Enterprise Cloud Computing Blog

P2C: A Funny Thing Happened on the Way to the Cloud

By Ellen Rubin

As IT organizations move forward with their virtualization initiatives, consolidating operations and shrinking provisioning times, the cloud has come along as an even more compelling option. In the cloud, companies can build capacity on-demand without having to own or manage the computing infrastructure. As companies review their application portfolios, they’ve started to realize that many of their not-yet-virtualized apps could easily be run in the cloud. In particular, applications that are characterized by spiky, cyclical, or seasonal usage could benefit the most from the cloud’s economics and scalability, but a significant percentage aren’t even getting the benefits of virtualization.

So what’s the delay in going “P2V” (physical to virtual)? As with the cloud, virtualization has typically percolated from the bottom up. In many cases it crept into organizations, led by developers and technology evangelists who recognized the efficiency and cost advantages of virtualization and simply started using it. While many enterprise customers have started expanding their virtual footprints, it can be a long and complex process. Although technically it’s quite easy to virtualize an application, using a number of well-known P2V tools such as VMware Converter from VMware or PlateSpin (now owned by Novell), the harder part of the process is often agreeing which applications to virtualize and understanding the inter-dependencies between these apps and other data center services.

As corporate IT has slowly adopted virtualization as a strategic imperative, the cloud has come along with paradigm-changing flexibility and elasticity. We’re now seeing enterprise customers and prospects ask what they can do with applications that aren’t yet virtualized and are still sitting on dedicated servers, recognizing that the cloud is likely to be their ultimate home. Thus we’re seeing the emergence of a new model, “P2C” (physical to cloud), with virtualization in the data center becoming a stepping stone to the ultimate destination of the cloud. As discussed in a previous blog, the cloud has become a catalyst that is prompting companies to broaden their virtualization efforts.

Customers and prospects have told us that the P2C model is far preferable to simply performing a virtualization project in a vacuum and figuring out later which applications really belong in the cloud and how to get them there. In contrast, P2C is all about planning for the cloud from the outset, starting with virtualization and moving to the cloud as a natural progression. The P2C approach can also lead enterprises to alter their virtualization strategy compared to pure P2V. In some cases, they may want to use the cloud as a temporary home for applications that need to migrate between data centers, to support satellite offices or in the case of an acquisition. In other cases, they may keep the application permanently in the cloud and be able to budget for far fewer internal resources.

Thus, we encourage customers to consider P2C as a valuable strategy, since for many applications, the cloud will deliver far greater self-service and on-demand computing power than available internally. By planning for this ultimate goal and designing their infrastructure accordingly, customers can also potentially save a great deal of time and money. Ultimately, a single integrated environment will span the virtualized data center and multiple clouds, using the same tools and providing the same simplicity of experience. CloudSwitch is working with our customers and partners to make it easy to use the cloud, regardless of the starting point.

OpenStack - Advancing Cloud Computing in the Open

By John Considine

When Rackspace first started talking with me about open sourcing their cloud software, I was truly intrigued. The idea of releasing the software behind their cloud was unexpected given that most cloud providers treat their infrastructure, and particularly their control software, as a differentiator. One of the things that make the software so valuable is the hard-earned lessons from building, scaling, and maintaining a cloud. An infrastructure that has actually been deployed and scaled to cloud size has real value to everyone trying to build a cloud. So when a company that has been in the cloud business for a long time in “cloud years” decides to open up and share their software, you have to stop and look.

Last week, Rackspace held an event that brought together a veritable who’s who in cloud computing “to validate the code and ratify the project roadmap”. The sheer size of the summit was a tribute to both Rackspace and those who are looking to advance cloud computing. What I found most interesting was the number of attendees who are potential competitors to Rackspace – other cloud providers or hosters looking at getting into cloud computing. Of course, open source means that anyone can use and improve the code, but the fact that Rackspace invited these companies, and that they attended, says a lot about the industry. When I talked to Lew Moorman and Jim Curry about this, they said it was simple; they want to compete in the cloud the same way they compete in their hosting business -- with their service. During the design summit, the Rackspace crew stated that they are going to do everything in the open; this means that they are going to put it all out there and not hold back certain pieces as private code. Given this, I really believe that they want to compete on their “Fanatical Support”.

Rackspace and NASA are teaming up to release the source code for implementing a cloud – Rackspace is providing their Cloud Files software for building a scalable object store system and NASA is providing their Nebula code for building a Cloud Server system.   The developers from both Rackspace and NASA presented details about their software, lessons learned, and future directions, and then they turned to the attendees to solicit requirements and suggestions.  Hot topics included APIs, controls and methods for distributing VMs into the cloud (scheduling), and Networking. 

The OpenStack project will utilize the Rackspace API, but will also support API “extensions” so that a number of APIs can be added.  It is no surprise that there was desire to support the Amazon API since it is already a “standard” of sorts, and is the primary API for NASA’s Nebula component.  The question here is that if the OpenStack software supports multiple APIs for controlling the clouds, what is the true API, and how will OpenStack help drive standards if it supports multiple options?

A lot of companies out there are spending a lot of money and resources to build clouds, and the biggest are rather secretive about how they do it.  This is a bold move by Rackspace, NASA, and all of those supporting the effort to drive a fully open project to build the clouds to compete against proprietary solutions.  We look forward to more clouds to target both inside the enterprise and in the public domain because we believe that more options will help move everyone closer to a better way of computing – Cloud Computing.

Data Center in a Box

By Damon Miller

Years ago I had the privilege of helping to grow Bladelogic from early-stage startup to a profitable organization of over 300 people.  In the early days one of my first challenges was figuring out how to show our product to prospective customers effectively.  I needed to show our ability to manage a large IT infrastructure but I had to do so without actually dragging a data center to each of our sales calls.  (My first attempt involved renting a fleet of trucks but visitor parking turned out to be a real challenge.)  As I look back on that situation now, I realize that CloudSwitch offers a perfect solution to this “data center in a box” problem.  In this article I’ll walk through the use case and describe a new CloudSwitch feature, Sample VMs, which makes this possible. 

The first step toward a virtual data center is to use virtualization, of course. In late 2001 VMware released the third major version of their Workstation product.  Given my demonstration requirement, I bought a copy of Workstation, found the biggest “mainstream” laptop available at the time, filled it with memory, and deployed as many VMs as it would run without completely falling over.  Depending on the end user’s patience, that number was somewhere between four and six.  While not exactly a world-class data center, the end result served us well for demonstration purposes.  It was, however, limited in capacity, slow, expensive, and difficult to maintain. 

In retrospect, what we really needed was a way to:

  1. Quickly start new servers and turn them off when finished;
  2. Use existing, internal virtual servers or public server images; and
  3. Connect to these servers as if they were on the local network.

Fast-forward nearly ten years and the first of these points—utility capacity on demand—is all but ubiquitous courtesy of providers like Amazon and Terremark.  We of course know this as “the cloud” and companies use it every day for a variety of reasons.  The second two points are more interesting.

Today’s cloud providers have implemented their platforms on a particular virtualization solution—and in many cases they’ve customized these solutions to suit the needs of their product offering. This is of course perfectly natural; however, one practical effect is that end users cannot simply take their own virtual machines and expect to run them within a given cloud provider’s environment. The reasons vary—different virtualization solution, different underlying hardware, different capabilities—but the end result is always the same: cloud providers will not allow end users to upload custom VMs and run them. For this, CloudSwitch is needed.

One of CloudSwitch’s fundamental benefits is the ability to run customers’ virtual servers in whichever cloud provider is most appropriate, regardless of the underlying implementation details.  After deploying our appliance, users can select virtual servers within their internal VMware environment and migrate them to a public cloud provider such as Amazon or Terremark without being forced to modify those servers in any way.  No additional software or configuration change is required for this to work.  Users literally “point and click” to migrate virtual servers from their data center into a cloud provider.

In many cases, users want to leverage the cloud but don’t want to migrate existing servers. CloudSwitch supports this approach as well. With the recent GA release, CloudSwitch allows customers to select from a set of public “Sample VMs” for access to cloud capacity. Customers can use these sample VMs for a variety of purposes—evaluation, production, or anything in between. Further, since these machines have already been moved into the cloud, starting them is quick and efficient. Current Sample VMs include a stock CentOS 5.4 base image, SugarCRM, and Bugzilla running on a Windows OS. We’re expanding the list of Sample VMs based on a range of customer use cases, and have plans to include many open source and partner products.

The final point—seamless connectivity—speaks to the way cloud providers offer connectivity to their instances. Today, each provider has chosen a particular network architecture for delivery of their services. For example, if you start a Linux instance in Amazon’s EC2 service and run “ifconfig eth0” you will likely see a 10.x.x.x IP address assigned to the interface. This is because Amazon has chosen the 10.0.0.0/8 private address space for connectivity to customer instances. Other cloud providers use different addressing schemes, but regardless, these are different and disconnected from what customers are using within their own data centers. Further, secure connectivity to these instances is not convenient and in many cases is not possible. CloudSwitch addresses this problem as well.

As part of the deployment process, CloudSwitch automatically creates a secure overlay network within the chosen cloud provider’s environment.  This overlay network extends a customer’s internal data center into the cloud so the cloud-based servers are part of the customer’s data center network.  When migrating existing servers into the cloud, end users see no difference; they can SSH or RDP to migrated instances without even realizing that their servers are no longer running within the data center.

So, CloudSwitch offers a way to leverage the power of the public cloud without forcing end users to change the way their infrastructure is configured.  We also offer a set of sample content customers can use if they simply want to establish a footprint in the cloud without migrating existing servers.  Finally, end users connect to cloud servers just as if they were running within the data center network.  The implication for my “data center in a box” use case is probably obvious: I could have installed the CloudSwitch Appliance on my sales engineers’ laptops, created a set of demo servers in the public cloud, and used these for field sales activity.  We would have saved money on the laptops but more importantly my team would have been more effective.

Ultimately the cloud is about better service delivery.  Better can certainly mean less expensive but in my case better would have meant more effectively expressing the value of our product to prospective customers.  Regardless of the definition, CloudSwitch offers a simple, secure, and effective way to leverage the cloud.  Since the early startup days in 2001 my goal hasn’t really changed much; I still want the opportunity to show you how our product can make you more effective.  The difference is I finally have my “data center in a box” to prove it to you (and I don’t have to take up all of your visitor parking spots).

Is Amazon the Official Cloud Standard?

By Ellen Rubin

The Structure 2010 show was memorable for CloudSwitch, highlighted by the launch of the commercial version of our CloudSwitch Enterprise software that lets companies easily use multiple cloud providers to run their enterprise applications. With a few clicks, users run their applications where they best fit, based on their specific business and technical criteria.

So it certainly got our attention when at the Hybrid Clouds panel, Marten Mickos, CEO of Eucalyptus Systems, made a claim that Amazon’s API should be the basis for an industry standard. Marten added that the industry should orient around Amazon’s approach much as IBM’s personal computer became the standard for the PC industry. (Generations of loyal Mac users are probably glad there was still room for alternatives!)

If there were an industry standard, Amazon certainly has a strong claim for it. They’re the clear leader, with technology second to none. They’ve made huge contributions to advance cloud computing. Their API is highly proven and widely used, their cloud is highly scalable, and they have by far the biggest traction of any cloud. So full credit to Amazon for leading the way in bringing cloud computing into the mainstream. But it’s a big leap from there to saying that Amazon should be the basis for an industry standard.

It’s clear to us that the enterprise market wants options, both to avoid being locked-in and because other cloud providers have much to offer. While Amazon delivers many great benefits, other cloud providers have differentiated based on compliance, service level agreements, dedicated environments, storage capabilities, connectivity options, and support. They’ve implemented their infrastructures and APIs around these areas of differentiation. They’re unlikely to want to adopt a general industry standard since in many ways this commoditizes what they’ve built and limits their innovation.

One of the problems with any cloud standard is that making it work is fraught with controversy and technical complexity. A cloud computing “standard” involves more than a single API or format; it includes a number of elements that together define how the cloud works. For Amazon, this includes the AMI virtual machine format, their EC2 API that defines cloud operations, as well as their storage APIs, which come in two flavors: S3 and EBS. Other clouds have their own set of APIs and formats, developed to reflect their infrastructure characteristics and needs of their target market. VMware, for example, has its vCloud API as well as its own physical machine description (VMX) and storage unit (VMDK). There’s a spectrum of technologies in play that cloud providers and enterprises would first have to agree to, and then do a lot of heavy lifting in order to comply. I have yet to see a compelling reason that would justify their time and cost.

Of course, Amazon isn’t actively promoting a standard; they’re just “doing their thing” — offering their cloud services to whoever is willing to pay for them, and continuing to innovate in the cloud. I suspect they’re content to leave well enough alone and let the market take its course, and we'll continue to see innovations in everything from billing to cloud infrastructure from them.

The irony behind this standards debate is that CloudSwitch technology makes it largely irrelevant. The days when using a cloud meant binding yourself to a provider’s proprietary architecture are over. Cloud providers can innovate for their market segments, and customers can choose the best solution without fear of lock-in. Why go backwards? CloudSwitch customers know better.

World Cup and the Cloud: The Case for Monitoring

By John McEleney

The World Cup is the world’s largest sporting event and this year’s extravaganza from South Africa has been exciting, but not without controversy. Any sports fan watching the recent match between England and Germany had to be frustrated to see English midfielder Frank Lampard’s goal clearly crossing the goal line, but without the referee awarding the goal. Where was the videotape?  A simple review of a videotape could have prevented this miscall.

Fortunately the IT world has subscribed to the old adage, “you can’t fix what you can’t see.” For this reason, we have a plethora of tools and processes to help monitor networks, operating systems, applications, etc. These tools and processes are essential for IT operations teams to determine what’s wrong and pre-empt an even larger problem. In the IT world, it’s impossible to imagine how you would be able to run your operations without this monitoring capability.

Today the cloud is separate and distinct from your enterprise data center, but as the cloud becomes an integral part of the IT strategy, the big question is: how will people monitor their networks? Application performance? Operating systems? Undoubtedly, the existing monitoring players will try to “cloudify” their offerings – but will these really work? Are they extensible to the cloud?

At CloudSwitch, we are extending the enterprise data center to the cloud, so in effect the cloud is simply part of your infrastructure. The implications are profound:

  • Your existing virtualized applications will work with no modifications
  • Your connection to the cloud is encrypted and secure
  • Your existing monitoring tools and processes will continue to work

While we can’t claim that we will be able to help FIFA resolve future World Cup disputes, we can help you monitor and examine your applications and networks in the cloud!

CloudSwitch Enterprise - Ready for Business

By the CloudSwitch Team

Today we launched the commercial version of our CloudSwitch Enterprise software at Structure 2010 in San Francisco. We’re ready for business and making our innovative software generally available. It’s an exciting moment for us, but it also reflects the evolution of the cloud industry.

Two years ago when we were just designing and envisioning our products, we realized that enterprises would want to use the cloud – it seemed inevitable to us that the cloud would dramatically change the way companies build and scale their applications. However, many early discussions tended to go as follows: “Are you thinking of using cloud computing?” “Um, what’s cloud computing?”

What a difference two years make. Not only do we not need to explain what cloud computing is anymore, but we’ve found that most of the companies who participated in our beta program were already planning, thinking, testing and evaluating their cloud strategies and architectures. As seen at the Structure show, an ecosystem of cloud providers has emerged, with offerings for public and private clouds, as well as a growing list of consulting and services firms to support cloud initiatives – and of course, a large and vibrant set of cloud management/enablement providers, including CloudSwitch.

In the past several months, we’ve tested our software with some of the leading enterprises at the forefront of the cloud world – brand-name companies as well as mid-tier organizations, all with exciting use cases that have taught us a great deal about customer requirements. Working with these innovators and seeing our software deployed and working at these customer sites has been a thrill, and we truly appreciate all the input and support. We’ve learned that customers want the agility and cost-effectiveness of the cloud, but need the critical CloudSwitch capabilities of full security and seamless portability between the data center and the cloud – across hypervisors and multiple cloud offerings.

So today we’re proud to announce that v1.0 of CloudSwitch Enterprise is ready for download. Try our 15-day free trial now and start running your applications in the cloud environment that’s right for you. Use your existing management tools and data center policies. CloudSwitch makes it easy with our enterprise-class features:

  • Support for Amazon EC2 and Terremark’s VMware-based clouds (enabled through the vCloud API)
  • Full encryption of data and communications through AES-256
  • Role-based access controls for setting user/group permissions and controls
  • Support for Windows and Linux-based applications
  • Industry-first CloudFit™ for best fit of virtual instances into cloud resources
  • Layer-2 bridge between data center and cloud environments
  • API for programmatic control and integration into virtualized environments

To learn more about CloudSwitch Enterprise, please visit our updated product information. And if you’re still thinking about your cloud strategy, get started by downloading our always-free Explorer software for 1 user and up to 5 servers running in the Amazon EC2 cloud. Make the cloud part of your IT infrastructure today and see how simple and secure the cloud can be with CloudSwitch.

What IT Managers Should Learn from Public Clouds

By Ellen Rubin

Corporate computing is going through a fundamental shift — moving to a world that’s largely cloud-based, self-service, and highly virtual with shared resources. Rather than go through their IT departments like they have for decades, users will simply specify how many cloud servers they need and for how long, and provision their own resources with a few mouse clicks. I recently read an interesting post by Rodrigo Flores, observing that the growing acceptance of public clouds is also changing the role of corporate IT departments, and they’ll have to either adapt or die. I’d like to make a few suggestions about how they can adapt.

First of all, they need to face reality. IT is driven by the need for agility, elasticity and cost-efficiency, and that can be provided most effectively in the public cloud. A year or two ago, most pundits were saying that large-scale adoption was inevitable — now the transition is well underway. Individual users and departments are already making inroads into the cloud to take advantage of agility not available internally. In many cases they’re not waiting for permission or help from corporate IT— they’re moving ahead on their own.

The growing emergence of public clouds creates an alternative to the traditional data center, while lowering the costs of infrastructure services. As cloud computing takes hold, the impact can prove unsettling for corporate IT departments that find themselves increasingly evaluated against the fast service and flexibility provided by public clouds. How will corporate IT departments fit in? How can they maintain their relevance when users can simply go to the cloud and get the servers they need immediately, often with better service than is available internally?

Rather than viewing public clouds as a competitive threat, corporate IT should embrace cloud computing and recognize their new role — serving as a trusted broker for the resources that users need, whether in a public cloud or internally depending on where the application belongs. Corporate IT becomes a much more agile organization, leveraging public clouds and internal clouds within an integrated framework, and IT professionals providing the front-facing infrastructure and support services that make it work.

But corporate IT still has much to learn about how to design and support this new environment, with virtualization being only the first step. To gain this expertise, they need to look to the public cloud — Amazon, Terremark, Savvis, Rackspace, Microsoft, etc. The infrastructure and processes that cloud providers have created at tremendous effort and cost can provide a guide for how corporate IT departments are going to operate in the very near future. It’s an idea that hasn’t yet received much attention from industry observers, but we’ve been hearing it a lot lately from our customers, particularly those thinking strategically about the cloud.

Thus, corporate IT has another incentive (in case they needed one) to take the lead in moving their companies to public clouds. As they plan their own agile environments for internal users, public clouds are where they’ll learn the best practices needed to make it work:

  • Building the self-service portal: Corporate IT will need to make self-service for computing resources as simple and robust as it is in the public clouds.
  • Managing a multi-tenant environment: Cloud providers deliver rapid provisioning at low cost by supporting large numbers of users on a shared infrastructure. Corporate IT will need to replicate this environment, while providing mechanisms that allow applications to be moved out to a public cloud or back again.
  • Scaling efficiently: Cloud providers use several different scaling techniques and policies to keep up with growing demands, and corporate IT can learn a great deal from them about how to make trade-offs and automate wherever possible.

To sum up, corporate IT should look to public clouds as their most valuable resource — often far more agile, elastic, and cost-effective than internal resources. They’re where many enterprise applications (perhaps the majority) will soon run. In addition to their inherent advantages, public clouds also have much to teach. The lessons will come in handy as IT departments discover their new strategic role as champions of a more agile corporate computing environment. CloudSwitch technology makes that new world much easier to build and manage, so corporate IT can drive innovation without losing the security and control they need.

Three Ways to Do Web Apps in the Cloud

By Ellen Rubin

Web apps were born to run in the cloud. With endless flexibility, on-demand scaling and great pricing, the cloud meets the business and technical needs of many enterprises’ web-based applications for e-commerce, collaboration, marketing, CRM and dozens of other functions. With their ‘spikey’ needs for compute resources around peak periods, web apps are often corporate data center hogs and/or hosted at colos and MSPs at high cost.

As we work with many enterprise customers, we consistently hear the desire to host web apps in the cloud to reduce data center costs, footprints and headaches. There seem to be three major use cases emerging in the cloud market, reflecting the ways in which specific web apps are architected, and the comfort levels of the customer in exposing some or all of their app stacks outside the corporate firewall:

  1. Build the entire web application to run in the cloud. Launch some raw servers in the cloud and create your application using simple templates so that all tiers (user-facing, business logic, and database) run in the cloud. If you are putting up a new public web site, this is a great way to get into the cloud, and is particularly useful if you do not need to access data or systems that already exist within your data center. Many new companies and start-ups already use this approach since they don’t have any legacy infrastructure to integrate with!

  2. Move parts of the application to the cloud. Keep some of the app components internal and move others to the cloud. For example, put the user-facing portion of the application stack in the cloud for scaling and access by large numbers of users, and let it reach back to the data center to access your business logic and/or database tiers. Some of our customers put the user-facing and business logic in the cloud and reach back for the main database, while others put just the public access portions into the cloud. The key considerations are what kind of data the application needs to access, how much data is required, and the application’s sensitivity to latency between the tiers. If data is very sensitive, the pull is to keep it in the data center, but if the application is susceptible to database latency, the desire is to move data to the cloud to be near the computation servers. Even when all tiers are moved to the cloud, there is often a need to access data center resources (for management, user validation, or ancillary data).

  3. Use the cloud for peak-period scaling. This approach involves scaling portions of the web application into the cloud during peak periods, such as for a Mother’s Day sale or when the tax filing deadline approaches. Based on a peak-workload trigger, move base images of the app into the cloud and let them scale away. Add the new cloud resources to your load balancers to keep response times low during peak usage. When you need occasional access to massive compute resources, the cloud provides a great alternative to buying and maintaining expensive equipment. The cloud essentially becomes an extension of your data center for on-demand scenarios.

Which of these approaches will work best for you? Many enterprises are testing more than one approach with different web applications as they define their cloud strategies. CloudSwitch technology lets you get started now with no risk, moving applications (or selected portions) to the right cloud, and keeping cloud resources in seamless integration with your data center. Put your web apps where they belong and free yourself from endless infrastructure heavy-lifting.

Private Clouds: Old Wine in a New Bottle

By John McEleney

I recently read a Bank of America Merrill Lynch report about cloud computing, and they described private clouds as "old wine in a new bottle." I think they nailed it!

The report points out that a typical private cloud set-up looks much the same as the infrastructure components currently found in a corporate data center, with virtualization added to the mix. While the virtualization provides somewhat better server utilization, the elasticity and efficiency available in the public cloud has private clouds beat by a mile.

In short, the term "private cloud" is usually just a buzzword for virtualized internal environments that have been around for years. By replicating existing data center architectures, they also recreate the same cost and maintenance issues that cloud computing aims to alleviate.

Despite their limitations, there is still a lot of industry talk about creating internal private clouds using equipment running inside a company’s data center. So why do people consider building private clouds anyway? 

To answer this question, you have to step back and examine some of the fundamental reasons why people are looking to cloud computing:

  1. The current infrastructure is not flexible enough to meet business needs
  2. Users of IT services have to wait too long to get access to additional computing resources
  3. CFOs and CIOs are tightening budgets, and they prefer operational expenses (tied directly to business performance) vs. capital expenses (allocated to business units)

In every case, the public cloud option outperforms the private cloud. Let’s examine each point:

  1. Flexibility – the ability to access essentially unlimited computing resources as you need them provides the ultimate level of flexibility. The scale of a public cloud like Amazon’s EC2 cannot possibly be replicated by a single enterprise. And that’s just one cloud – there are many others, allowing you to choose a range of providers according to your needs.
  2. Timeframes – to gain immediate access to public cloud compute resources, you only need an active account (and of course the appropriate corporate credentials). With a private cloud, users have to wait until the IT department completes the build out of the private cloud infrastructure. They are essentially subject to the same procurement and deployment challenges that had them looking at the public cloud in the first place.
  3. Budgets – everyone knows that the economic environment has brought a new level of scrutiny on expenses. In particular, capital budgets have been slashed. Approving millions of dollars (at least) to acquire, maintain and scale a private cloud sufficient for enterprise needs is becoming harder and harder to justify — especially when the "pay as you go" approach of public clouds is much more cost-effective.

There are many legitimate concerns that people have with the public cloud, including security, application migration and vendor lock-in. It is for these reasons and more that we created CloudSwitch. We’ve eliminated these previous barriers, so enterprises can take immediate advantage of the elasticity and economies of scale available in multi-tenant public clouds. Our technology is available now, and combines end-to-end security with point-and-click simplicity to revolutionize the way organizations deploy and manage their applications in public clouds. 

Sir Isaac Newton may not have dreamed about clouds, but his first Law of Motion, "a body at rest tends to stay at rest", has been a good harbinger of cloud adoption until now. It is fair to expect that people will grasp for private clouds simply because it’s more comfortable (it’s the status quo). However, the rationale for public cloud adoption is so compelling that a majority of organizations will choose to embrace the likes of Amazon, Terremark, and other clouds. As adoption increases, private clouds will be used only for select applications, thus requiring far fewer resources than they currently demand. We’re also seeing the emergence of “hybrid” clouds that allow customers to toggle compute workloads between private and public clouds on an as-needed basis.

In the end, we will have new wine and it will be in a new bottle. With CloudSwitch technology, 2010 is shaping up to be a great vintage.


Cloud Computing Compliance: Exploring Data Security in the Cloud

By Guest Author, David Mortman

David Mortman, Director of Operations and Security at C3 and former CISO at Siebel Systems, has a proven track record in leading security teams and setting security strategy at several companies, including C3, Siebel Systems, Network Associates, Securosis and Echelon One. David is a regular presenter at RSA and Black Hat and has also presented at SOURCE Boston, Information Security Decisions and the CSO World Congress.

Amid an ever-increasing bevy of regulations that enterprises need to worry about -- from SOX and PCI DSS to HIPAA/HITECH and the FTC's Red Flags Rules -- and a growing number of cloud service providers to choose from, enterprises have a lot of options and a lot of questions to consider concerning cloud computing compliance.

While migrating services to the cloud may provide many benefits, it does not absolve an enterprise of certain responsibilities. Most notably, the enterprise is still required to remain compliant with the assorted regulations and laws that it would fall under had it retained that service inside the company.

In some cases, as with PCI DSS, there is definite potential to reduce a company's compliance scope by outsourcing certain services. Most notably, by wholesale outsourcing the credit card processing to a third-party provider, an organization's PCI scope will be significantly smaller (though not go away completely). With the FTC's Red Flags Rules, however, that is not the case, as the FTC has mandated that any outsourcing must entail equivalent or better security than the enterprise would have implemented internally.

As you start to investigate moving services to the cloud, it's important to ask several cloud computing compliance questions:

  1. Does this data that will be moving to the cloud fall under any compliance-related regulations or requirements? This includes data such as Personally Identifiable Information (PII), Personal Health Information (PHI), or corporate finance-related information.
  2. If the answer to question one is yes, which regulations does it fall under and what controls are necessary?
  3. Can the cloud provider actually offer the identified or equivalent controls that your organization's data requires?
  4. Does the cloud provider have the necessary policies, processes and procedures to properly maintain those controls?
  5. Does the provider have appropriate disaster recovery and business continuity processes to meet your organization's business needs?
  6. What happens if the cloud provider goes bankrupt? Can the enterprise's data be sold to a creditor or at auction as a provider's asset?
  7. Should I decide to change providers, is there an easy way to export my data in a useable format?
  8. Is the provider willing to alter its default terms of service in order to guarantee or provide service level agreements (SLAs) around questions 3-7?

That last question is particularly important, as many cloud providers refuse to use anything other than their default contract language. As a result, they have effectively eliminated themselves from being potential providers of compliance data-related services. Several of the compliance regulations, most notably HIPAA/HITECH and the FTC Red Flags Rules, specifically mandate that an enterprise must have contracts with its service providers mandating appropriate controls, processes and procedures in accordance with each regulation's guidelines.

Similarly, if the providers can't meet the requirements of questions 3-7, they should also be eliminated from contention for your company's business. Lack of ability to meet requirements is a problem especially when it comes to PCI DSS and HIPAA/HITECH. Thus, you will quickly find that your options for cloud service providers are limited -- at least in the short term -- though rumor has it that several of the larger cloud providers are working on retooling their systems to meet these compliance needs. There are a handful of cloud providers on the healthcare side that have built applications specifically to meet the needs of the healthcare industry, but I have not yet seen any security evaluations of these applications to determine their effectiveness.

In the meantime, I recommend passing the above questions to providers that you're evaluating, much like you would pass them a request for information (RFI) for any other outsourcing project, and then choose the provider that can best meet your needs.

Alternately, if none can, investigate ways of removing or obfuscating the relevant data (such as hashing or encrypting information prior to moving it to the cloud), so your organization can still get the business benefits of the cloud.
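To make the hashing option above concrete, here is an added example (not from the original article) that replaces identifying fields with keyed HMAC-SHA256 tokens before a record leaves the data center, and contrasts that with a plain unkeyed hash, which anyone holding the uploaded data can test guesses against. The field names, sample record and key handling are assumptions made for the illustration; the encryption option is not shown.

```python
import hashlib
import hmac
import secrets

# Fields treated as regulated identifiers in this constructed example.
SENSITIVE_FIELDS = ("ssn", "email")


def normalize(value: str) -> str:
    """Canonicalise so the same identifier always maps to the same token."""
    return value.strip().lower()


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256): cannot be recomputed without the key."""
    return hmac.new(key, normalize(value).encode("utf-8"), hashlib.sha256).hexdigest()


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256 of the value, shown for contrast only."""
    return hashlib.sha256(normalize(value).encode("utf-8")).hexdigest()


def prepare_for_cloud(record: dict, key: bytes) -> dict:
    """Return a copy of the record with sensitive fields replaced by tokens."""
    out = dict(record)
    for field in SENSITIVE_FIELDS:
        if out.get(field) is not None:
            out[field] = pseudonymize(str(out[field]), key)
    return out


def guess_matches(token: str, guess: str) -> bool:
    """The check available to someone who holds the uploaded token but no key."""
    return hmac.compare_digest(token, unkeyed_hash(guess))


# Constructed sample data. The key is generated here for the demo; in practice
# it would be kept in an on-premises key store and never uploaded.
KEY = secrets.token_bytes(32)
RECORD = {"customer_id": 1042, "ssn": "000-12-3456",
          "email": " Pat@Example.com ", "balance": 310.25}

if __name__ == "__main__":
    print(prepare_for_cloud(RECORD, KEY))
```

Because the tokens are deterministic under one key, records can still be joined and de-duplicated in the cloud, while mapping a token back to a person requires the key that stays in the data center.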

Hear more from David Mortman in this recorded CloudSwitch webinar:
Title: “How to Secure the Public Cloud for the Enterprise: Making the Public Cloud Work Like a Private Cloud”
