Showing posts with label virtualization. Show all posts

Saturday, February 28, 2009

Security In the Cloud

Yesterday I watched a little bit of the Ustream of "Whose Cloud Is It Anyway" - a round table and meetup in Mountain View. The discussion, while interesting, was a little dry. I actually enjoyed tweets from Christofer Hoff and James Urquhart much more.

Today I ran across a presentation by Dan Kaminsky - a name I hear a lot (mainly on TWiT, I believe). His presentation, below, is titled When Irresistible Forces Attack Security In The Cloud. The presentation covers security in cloud computing and has a number of interesting points:
  • "Uncomfortable Fact #6: Virtualization Not Actually Required For Cloud Compromise" -- slide 26
  • Slide 30 -- three classes of private clouds: Fully private, outsourced private and non-secure (i.e.: Amazon's S3)

The enterprise cloud play is the more interesting one to me. I have gotten over my disgust for the marketing hype frenzy by calling it the "cloud" (it also gives many magazines and blogs an avenue for pretend-creative article titles). I'm still looking for a good definition that is 'not' the same as the Internet, or an overall shift in computing architecture. Anyway....time to move on.

Now.... take the Kaminsky presentation and throw on a slew of acronyms provided by the government. Corporations have a number of laws, policies, audits, acts, trade secrets, terms of service, privacy and other things to worry about. The World Privacy Forum held this last week presents a very interesting report: "Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing". I think the report drives home the point that there are many issues and things in cloud computing are still being hashed out. Some interesting findings include:

  • Finding: Cloud computing has significant implications for the privacy of personal information as well as for the confidentiality of business and governmental information.
  • Finding: A user’s privacy and confidentiality risks vary significantly with the terms of service and privacy policy established by the cloud provider.
  • Finding: For some types of information and some categories of cloud computing users, privacy and confidentiality rights, obligations, and status may change when a user discloses information to a cloud provider.
  • Finding: Disclosure and remote storage may have adverse consequences for the legal status of or protections for personal or business information.
  • Finding: The location of information in the cloud may have significant effects on the privacy and confidentiality protections of information and on the privacy obligations of those who process or store the information.

A Network World article discusses the IDC Cloud Computing Forum. Joseph Tobolski, director for cloud computing at Accenture, states "Some people create a list of requirements for security in the cloud that they don't even have for their own data center". Well....maybe they need BETTER requirements for their own data center!! I personally don't think people worry "too much" about security in the cloud; it is a legitimate concern that any responsible business should question. The good news is that cloud providers have the chance to do security right, and provide a more secure environment than the small/medium business could have done for itself. The bad news: it's early yet, and that completely secure (if there is such a thing) environment is not built yet.


When Irresistable Forces Attack

Sunday, September 28, 2008

Virtual Intrusion Prevention Appliance

A short while back I linked to a presentation by Christofer Hoff about virtualization and security. Those that attended VMWorld a few weeks back reported that security was a big theme at the show. Well, the trend continues.... with IBM offering a peek at the future of its Proventia Network Virtual Intrusion Prevention System appliance. It looks like this product (and maybe others) will be out early next year.

Check out the Network World article here  and more from IBM here

Wednesday, September 17, 2008

Virtual Blog Post

With some big announcements from Cisco and VMWare, it was a big day for virtualization.  Before getting to the press releases, I went back and searched my blog for posts on virtualization -- and I found some interesting things.  In July 2007 I tried to comprehend all of the virtualization technologies available in a summary post.  I left a place holder for virtual networks because I really didn't get that one yet, but there was a foretelling blog post by Peter Christy on 'how' to virtualize a network.

Well -- all of that IOS engineering that Peter talked about appears to have been worked out and Cisco had a couple of big announcements today. First, they announced the new Nexus 1000V, a virtual software switch; an industry-first 3rd party virtual distributed switch. The joint Cisco/VMWare announcement was made today at the VMWorld conference. Check out the Cisco page on the 1000V - they do a nice job of explaining the technology. DatacenterKnowledge has a nice post on the announcement as well.

The second announcement was about new Data Center 3.0 technologies for Storage Area Networks.  The new technologies are intended to enhance SAN Services in Virtual Machine environments.  Building on the unified data center fabric:

"The new Cisco SAN technology includes three Cisco MDS 9000 Family 8-Gigabit-per-second (8-Gbps) Fibre Channel switching modules and new capabilities in Cisco’s SAN operating system, which has been re-branded NX-OS. These new SAN capabilities, combined with Cisco’s data center-class MDS and Nexus platforms, will help IT managers evolve towards a single operating system and a unified data center fabric, simplifying data center management and reducing costs."

 The 3 new Cisco modules are a 24 or 48 port 8-Gbps Fibre Channel Switching Module, and a 4/44 Port 8-Gbps Host-Optimized Fibre Channel Switching Module.  CNNMoney has an article on the press release here.

Cisco stock fared pretty well today and I found a financial analysis of Cisco through July 2008 at financial-guages.com.


VMWare announced their Virtual Datacenter Operating System (VDC-OS -- because we need a few more acronyms in the industry).  "The Virtual Datacenter OS allows businesses to efficiently pool all types of hardware resources - servers, storage and network – into an aggregated on-premise cloud – and, when needed, safely federate workloads to external clouds for additional compute capacity.  Datacenters running on the Virtual Datacenter OS are highly elastic, self-managing and self-healing."  Check out the complete press release here.  Another announcement they made was their vCloud Initiative for Enterprise-class Cloud Computing.  It's a pretty cool initiative -- the press release can be found here.  In a VMWorld keynote, President Paul Maritz described internal and external clouds, as well as "giant computers" :)  VMWare stock ended up 2.41% for the day.

The blogosphere was busy with all of this news as well:

Cisco Data Center Blog  (also some cool new information on an acronym sure to compete with World of Warcraft -- Cisco's Windows on WAAS)

FountainHead

The Lone Sysadmin

Michael Keen

GigaOm



Thursday, August 21, 2008

The Four Horsemen of the Virtualization Security Apocalypse

I definitely need to get to the Black Hat conference next year. It was just a few weeks back in Vegas and it looked to have a ton of good sessions. One of my absolute favorite bloggers, Christofer Hoff, was nice enough to post the slides from his session on "The Four Horsemen of the Virtualization Security Apocalypse". Although, as he points out, the slides are meant to go with his speaking, I went through all 176 slides and it was AWESOME!! I highly recommend anyone interested in virtualization, security....or otherwise take a minute to read through his presentation.

Check out his blog and the presentation PDF here.


Tuesday, March 18, 2008

Asynchronous Data Replication Patent

I had not heard of virtualization and provisioning software company Exludus prior to their March 18th press release, but their software sounds very cool. They announced that they have received a patent for "Asynchronous and Autonomous Data Replication" technology.

Exludus' tag line sums up what they do nicely: "the leading developer of multi-core system capacity management, virtualization and provisioning solutions". Check out the GRID Today article here

Back in February they announced a reseller relationship with one of my favorite companies - SGI. The agreement will embed eXludus Grid Optimizer in the SGI BioCluster solution.
“Through testing conducted on a 64 processor configuration, it was observed that Grid Optimizer™ provided up to 90 percent performance gains on key life sciences applications.”
Sweet!!
Check out the February press release here

Monday, February 25, 2008

Novell Acquires PlateSpin


I knew it! Ok, well, I knew part of it. I had always figured that Platespin was ripe for acquisition. Very cool products in a hot market....it was bound to happen sooner or later.

Today Novell announced that it was acquiring Platespin for $205 million in cash. Platespin specializes in software that allows workloads to be spread across physical and virtual servers. The acquisition strengthens Novell's virtualization stack and gives it an affordable disaster recovery solution.

Sunday, December 16, 2007

MLB and Orbitz Case Studies

Network World is probably in the top 3 for my favorite magazines and web sites to visit. They really do a good job of capturing the news, but also delivering some good interviews that demonstrate real world use of the technologies they cover. Two particular stories caught my attention recently that I enjoyed:

The first was a story of Major League Baseball Advanced Media -- I visit mlb.com and stlcardinals.com frequently. The article interviews Ryan Nelson, director of operations for MLB Advanced Media. MLB uses Joyent services to 'dial-up' and 'dial-down' their use of servers and compute power based on the seasonal load and needs. I had heard of Joyent before, but never really looked into them. It's a pretty cool service, and seeing how MLB.com uses their service helps solidify the concept. Yes, it's another company jumping on the "cloud computing" bandwagon, but they offer some pretty innovative solutions, coupled with some cool Sun hardware and technologies. I had a brief introduction to Sun virtualization technology at the Blackbox event earlier this year, but if you haven't checked out Solaris Zones it is worth a look. MLB has data centers in New York and Chicago, and thanks to the infrastructure they have set up they can move utilization between centers (for upgrades and such) on the fly. It sounds like Ryan Nelson has a pretty cool job playing around with this infrastructure and new technology. Check out this interview/article here

The second article (thanks for the link Ben) from Network World is about travel web site Orbitz. Like everyone else in the industry, Orbitz is trying to go green -- or as CIO Bahman Koohestani put it, "taking his IT operations carbon neutral". One thing that I liked about Orbitz (in this article) is that they know how much energy they use, monitor their use on a daily basis, and they know how much cooling they use for various parts of their operations. Going green is great, but keeping very close tabs on energy use and mining the data is even better (in my opinion). Orbitz has two large data centers in the Chicago area and Koohestani touts it as an excellent place to locate data centers. Chicago is RED hot nowadays for data centers. Like other stories we have seen about company strategies -- Orbitz is slashing the number of servers used, and consolidating data center operations worldwide. The article has all of the details about how they are greening their IT operations.

Wednesday, November 28, 2007

Paradigm Shift

Without sounding too much like an analyst and over-generalizing the tech industry as a whole, I really believe we are in the middle of a paradigm shift for technology. I’m old enough to remember mainframes, but never operated or administered them (unless doing COBOL programming in college counts). So there was the mainframe era, the client/server era and whatever-we’re-in-now era. I’ve loved the concept of utility computing ever since the hype (and over-hyping) began. I think it has a ton of potential and some really important concepts and intelligent people behind it. As many others have pointed out, the internet companies have contributed a significant amount to changing architectures used in IT. Perhaps they can be credited for driving much of the needed change that allowed for such enormous scalability (there, the words paradigm shift AND scalability should sit well for the search engine spiders :) A comment from a Gartner session yesterday summed it up nicely…. “cloud computing has ‘some’ degree of truth to it, but also a lot of fog”.

I’ll keep this post as short as possible so I don’t blab on too long and lose readers (assuming you have made it this long). I wanted to link to some utility computing and virtualization articles I liked and then make a few links out to some thoughts on data center containers/black box (DataCenter in a box part IIIa).

Bert Armijo and Peter Nickolov from 3Tera wrote an article recently on Fishtrain about services that virtualization needs to adapt to the utility computing model. It is a very good article about future concepts and why virtualization is “not a complete utility computing solution”.

The additional service that I would add is security. I’ve been a big fan of Christofer Hoff’s blog that frequently discusses virtualization security and potential vulnerability attack angles. And speaking of innovative technologies and industry shifts, check an excellent post on Security and Disruptive Innovation part III. Security needs to be improved in virtualization, but even more so as it spans across a utility computing implementation.

Network World also ran an interesting article on virtualization security and the realization that many are coming to for their implementations and how some have not even started their implementation because of security issues.

Because I am in the data center business I always digress to the physical part of the infrastructure when the ‘virtual’ data center is mentioned. To me there is no such thing as a virtual data center because it is the one true ‘real’, tangible asset in the infrastructure equation. So when I read about Amazon EC2 and 3Tera, I love the utility computing concepts and having infrastructure virtualized across physical data centers. Of course, with my recent white paper on site selection I also automatically assume geographically dispersed data center locations to account for BCP plans and risk avoidance.

A final paradigm shift item I’ll mention is workload lifecycle and management. I don’t know if I completely understand it yet, but I have spent a fair amount of time on the Platespin web site and feel they have a very complete set of products. As it relates to a new and better way to deploy, manage and control your infrastructure I would recommend anyone gives their products a consideration. There is also a decent joint presentation from Dell, Microsoft and Platespin on their respective technologies here

Ok, so there is the paradigm shift in infrastructure architecture and deployment options. Let’s go up a level and look at the data center as a whole. If you’ve read my blog for any amount of time you know I am intrigued, interested, and perplexed by the container model that Rackable, Sun, APC and others have come out with and Google patented, but was dropped as a research project.

There are some interesting comments on the Slashdot post about Intel Data Centers. Some of the interesting points I noticed from these comments are:

1. Chuck Thacker from Microsoft has a very interesting PowerPoint presentation on data centers as a container model. It is a 26 slide presentation full of their research and insight to the topic.

2. There are references to the recent news about Sun’s BlackBox being used underground in Japan and using Geo-exchange for cooling and heat exchange.

3. A user comment: “The reason a "data center in a box" sounds so attractive is that the amortization schedules are different for IT equipment and buildings. If building infrastructure can last its advertised 25-30 year life then a tilt-up or factory assembled type of building structure is more cost-effective than containerized data centers architecturally.”

The thing I have always been thinking about, and that was brought up many times in the Slashdot comments, was just what in the world was the practical application of the data center container? With Google, Sun, Microsoft and others seriously looking at it and doing such deep research on the possibilities, you simply have to think that there is something that they have found that makes business sense and that they have justified.

More later --- back to the Gartner conference for now…..

Sunday, November 04, 2007

Symantec State of the Data Center Report 2007

Last Tuesday Symantec (SYMC) announced the release of their 2007 State of the Data Center Report. The international study surveyed managers of Global 2000 and other large companies. The magazines, web sites and company white papers are constantly full of industry statistics and trend monitoring, but I think this report did a nice job of doing the legwork necessary to get real data from those facing the issues in the data center today and presenting it in a clear and concise manner. I think one sentence in the paper summarizes the main point nicely:

Essentially, data center managers are being asked to deliver more high-quality services in an increasingly complicated environment, yet their budgets are relatively flat. As a result, data center managers find they adopt cost containment strategies that make use of new technologies, including virtualization, and new management approaches, such as those that automate routine processes.

Here are some of the highlights that I gleaned from reading the report:

  • Of the five issues (of factors impacting today's Data Centers) I think #2 and #5 are the big ones (in my mind). #2 is staffing and #5 is Disaster Recovery/Business Continuity Planning. Staffing has been noted several times in the press and is obviously becoming a large issue that managers must deal with.
  • Better preparedness for a disaster now versus two years ago was listed by 53% of the respondents. When thinking of locations for your DR and BCP plans, don't forget my Site Selection white paper.
  • Not surprising, the always fun statistic proved true once again for a cause of downtime. Twenty-eight percent of respondents listed "change or human error" as a chief reason for downtime. Although some stories have downplayed ITIL, I think for this reason alone you will see an increased usage of the ITIL guidelines in data centers. This obviously plays into the staffing issues raised as well.
  • The report has good information on virtualization plans. I think it will be interesting to see how Microsoft fits into this market in the near future. I don't believe they will pose a serious threat to VMWare, but will most likely balance out the market a little more and have a decent percentage. VMWare was the top product listed in the U.S. but almost half of Asia-Pacific respondents are using Microsoft virtualization, with only 35% going to VMWare. I haven't finished watching it yet, but here is a video of Eric Traut from Microsoft, presenting on Microsoft's virtualization technologies (it also mentions Windows 7).
  • The outsourcing statistics were interesting. Forty-two percent of U.S. managers said they utilize outsourcing, while 61% of non-U.S. organizations do. "Among the most common tasks outsourced by both U.S. and non-U.S. organizations are server maintenance, backups, storage management, archiving, and business continuity."
This is, overall, a very good report and worth the read. Check out the press release here

Sunday, October 14, 2007

Netapp DoD Data Migration

Enterprise Storage Forum has a pretty interesting story on the Defense Contract Management Agency (DCMA) going from 18 data centers to 2. They virtualized the middleware and consolidated data with Network Appliance's Virtual File Manager (VFM).

In addition to consolidating the servers, DCMA also needed to set up a common file system that would work across the enterprise. For this it created a File Area Network (FAN) using software and storage appliances from Network Appliance. DCMA has more than 300TB of storage.
I think we will continue to see stories like this as large projects are under way to consolidate, virtualize and set up common file systems and platforms across the enterprise.

Check out the article here

Wednesday, August 22, 2007

DataSynapse

On the 'Grid'ComputingPlanet.com website there is an article on Data Synapse and the growing trend of jumping on the virtualization band-wagon. They now consider themselves the fastest growing application virtualization vendor.

I personally like the term grid (for them) better, but I can see a fit with virtualization as well.

"We're actually a lot like VMware in the problem we're solving," said Bernardin. But instead of creating virtual machines, DataSynapse creates "application instances" to maximize application performance, decoupling applications from underlying resources to improve scalability and resilience and set priorities.

"That requires an underlying platform, such as a grid," said Bernardin, who calls grid technology a "precursor" to such advanced functionality.

They expect 50% sales growth this year and a potential IPO next year! I ran across them last year and really like their product offerings. I spoke with a partner rep at the company because I have an idea for a product offering of my own that would incorporate their product. Their GridServer and FabricServer products are extremely cool and worth a look.

I would 'almost' venture to say that they are a good target for merger/acquisition. Perhaps the IPO is a backup plan. Adding/acquiring something like 3Tera's Applogic might be a nice complement....?

Check out the article here

Tuesday, August 21, 2007

Virtualization: I'm OK, You're OK

With all of the hype around virtualization, I couldn't resist another post. A few items I've found while surfing lately have really piqued my interest.

The first one is well over my head, but extremely cool. It's a year old, but I imagine some of the concepts still apply (or have been revised/improved/tweaked). It's called Hardware Virtualization Rootkits, from Dino A. Dai Zovi and can be found here. If you are into security at all, this guy does some insane research.

The second one I ran across was from a favorite blogger of mine - Christofer Hoff. It's a presentation on Virtualization and Network Security. It's an excellent mix of Virtualization concepts, vulnerabilities and solutions from his former company, Crossbeam. Check out the blog post here and presentation here.

The final is a presentation entitled The Virtualized Rootkit is Dead from Matasano, Symantec and RootLabs. It discusses HVM malware, virtualized malware detection and the Samsara framework. (Dino Dai Zovi is on the Matasano team)

Friday, July 27, 2007

Virtualization Follow-up

Just a couple of things I wanted to write about as a follow-up on my post a while ago on Virtualization (man, this is one, hot topic)

  • Unless you have been under a rock, you have heard about "Data Center 3.0" from Cisco. BTW: I thought Tim O'Reilly was the only one that could coin a term like that. :) Anyway, this is one seriously cool product that I plan on reading up on soon. To top things off, they then turn around and invest $150 million in VMWare!

  • One seriously cool company I forgot to mention in my Virtualization post was Platespin. It's best just to check out their site and product offering, but they summarize their offering as "Anywhere to anywhere workload portability and protection". Since I made a wild guess about Opsware being bought, I would like to say that Platespin sure seems ripe for the picking ....... by......umm....BMC (yeah, that's it)

  • Microsoft Cloud OS: This isn't really virtualization - but I'm going to throw it in because it is kind of cool. Cnet has a good article on the next Microsoft developer platform where they plan to open it all up to the public. "Microsoft plans to open up much of the technology that powers Windows Live as well as the underlying infrastructure." Check out the Cnet article here.

  • OK -- I saved the best for last. I'll start with a quote that I really like: "future of IT is being defined on the Internet". Granted, it is a little basic for a cool quote, but read this Web Hosting Talk article and you'll see why it is inspiring. The quote is from Barry Lynn of 3Tera. 3Tera and Layered Technologies teamed to build a virtual private data center (grid), composed of 443 CPUs, 920GB RAM, and 47 terabytes of storage. They allow you to easily scale your product/site/application because they have infrastructure over many data centers and 'they' worry about the infrastructure, not you. It is a step closer to a true utility computing model and think what you want...."I" think it is the way of the future.