Enterprise Cloud Computing Blog


True Isolation Makes the Public Cloud Work Like a Private Cloud

By Ellen Rubin

Security is always mentioned as a key factor limiting cloud adoption, but what does “security” really mean in the cloud? To understand the potential risks of cloud computing—and how to address them—we need to be more specific. Once we’ve accurately defined the problems, we can address them with the right technology and processes.

When you get into specifics with CSOs and risk managers, security concerns in the cloud can essentially be boiled down to two main issues:

  • It’s a shared environment: In a multi-tenant public cloud, you’re sharing resources—servers, cloud networks, and storage—with other companies (possibly even a competitor). Obviously you don’t want them to get access to your data and applications. In this shared environment, data needs to be encrypted, which means you have to develop and deploy an encryption solution that can span the data center and cloud services, and run across a range of operating systems and applications — something that many IT managers and CSOs find outside their comfort zone.
  • It’s outside enterprise control: You have to depend on the cloud provider’s security measures, policies, and assurances that your data will not fall into the wrong hands. This can be a non-starter especially given that some aspects of cloud environments are opaque. Loss of control also has another aspect: the cloud provider can make changes to their environment (kernels, storage, software, etc.) that could disrupt the trusted security processes and models that you already have in place.

These are the potential risks that enterprises are anxious to avoid. Therefore they make compromises that allow them to gain at least some cloud capabilities, while maintaining an acceptable level of security. They may choose to partner with a managed service provider to build and manage a dedicated environment for their applications. Or they may pull back completely and build an internal cloud, with applications sharing a pool of resources inside the corporate firewall. But these private cloud models only hint at the agility, efficiency, and on-demand performance available within a public cloud.

Isolation in the Cloud

So how can you incorporate a multi-tenant public cloud in your IT computing strategy without taking a big risk? For an application to run safely in a public cloud, it needs to be isolated from the environment around it at all times. This isolation is not just a matter of keeping things in (protecting data and applications from threats or prying eyes), but also keeping things out (unwanted changes by the cloud provider that could compromise your existing security processes). With our Cloud Isolation Technology, CloudSwitch provides the two-way protection that makes the cloud safe for enterprise use.

How does this isolation layer work? CloudSwitch software automatically builds a secure envelope that extends from the data center to a target cloud and encompasses your entire cloud deployment. Within this envelope, applications and data are encrypted end to end, from inside the corporate firewall, across the Internet, and within the cloud environment—in storage (at rest), during processing, and in transit through the cloud network. Encryption keys are stored within the enterprise data center, are securely transmitted to the cloud only when they are needed, and are completely contained within the isolation layer. Control of encryption keys, and thus control of the data, stays with the customer at all times. Cloud providers have no access to enterprise data at any point—and neither does anyone else.

Inside the secure envelope, the isolation layer maps cloud resources (processors, memory, storage, etc.) to match the execution requirements of the original server. Using this approach, servers and applications run in a cloud “as is” without requiring modification or redesign, and without having to worry about the cloud provider’s configuration or changes to their environment. Further, since all data entering the cloud provider’s environment is encrypted with customer-controlled keys, the data is isolated from processes and changes implemented by the cloud provider. The cloud becomes an integral part of the enterprise IT environment, while the cloud provider sees only an encrypted connection running into one of its servers, and encrypted data flowing to the storage devices.

Agility + Security: Taking Control in the Cloud

Using CloudSwitch technology, the same level of privacy and control that you would expect in a dedicated environment now becomes available in a multi-tenant public cloud. Companies can take full advantage of cloud elasticity and cost savings without being exposed to the inherent risks. True isolation lets you have your cake and eat it too—reaping the benefits of cloud computing (agility and reduced cost) while maintaining enterprise security and control.


At Cloud Connect, the Hybrid Debate Rages On

By Ellen Rubin

While some basic consensus has been reached about the definition of cloud computing (although perhaps it’s mainly exhaustion on the part of the definers), a new debate appears to be raging based on many discussions this week at the Cloud Connect event in Santa Clara. Hybrid clouds were the talk of the show, and the boundaries between private and public clouds are rapidly emerging as battlegrounds for vendors and pundits.

At CloudSwitch, we’ve been evangelists of the hybrid cloud since our founding days, and we’ve spent some time discussing internal/external and public/private trade-offs. The fact is that for most enterprises, a hybrid (or ‘federated’ in my preferred word choice) environment is the most likely computing strategy. This is because different applications require different technical capabilities and are governed by different business requirements. Some will stay behind the firewall (at least in part, if not in their entirety), while others can take advantage of external cloud offerings, be they public or private.

Most sessions at the Cloud Connect event included the hybrid issue, with much debate about the terms used. As with cloud computing, it’s time to put aside discussions about definitions and get down to the pragmatic decisions that have to be made. The key is to stay focused on the applications: which apps are your core competencies, require specialized hardware, or contain compliance/highly sensitive data? Which ones are ‘spikey’ in nature, allowing them to benefit most from cloud economics? Which ones are bandwidth-intensive and tightly coupled to other apps? Which ones have specific SLA requirements to meet customer demands?

These are the right questions to be thinking about – to match the right apps to the right computing environment. In the end, enterprise users don’t care as much about what the cloud offering is called, as they do about provisioning their specific app quickly, protecting it from security threats, and scaling and managing it as required by the business. The ability to move apps seamlessly and securely between multiple environments is a critical part of making this work, and is the linchpin of cloud federation. If you don’t need to worry about the boundaries between cloud offerings, you can embrace them all in the combinations and permutations that meet your needs.


James Cameron, Entrepreneur

By John McEleney

I recently saw Avatar (in 3D) and was blown away. Admittedly the story was pretty predictable; however the graphics, the music, and the overall experience were incredibly positive. In many ways, I think this movie will become this generation’s Star Wars, with a spellbinding new world that viewers will want to revisit again and again.

Even more amazing than the movie have been the financial results, which have been spectacular.  It took Titanic several months to reach the blockbuster ticket receipts of $1 billion. Avatar matched this in only 17 days! The film broke several box office records during its release and has become the highest-grossing film of all time in North America and worldwide. It is also the first film to gross more than $2 billion.

Before its release, many film critics predicted Avatar would be a flop. In the face of huge financial risks and doubts from industry insiders, director James Cameron had the vision, the confidence and the passion to see his project through.  In creating Avatar, he invented an entire new world, Pandora, filled with fantastic plants and creatures, and human-like beings with a rich culture and heritage. To bring it to the cinema screen, he developed breakthrough technology to create a unique viewing experience and ultimately a huge mega-hit. His vision and inspiration will completely change the way movies will be made and watched going forward.

I say forget the pundits and the Academy Awards.  Avatar may not have won top billing at the Oscars, but it won where it really counts: at the box office. I salute James Cameron as an entrepreneur. He took substantial risks, pursued his vision, and developed the innovations necessary to bring it to life. Now he’s reaping the rewards he richly deserves. I can’t wait to see it again.


Dealing with the Cloud's Latent Tendencies

By John Considine

One of the frequent questions we get when we engage with customers moving applications to the cloud is: what about the latency issues when using a cloud?  This question arises because most IT departments have had to struggle with application performance issues and the idea of adding a big chunk of latency when integrating the cloud is very troubling.  Here is how we address this:

1.   Move the whole application to the cloud. We have been working hard to allow you to move all of the components of your application to the cloud. With this capability, you are not adding the latency between your data center and the cloud to the interactions between the servers in the cloud. A simple example is moving both the presentation tiers and database tiers to the cloud. The front-end servers talk directly to the database in the cloud, and they experience “data center” level latencies (i.e., nearly the same as in your DC). This often leads to a related question: if I move the whole application, where is the hybridization and integration? Simple: there is a collection of other services and data that your applications depend on – things like name servers, identity servers, domain controllers, ancillary databases, etc. Often access to these services is not latency-sensitive because it’s not part of a high transaction rate process.

2.   Use a cloud that is “nearby.” Latency is a function of distances and “hops” across routers. The closer you are to a cloud, the lower the latency. This is one of the reasons we have architected for multi-cloud support, and are so focused on zero modification of your servers and applications. If you have the freedom to use a cloud that is “closer” without having to change your configurations, then you can take advantage of resources that make sense to you. We’re excited to see more players creating and expanding cloud offerings; more clouds in more locations means that we can help customers integrate cloud with their data center infrastructures, taking advantage of lower latency, higher SLAs, and better pricing. With Amazon opening more regions, Savvis and Terremark supporting more than a dozen data centers each, specialized players like BlueLock focusing on security and compliance, and folks like Microsoft and AT&T getting into the mix, we expect that there will be “nearby” resources available for most companies in the near future.

3.   Take advantage of WAN optimization. You cannot defy the laws of physics: the speed of light is a real limit, and thus the distance to the cloud you are using will determine the minimum amount of latency. Given this, however, there are things that can be done to minimize the impact of latency and bandwidth restrictions. There are a number of products out there that help with Wide Area Networking optimization, and CloudSwitch can take advantage of these in two ways. The first is that we work with your existing network infrastructures so that if you have optimized links available between your data center and a cloud provider, we can take advantage of them. The second is something we are working on – integration with these products such that they can be deployed with or alongside CloudSwitch to optimize cloud communications.

The bottom line is that latency issues are part of your decision process when you determine which applications (or parts of applications) will get moved to which cloud, and you should test the results early in your cloud evaluations. With CloudSwitch you have some good options for dealing with the inherent latency issues in cloud deployments so you can successfully integrate the cloud into your IT infrastructure.


Get off the Bus - Explore the Cloud TODAY!

By George Moberly

A year ago I attended a session at Cloud Expo in New York. The presenting company told the audience that “cloud exploration services” were now available. Enterprises could purchase these packaged services to discuss, probably at length, how to identify candidate applications for cloud usage.

I’ve been there and done that – as a former professional services manager for such a “Big 4” data center automation company, I’ve participated in many such “school bus” campaigns. Often the end result is that everything is said, and little gets done.

According to this philosophy, you can’t just go out and try the cloud for yourself – instead, professional services are needed, and plenty of them. After the expenditure of months of time and large sums of money, you might be lucky enough to get a report of some applications that would be suitable to move – to their specific cloud.

While this approach well serves the interest of the vendor, there is a better way.

The premise of the cloud is that there is almost no penalty for trying something and failing. Move some applications and try them out. You didn’t get the SLA or characteristics you were looking for? You’re only out a buck or two.

Of course the premise I’m making is that you don’t have to change anything in your services, applications, networking, or infrastructure to give this a try. I make the further premise that the cloud enablement software doesn’t require a services engagement to acquire, install, set up and configure, and manage operationally over time. This week, we made CloudSwitch available. Give it a try. You can acquire, install, configure, move and run your applications today. No services required. You point us to your virtual machines, our software will automatically show you if they fit in the cloud, and after we’ve transferred them to the cloud, they will look and feel just like they do now, running in your on-premise virtualized infrastructure. No engineering. No changes. No agents. No “additions” to your servers. No funny installers.

All this said, there are physics involved. I recommend a simple process that will result in immediate positive results in selecting candidate applications to move and run in the cloud, as well as in the confidence that comes from a “real test” involving complex multi-tier applications which are tied to both premise-naming services and other network services that cannot be moved out of your data center.

For a first application, I suggest finding something that has servers with relatively small disks. Moving disks over the internet can take time. Some ideas include an internal project server running a program management application, Wiki, or SharePoint. Or perhaps a development environment for a JBOSS application, or anything else based on an open source stack. Move and run this, and run the same load testing or characterization/acceptance tests you use today, and see how they perform.

For a second application, I suggest taking the web and application tiers of the three-tier application and moving them, leaving the data tier on-premise. Leave your management agents on those servers, and leave them joined to the same domain if they are Windows servers, or using the same naming services. Don’t be concerned if the servers have NFS or CIFS mounts to on-premise NAS storage.

For a more in-depth test, go ahead and move development environments for applications such as PeopleSoft, Siebel, or SAP into the cloud and develop your applications there. Extra desktops for developers make a good initial application to move, as do development support servers such as continuous build, defect tracking, and source code repositories.

Our focus on providing a zero-friction, packaged appliance-based product makes this possible. Our automatic CloudFit process will tell you up front if your application will fit and run successfully in the cloud prior to incurring any cloud spend, and how much it will cost per hour to run.

Sign up for our Beta and move and run your first application in the cloud TODAY! School bus not included.
