same business services might also use resources from private internal clouds running 3Tera’s Applogic, IBM’s Blue Cloud, or Cassatt’s Active Power Management. Like it or not, Microsoft will have resources involved in this new IT management infrastructure of the future. Any interoperability discussion will need to include them as well. ...

13 June 2008

Jurisdiction - where in the world is that VM?

James Urquhart has an interesting post on a topic that's fascinated me for a long time -- namely, under what legal jurisdiction does a computed "transaction" take place?

The problem first came to my attention (sometime during the last ice age) with the advent of ATMs offering services from national banking and credit card concerns. If I withdrew money or paid a credit card bill at the ATM, exactly where (for the purposes of the relevant legal jurisdiction) did the transaction take place? Banking laws being what they are, the industry got around a host of problems by declaring an ATM to be a "branch bank", so that the geographic location of the financial transaction was unambiguous for purposes of law.

The days of dumb terminals and thin client computing brought with them a boatload of jurisdictional issues. And now, cloud computing and virtual server migration add to the puzzle. It's a great problem on which to reflect. James' discussion is well grounded and presents the salient issues in a very nice way.

The Wisdom of Clouds: "Follow the law" computing
A few days ago, Nick Carr worked his usual magic in analyzing Bill Thompson's keen observation that every element of "the cloud" eventually boils down to a physical element in a physical location with real geopolitical and legal influences. This problem was first brought to my attention in a blog post by Leslie Poston noting that the Canadian government has refused to allow public IT projects to use US-based hosting environments for fear of security breaches authorized via the Patriot Act.

03 June 2008

Critically Under-damped Oscillations

Chris Hoff has a great, common-sense post on security and where in the data center it will eventually end up residing.  (If you don't want me to give away the plot, go directly to the post.  Don't read the snippet I've enclosed.)

Along with the "dampened oscillation" graphic that he alludes to (but doesn't actually draw), I'd like to add my two cents about where security resides when dealing with server virtualization and the network.  Server virtualization, and particularly hot migration (like VMware's VMotion), has definitely changed the relative workload and tsuris (a technical term of art) experienced within the data center by the persons responsible for, respectively, server administration, storage administration, and network administration.

In the days before widespread adoption of server virtualization, making a new application "production ready" was a PITA (another term of art) for the server admin, who had to specify servers, install the apps, move the appropriate data for use by the apps, test, stage, re-test, etc. 

The storage admin had a modest workload, requiring attention to allocation of storage space, setting quotas, setting policies, ... but once done at the planning stage, required modest tweaking thereafter. 

The network admin had it easiest (IMHO).  Over the course of the weeks (if not months) it took to arrange for a new application to be put into production, the network admin might have to allocate ports, set VLANs, set policies, and be present when doing the lash up with the network equipment.

Fast forward to the day when a new application goes through development, test, staging and cut-over into production ... ALL using server virtualization.  Besides the fact that the time horizon for the production deployment has likely been compressed from weeks to days, the relative workloads as this cut-over approaches are radically different from the ones described above.

  • The server admin has a relative cakewalk: extend the VME cluster, copy the image, or use a hot migration to herd the app into the new spot.
  • The storage admin has pretty much the same level of work in allocating space, setting quotas, etc., and will soon be using SAN "hot migration" (e.g. VMware's Storage VMotion).
  • The network admin, however, just got a rude awakening.  If he's got SLAs to which his organization must commit, the network admin must allocate ports, set VLANs and VLAN policies, set up NIC teaming in both the virtual switches and the physical server-access switch, and set up trunking on the vSwitch and pSwitch.  Oh, and by the way... it has to be "right" for every physical server in the data center to which a virtualized application MIGHT migrate in the future.

Holy smoke, Chris!  It's not a single, oscillating signal.  It's (at least) three of 'em.  (... and if I were a better graphics hack, I'd drop in a jpg right about now.)

Rational Survivability: Security Will Not End Up In the Network...

... Here's the reality we actually already know and should not come to you as a surprise if you've been reading my blog: we will always need a blended investment in technology, people and process in order to manage our risk effectively.  From a technology perspective, some of this will take the form of controls embedded in the information itself, some will come from the OS and applications and some will come from the network.

Anyone who tells you differently has something to sell you or simply needs a towel for the back of his or her ears...

Is Co-Administration the Answer?

Rick Vanover, blogging at TechRepublic's Network Administrator site, suggests a solution to the problem of overlap between the span of administrative control normally given to the network admin and that required by a VM server admin.  It's a solution that might appeal to a network administrator, but I'm dubious.  I'd very much like to hear from the network crowd as to how this might work in practice.

Here's my take.  In our investigations at Replicate, we've noted that VM admins are often unwilling to dig into the network management systems. (There are a number of reasons, which we won't go into here.)  So, how would a network admin view this solution?  These seem to be the implications of Vanover's approach:

  • The network admin must be cross-trained in the use of the VME's management system (e.g. VMware's Virtual Center or Citrix' XenCenter).
  • The network admin is required, at installation setup, to establish consistent configurations on the virtual switches and (in a separate management system) on the physical switches.
  • The configuration settings on the vSwitches are supposed to remain inviolate and untouched by the VM admin, in order to prevent configuration problems.
  • The network admin is thereafter relegated to a passive, read-only audience for the VM management system reports, unless ...
  • ... there is a physical network issue (a problem or a need to reconfigure), in which case the network admin is reinstated with the privileges necessary to make those changes.

This sounds workable only for a short period of time, for an installation that almost never changes, or for a very small installation.


Co-Administration is the new virtualization endpoint | Network Administrator | TechRepublic.com

Almost every organization has embraced some amount of virtualization, and the network has surely been a hot topic as a virtual environment scales upward. Most virtual host systems (VMware ESX, Citrix XenServer, etc.) offer host-based switches that implement 802.1Q tagging on the ports to the virtual machines. This poses a unique question: Who administers the virtual switch when the network and server administration are handled by different groups?

...
One creative way to solve this dilemma is with a co-administration approach. This would give the network engineers access to the virtual environment for configuration during a change and read-only access for ongoing checks of configuration and for assurance that a virtual machine is not breaking any network rules, such as having a virtual network adapter on two interfaces where one is a secured or external network. In most situations, the network administrator has no visibility into the configuration of the network within virtualization installations, and the co-administered approach can change that.   ...
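The two network rules raised above, Vanover's "virtual adapter on two interfaces where one is a secured or external network" and the earlier point that the vSwitch/pSwitch configuration has to be "right" for every host a VM might migrate to, are both checkable from read-only inventory data. The following is an added example, not code from Vanover, Replicate, VMware or Citrix: it audits a constructed inventory (host names, port groups, VLAN ids, trunk lists and trust-zone labels are all made up here) and reports VMs that straddle trust zones and hosts where a migration would land a VM on a missing or mis-tagged port group or on a VLAN its uplink trunk does not carry. How the inventory is pulled from a real management system is outside what this example assumes.

```python
"""Audit a constructed vSwitch/pSwitch inventory for two network-rule violations:
(1) VMs dual-homed across trust zones, and (2) port-group / uplink-trunk settings
that are not consistent on every host a VM might be migrated to.
Added example; every name, VLAN and zone label below is constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class PortGroup:
    name: str
    vlan: int
    zone: str   # trust-zone label assigned by the network admin (constructed)


@dataclass
class Host:
    name: str
    port_groups: dict          # port-group name -> PortGroup, as configured on the vSwitch
    trunk_allowed_vlans: frozenset  # VLANs allowed on this host's pSwitch uplink trunk


@dataclass
class VM:
    name: str
    host: str      # host the VM currently runs on
    nics: list     # port-group name attached to each virtual NIC


def dual_homed_vms(vms, hosts_by_name):
    """Return (vm_name, zones) for every VM whose vNICs span more than one trust zone."""
    findings = []
    for vm in vms:
        pgs = hosts_by_name[vm.host].port_groups
        zones = {pgs[nic].zone for nic in vm.nics}
        if len(zones) > 1:
            findings.append((vm.name, tuple(sorted(zones))))
    return findings


def migration_gaps(vms, hosts):
    """Return (vm, host, port_group, reason) for every host where moving the VM
    would break or mis-tag its traffic, judged against the VM's current host."""
    hosts_by_name = {h.name: h for h in hosts}
    gaps = []
    for vm in vms:
        reference = hosts_by_name[vm.host].port_groups
        for pg_name in vm.nics:
            ref_vlan = reference[pg_name].vlan
            for host in hosts:
                pg = host.port_groups.get(pg_name)
                if pg is None:
                    gaps.append((vm.name, host.name, pg_name, "port group missing"))
                    continue
                if pg.vlan != ref_vlan:
                    gaps.append((vm.name, host.name, pg_name, f"vlan {pg.vlan} != {ref_vlan}"))
                if pg.vlan not in host.trunk_allowed_vlans:
                    gaps.append((vm.name, host.name, pg_name, f"vlan {pg.vlan} not on uplink trunk"))
    return gaps


def _host(name, groups, trunk):
    return Host(name, {pg.name: pg for pg in groups}, frozenset(trunk))


# Constructed inventory: three hosts in one cluster, three VMs on esx01.
HOSTS = [
    _host("esx01", [PortGroup("pg-app", 100, "internal"), PortGroup("pg-dmz", 200, "external"),
                    PortGroup("pg-mgmt", 10, "secured")], {10, 100, 200}),
    # esx02: vSwitch matches, but the pSwitch trunk forgot the management VLAN
    _host("esx02", [PortGroup("pg-app", 100, "internal"), PortGroup("pg-dmz", 200, "external"),
                    PortGroup("pg-mgmt", 10, "secured")], {100, 200}),
    # esx03: pg-app tagged with the wrong VLAN, and no management port group at all
    _host("esx03", [PortGroup("pg-app", 110, "internal"), PortGroup("pg-dmz", 200, "external")],
          {100, 110, 200}),
]
VMS = [
    VM("web01", "esx01", ["pg-app", "pg-dmz"]),   # internal + external: dual-homed
    VM("app01", "esx01", ["pg-app"]),
    VM("backup01", "esx01", ["pg-mgmt"]),
]


def run_audit(vms=VMS, hosts=HOSTS):
    hosts_by_name = {h.name: h for h in hosts}
    return {"dual_homed": dual_homed_vms(vms, hosts_by_name),
            "migration_gaps": migration_gaps(vms, hosts)}


if __name__ == "__main__":
    report = run_audit()
    for vm, zones in report["dual_homed"]:
        print(f"DUAL-HOMED  {vm}: zones {', '.join(zones)}")
    for vm, host, pg, why in report["migration_gaps"]:
        print(f"MIGRATION   {vm} -> {host} ({pg}): {why}")
```

The zone labels and the allowed-VLAN list on each uplink are the part the network admin owns; everything else is what a read-only view of the VM management system would show, which is exactly the split the co-administration proposal relies on.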

02 June 2008

VMware Server Virtualization, Compliance & Data Security

This is Catbird's announcement of the new assessment "service." It seems couched primarily in the context of "making you safe" when doing P2V.

While a number of the "virtsec" vendors address compliance, I've noticed a particular increase in the use of this theme with new product announcements over the past weeks. The compliance boogeyman is being hauled out by a number of vendors to make sure potential customers remember that they may need special assessments with respect to HIPAA, PCI DSS, et al. when using VMware server virtualization.

This theme was apparent in EMC's announcement of the new Application Discovery Manager 6.0 offering, which works in concert with other EMC SMARTS offers ... particularly their newly announced IT Compliance Analyzer -- Application Edition.


Catbird Offers Industry's First-Ever Comprehensive Virtual Security Assessment
SCOTTS VALLEY, Calif.--(BUSINESS WIRE)--Catbird, the pioneer in comprehensive security for virtual and physical networks and developer of the V-Agent™ virtual appliance, announced today the industry’s first and only state-of-the-art Virtual Infrastructure Security Assessment (VSA). Catbird’s VSA helps IT administrators identify and close the potential gaps in security and compliance created in the move from “P to V”. The 30-day assessment includes a thorough security analysis, detailed reports with actionable intelligence and a comprehensive plan to mitigate risk and protect critical virtual systems, networks, desktops and processes.

Catbird’s VSA combines traditional security assessment methodologies with unique virtual infrastructure telemetry gathered through Catbird’s stateless, non-invasive V-Agents to deliver robust scrutiny previously unachievable with existing mechanisms. The VSA identifies the scope and magnitude of the virtualization compliance gap through qualitative and quantitative analysis of the new architecture’s impact on change control, separation of duties, network visibility and segmentation, and secondary validation.

27 May 2008

MSFT to Craft its own VMsafe?

Virtualization.info has a short but interesting post, which refers to a parenthetical comment from Chris Hoff which might imply that MSFT is considering / working on a VMsafe-like framework.

Is Microsoft working on a VMsafe-like framework? | virtualization.info
...
So far Microsoft didn't take an official position about the topic but virtualization.info had the opportunity to speak with several representatives who clearly stated how carefully the company is evaluating the security implications of a VMsafe-like approach.

Nonetheless Microsoft may be working to build the internal know-how needed to achieve the task.

Just two months ago in fact Microsoft acquired a small security firm focused on rootkit detection called Komoku.

As Christopher Hoff, Chief Security Architect at Unisys, recently discovered, Komoku did some research in the past, presenting a solution for Xen where virtual machines can do self-diagnosis and self-healing as well as learning to protect against subsequent attacks. ...

06 May 2008

Hyper-V Needs a Pit Crew

One aspect of the staggered release of Hyper-V and VMM 2008 is the focus on how to manage virtualization ... any virtualization environment, but specifically Microsoft's. What this article also points out is that VMM 2008 starts out by demonstrating its capabilities to manage multi-vendor environments.

The article ends with Mitchell Ashley expressing doubt about the relative price to the customer for using VMM 2008 versus VMware's VirtualCenter. In my view, he doesn't come right out and say that the comparison is bogus, but he should. If a datacenter's use of VMware depends on ESX functionality like VMotion, DRS (an automated VMotion) or HA (high availability), the customer has to buy VirtualCenter. That makes the price of VMM 2008 an additional cost to the datacenter ... not the cost of substituting it for VirtualCenter.


Hyper-V May Cause Hyper Tension | NetworkWorld.com Community
Microsoft needs a successful Hyper-V launch out in the marketplace to begin to stave off VMware's dominance. But Hyper-V can't do it alone, that's only part of the picture. Just having Hyper-V is like having a NASCAR race car but no pit crew. Hyper-V's got to have the management tools to be successfully utilized by IT. Most agree; the hypervisor will be a commodity, it's the management capabilities enabling customers to manage virtualized environments that will win the day. ...

What's needed most to deploy software on Hyper-V at any scale is Microsoft's Virtual Machine Manager 2008 (VMM). VMM just went into beta and is expected to ship 30 to 60 days after Hyper-V's release, making the product launch likely sometime in early fall.

VMM's making some interesting claims about managing virtualization. Not only is VMM 2008 managing Hyper-V, Virtual Server, but also VMware's ESX product. Microsoft isn't claiming VMM is a full replacement for VMware's Virtual Center product, but is claiming a significant portion of what Virtual Center does can be done within VMM. ... The VMM team's blog post is claiming Microsoft does all this at one third the cost of VMware, but that's an incremental cost if you are already a VMware Virtual Center customer. And we'll have to see if Hyper-V and VMM are competitive against VMware in new accounts where VMware doesn't already have a presence.

24 April 2008

SPLA Application Streaming likely to make a SPLAsh

An interesting turn of events that I've missed while being "heads down" in the establishment of Replicate Technologies is the impending Microsoft Service Provider License Agreement (SPLA). This is a major breakthrough for desktop virtualization and promises to open up some very interesting business opportunities.

Microsoft Opens the Floodgates for Streaming Applications : VMblog.com

Endeavors Technologies, the pioneer in application streaming and virtualization technology, and its parent company, Tadpole Technology plc, today announced support for the Microsoft program amending the Service Provider License Agreement (SPLA). The new program allows service providers to stream Microsoft Office for delivery through a Software-as-a-Service (SaaS) model.

"We've anticipated this change and are pleased that Microsoft now has a date for allowing service providers to stream Microsoft Office," said Peter Bondar, CEO at Endeavors. "We have completed proof of concept programs with a number of providers and have been waiting for the amended SPLA program to roll out new services. Through our partnerships with Partner Advantage and others, we are poised to take advantage of the new business opportunities on day one. We applaud Microsoft in taking this bold step." ...

17 March 2008

HP's Data Center Transformation ... don't forget the network.

Reading through some of the articles commenting on HP's announcement of their Data Center Transformation initiative, I came across this rather odd bit from Arthur Cole at IT Business Edge. He mentions that he's had the opportunity to speak with John Bennett, WW Director of Data Center Transformation Solutions at HP. After setting the stage for the conversation, he makes the point that, too often, data center refurbishments are done to meet short-term goals, and distinguishes HP's approach as being a good deal more strategic.

“Rather than think of it as one massive project, we’ll develop a strategic view first, and then use individual projects over time to build out the next-generation data center,” Bennett said. “You’ll achieve your tactical objectives on particular projects, but you’ll also lay out the foundation for years of compounded returns.”

Sounds right, and then Cole points out what, to him, seems problematic.

... About the only flaw in the plan that I can see is a lack of network support. With server, storage and virtualization as part of the mix, I was a bit surprised when Bennett said he hasn’t had many dealings with HP’s networking unit. It seems unlikely that a series of ProCurve switches couldn’t be brought in should the need arise, although that need could be substantial given the level of virtualization and consolidation that users are likely to require. It might make sense to make networking a more integral part of the strategy.

(.... pregnant pause..... raised eyebrow.)