cloud providers
A Cloud Security Bill of Rights
Digg
Reddit
Delicious
StumbleUpon
Facebook
Twitter
LinkedIn
BuzzBy Dave Armlin, Director of Customer Support at CloudSwitch
Cloud security remains a top concern for enterprise cloud deployments. Unresolved policy and control issues make it difficult to meet the requirements of corporate security and networking teams. As a result, we frequently hear from our customers that they assume they can only put the lowest-risk data and applications into the cloud – or that their cloud projects are on hold till the security issues get resolved. This is a major limitation for cloud adoption, often creating a false belief that the cloud only works for apps “that don’t matter,” or for companies who are willing to take risks.
Customers Have the Right to Demand More
We believe that customers have the right to demand more from the cloud industry when it comes to security. They know the levels of security needed across the range of apps and data in their portfolios. And they shouldn’t have to settle for anything less than the security and control they’ve put in place internally.
Here’s what customers have the right to expect regarding cloud security:
- The right to control their data: In the shared environment of the cloud, customer data needs to be protected from unauthorized access at all times, and must be off limits to cloud providers and their technology partners. This means that data needs to be encrypted end to end, from inside the corporate firewall, across the Internet, and within the cloud — in storage, during processing, and in transit through the cloud network. The cloud should be a seamless extension of the customer’s IT environment, while the cloud provider sees only an encrypted connection running into its virtual servers and storage.
- The right to own their encryption keys: The biggest encryption challenge in the cloud involves managing the encryption keys used to decrypt data. The standard practice of storing the keys in the cloud and exposing them to the cloud provider greatly reduces the effectiveness of encrypting the data in the first place. Storing keys in virtual storage alongside the data also defeats much of the protection since if someone gains access to the disk, they will have both the data and the keys needed to access it. Thus the control of the encryption keys need to stay with the customer at all times, with keys delivered securely to the virtual machines in the cloud only when needed to decrypt the data for processing.
- The right to their access policies: For many enterprise applications, the only way to use the cloud safely is for the customer to use their own security policies and remain in control of them in the cloud. System administrators already have controls in place, typically with Active Directory, and use Role-Based Access Control (RBAC) to define users, groups, and roles to control access to applications and computing resources. A customer should be able to extend the internal security policies out to the cloud, so roles and permissions are consistent regardless of where a workload runs.
- The right to their network services: Every enterprise has a unique network infrastructure and configuration settings for providing connectivity between servers and applications. This includes a combination of things like addressing, related services (DHCP/DNS), identity and directory services (LDAP/Active Directory), WAN optimizers, load balancers, and firewalls. Cloud providers have completely different network architectures designed to support their multi-tenant environments. Customers should be able to choose whether they want to use the cloud provider’s network services or extend the products they’ve already put in place internally (many of which are now available in the cloud as virtual appliances).
- The right to their compliance processes: If the business depends on the ability to demonstrate compliance with government or industry regulations, the customer already has proven processes in place. Customers should be able to extend those compliance processes into the cloud, rather than be required by the cloud provider to adopt a whole new set of guidelines and procedures.
- The right to put their data where they want: Often, data must legally reside in specific geographic locations (e.g., EU, Canada), but the rest of the app tiers can be located wherever makes sense for performance and latency reasons. Customers should be able to put their data in the most suitable environment and move it when needed, whether to a preferred cloud or back to the data center, without being constrained by a particular cloud platform or technology stack. Applications should be able to run across multiple networks, geographic locations and computing environments, tying back seamlessly to processes running in the data center.
For Cloud Providers, It’s Time to Step Up
Making these rights available to cloud customers is not easy; otherwise cloud providers would have done it already. But if customers don’t set their standards high, they’ll start making compromises, either in the level of security they’re willing to accept or the types of workloads they’re willing to put in the cloud. For their part, cloud providers and their technology partners need to give customers the same security and control they already expect internally so they can use the cloud without risk and without constraints. Customers have the right to demand a safe environment for their apps and data — when the cloud industry can deliver it, everybody wins.
IAAS and PAAS: Getting Closer all the Time
By John Considine
Happy New Year! In this first post of 2011, I’d like to explore one of the primary ways the cloud landscape is evolving. Two of the pillars of cloud computing, Infrastructure as a Service (IAAS) and Platform as a Service (PAAS), are showing some interesting trends as cloud providers adapt to meet the needs of their customers. Over the coming year, we may see these familiar models evolving into something new since the ideal solution for most enterprises is not one approach or the other but some combination of both.
Traditionally these two methods of cloud computing have been quite distinct. Infrastructure as a Service providers like Amazon EC2, Terremark, and Savvis promise to remove the burden of managing physical infrastructure — everything from server installation and support to network and storage infrastructure build-out and management. Platform as a Service offerings like Force.com, Google App engine, and Microsoft’s Azure provide these benefits of IAAS in addition to offloading management of the underlying system and application software. Operating system software, core services, and even high level application building blocks are managed by the provider, freeing users from worrying about things like patching, updates, core application configuration and management.
Many feel that IAAS does not go far enough to eliminate the unnecessary overhead of managing common software components. Significant effort is involved in managing operating system lifecycles and common software components, and the PAAS supporters are pushing for cloud computing to eliminate this wasteful effort.
PAAS also has its downsides, particularly transition costs and vendor lock-in. In order to transition your workloads into PAAS, you have to adopt and design for the specific offering that the PAAS provider has created. This creates the potential for vendor lock-in because your new applications are using the specific services built by your PAAS provider, and you are unlikely to find the same services from another vendor.
We have found that enterprises are using all forms of cloud computing, from SAAS offerings like Salesforce to PAAS offerings from Microsoft to IAAS from Amazon. Within any given enterprise, there are multiple groups, departments, and users that have specific problems and are seeking solutions wherever they can find them. For example, business users in the organization are turning to SAAS to solve their customer management and collaboration, while developers are building new solutions on the PAAS platforms to speed development, and IT ops teams are utilizing the rapid provisioning and scalability of IAAS to get their work done. It is perhaps the pressure to provider broader solutions for these organizations that is leading to some interesting changes in the services offered by IAAS and PAAS cloud providers.
From IAAS providers, we’re seeing a trend to offer more PAAS services. This is apparent in Amazon’s offerings as they add services such as Relational Database Service (RDS) and Elastic MapReduce (Hadoop) to their SimpleDB and Simple Queue Service (SQS). These higher level services extend beyond simple IAAS into the realm of PAAS since they are not plain virtual machines but full services managed by Amazon. They carry all the benefits and disadvantages of PAAS offerings, with the interesting characteristic of being integrated as part of the overall Amazon solutions.
At the same time, we are seeing a new offering from Microsoft on their Azure platform, the VM Role. This soon to be released offering from Microsoft extends the PAAS nature of Azure into the IAAS realm. Now the customer can control all aspects of instances in Azure including all OS configurations and settings. Of course, this carries the downsides of IAAS as well, in that the customer must now completely manage the OS and applications.
These two providers give us insight to how the market is evolving — IAAS and PAAS are converging as vendors in each space adopt characteristics of the other. This convergence makes a lot of sense since enterprises want just as much control as they really need and the ability to offload work to a provider whenever feasible. In cases where they need to control the entire environment, they want low-level control. This is good news for both providers as well as customers because providers can offer value-added services that are “sticky” for their customers, while different groups within a given enterprise can choose the level of service they want, from fully-managed to completely controllable, now perhaps from the same provider.
As IAAS and PAAS morph into a converged model, CloudSwitch provides the position independence and flexibility that allow enterprises to take advantage of this evolving market without having to adapt to each cloud provider. By making the entire application stack (or selected portions of it) completely portable, from low level infrastructure to high level application control, customers can run their applications where it makes sense, with the management capabilities they need. It’s all about giving customers the choices they want, without risk of lock-in.
Data Center in a Box
By Damon Miller
Years ago I had the privilege of helping to grow Bladelogic from early-stage startup to a profitable organization of over 300 people. In the early days one of my first challenges was figuring out how to show our product to prospective customers effectively. I needed to show our ability to manage a large IT infrastructure but I had to do so without actually dragging a data center to each of our sales calls. (My first attempt involved renting a fleet of trucks but visitor parking turned out to be a real challenge.) As I look back on that situation now, I realize that CloudSwitch offers a perfect solution to this “data center in a box” problem. In this article I’ll walk through the use case and describe a new CloudSwitch feature, Sample VMs, which makes this possible.
The first step toward a virtual data center is to use virtualization, of course. In late 2001 VMware released the third major version of their Workstation product. Given my demonstration requirement, I bought a copy of Workstation, found the biggest “mainstream” laptop available at the time, filled it with memory, and deployed as many VMs as it would run without completely falling over. Depending on the end user’s patience, that number was somewhere between four and six. While not exactly a world-class data center, the end result served us well for demonstration purposes. It was, however, limited in capacity, slow, expensive, and difficult to maintain.
In retrospect, what we really needed was a way to:
- Quickly start new servers and turn them off when finished;
- Use existing, internal virtual servers or public server images; and
- Connect to these servers as if they were on the local network.
Fast-forward nearly ten years and the first of these points—utility capacity on demand—is all but ubiquitous courtesy of providers like Amazon and Terremark. We of course know this as “the cloud” and companies use it every day for a variety of reasons. The second two points are more interesting.
Today’s cloud providers have implemented their platforms on a particular virtualization solution—and in many cases they’ve customized these solutions to suit the needs of their product offering. This is of course perfectly natural, however one practical effect is that end users cannot simply take their own virtual machines and expect to run them within a given cloud provider’s environment. The reasons vary—different virtualization solution, different underlying hardware, different capabilities—but the end result is always the same: cloud providers will not allow end users to upload custom VMs and run them. For this, CloudSwitch is needed.
One of CloudSwitch’s fundamental benefits is the ability to run customers’ virtual servers in whichever cloud provider is most appropriate, regardless of the underlying implementation details. After deploying our appliance, users can select virtual servers within their internal VMware environment and migrate them to a public cloud provider such as Amazon or Terremark without being forced to modify those servers in any way. No additional software or configuration change is required for this to work. Users literally “point and click” to migrate virtual servers from their data center into a cloud provider.
In many cases, users want to leverage the cloud but don’t want to migrate existing servers. CloudSwitch supports this approach as well. With the recent GA release, CloudSwitch allows customers to select from a set of public “Sample VMs” for access to cloud capacity. Customers can use these sample VMs for a variety of purposes—evaluation, production, or anything in between. Further, since these machines have already been moved into the cloud, starting them is quick and efficient. Current Sample VMs include a stock Centos 5.4 base image, SugarCRM, and BugZilla running on a Windows OS. We’re expanding the list of Sample VMs based on a range of customer use cases, and have plans to include many open source and partner products.
The final point—seamless connectivity—speaks to the way cloud providers offer connectivity to their instances. Today, each provider has chosen a particular network architecture for delivery of their services. For example, if you start a Linux instance in Amazon’s EC2 service and run “ifconfig eth0” you will likely see a 10.x.x.x IP address assigned to the interface. This is because Amazon has chosen the 10.0.0.0/8 private address space for connectivity to customer instances. Other cloud providers use different addressing schemes but regardless these are different and disconnected from what customers are using within their own data centers. Further, secure connectivity to these instances is not convenient and in many cases is not possible. CloudSwitch addresses this problem as well.
As part of the deployment process, CloudSwitch automatically creates a secure overlay network within the chosen cloud provider’s environment. This overlay network extends a customer’s internal data center into the cloud so the cloud-based servers are part of the customer’s data center network. When migrating existing servers into the cloud, end users see no difference; they can SSH or RDP to migrated instances without even realizing that their servers are no longer running within the data center.
So, CloudSwitch offers a way to leverage the power of the public cloud without forcing end users to change the way their infrastructure is configured. We also offer a set of sample content customers can use if they simply want to establish a footprint in the cloud without migrating existing servers. Finally, end users connect to cloud servers just as if they were running within the data center network. The implication for my “data center in a box” use case is probably obvious: I could have installed the CloudSwitch Appliance on my sales engineers’ laptops, created a set of demo servers in the public cloud, and used these for field sales activity. We would have saved money on the laptops but more importantly my team would have been more effective.
Ultimately the cloud is about better service delivery. Better can certainly mean less expensive but in my case better would have meant more effectively expressing the value of our product to prospective customers. Regardless of the definition, CloudSwitch offers a simple, secure, and effective way to leverage the cloud. Since the early startup days in 2001 my goal hasn’t really changed much; I still want the opportunity to show you how our product can make you more effective. The difference is I finally have my “data center in a box” to prove it to you (and I don’t have to take up all of your visitor parking spots).
What IT Managers Should Learn from Public Clouds
By Ellen Rubin
Corporate computing is going through a fundamental shift — moving to a world that’s largely cloud-based, self-service, and highly virtual with shared resources. Rather than go through their IT departments like they have for decades, users will simply specify how many cloud servers they need and for how long, and provision their own resources with a few mouse clicks. I recently read an interesting post by Rodrigo Flores, observing that the growing acceptance of public clouds is also changing the role of corporate IT departments, and they’ll have to either adapt or die. I’d like to make a few suggestions about how they can adapt.
First of all, they need to face reality. IT is driven by the need for agility, elasticity and cost-efficiency, and that can be provided most effectively in the public cloud. A year or two ago, most pundits were saying that large-scale adoption was inevitable — now the transition is well underway. Individual users and departments are already making inroads into the cloud to take advantage of agility not available internally. In many cases they’re not waiting for permission or help from corporate IT— they’re moving ahead on their own.
The growing emergence of public clouds creates an alternative to the traditional data center, while lowering the costs of infrastructure services. As cloud computing takes hold, the impact can prove unsettling for corporate IT departments that find themselves increasingly evaluated against the fast service and flexibility provided by public clouds. How will corporate IT departments fit in? How can they maintain their relevance when users can simply go to the cloud and get the servers they need immediately, often with better service than is available internally?
Rather than viewing public clouds as a competitive threat, corporate IT should embrace cloud computing and recognize their new role — serving as a trusted broker for the resources that users need, whether in a public cloud or internally depending on where the application belongs. Corporate IT becomes a much more agile organization, leveraging public clouds and internal clouds within an integrated framework, and IT professionals providing the front-facing infrastructure and support services that make it work.
But corporate IT still has much to learn about how to design and support this new environment, with virtualization being only the first step. To gain this expertise, they need to look to the public cloud — Amazon, Terremark, Savvis, Rackspace, Microsoft, etc. The infrastructure and processes that cloud providers have created at tremendous effort and cost can provide a guide for how corporate IT departments are going to operate in the very near future. It’s an idea that hasn’t yet received much attention from industry observers, but we’ve been hearing it a lot lately from our customers, particularly those thinking strategically about the cloud.
Thus, corporate IT has another incentive (in case they needed one) to take the lead in moving their companies to public clouds. As they plan their own agile environments for internal users, public clouds are where they’ll learn the best practices needed to make it work:
- Building the self-service portal: Corporate IT will need to make self-service for computing resources as simple and robust as it is in the public clouds.
- Managing a multi-tenant environment: Cloud providers deliver rapid provisioning at low cost by supporting large numbers of users on a shared infrastructure. Corporate IT will need to replicate this environment, while providing mechanisms that allow applications to be moved out to a public cloud or back again.
- Scaling efficiently: Cloud providers use several different scaling techniques and policies to keep up with growing demands, and corporate IT can learn a great deal from them about how to make trade-offs and automate wherever possible.
To sum up, corporate IT should look to public clouds as their most valuable resource — often far more agile, elastic, and cost-effective than internal resources. They’re where many enterprise applications (perhaps the majority) will soon run. In addition to their inherent advantages, public clouds also have much to teach. The lessons will come in handy as IT departments discover their new strategic role as champions of a more agile corporate computing environment. CloudSwitch technology makes that new world much easier to build and manage, so corporate IT can drive innovation without losing the security and control they need.
Holiday Presents from the Cloud
As the year winds down, there are a few things I have come to expect: holiday parties, snow, and new features from cloud providers. This year exceeded all of my expectations, starting with a note in early December from our friends at Terremark letting us know that they have fixed their Windows pricing for cloud servers. Until this upgrade, if you started a Windows server in their cloud, you had to pay for a whole month of Windows licensing ($30-$100 depending on the version) no matter how much you used the server. This was rather un-cloudlike, where we want to only pay for what we use. With this new feature, running Windows in Terremark’s cloud only costs a few cents per hour (Linux cost + 20%).
Then came the snow—I live in New Hampshire, and on December 9th we received a foot of new snow to really get the season going. The very next day, Amazon made a big flurry of announcements—support for Windows 2008, the ability to boot from EBS, and the new US region US-West1.
Each of these features means big things for Amazon and for cloud users. First, support for Windows 2008 is a longstanding request from Amazon users. I think that Amazon was held back from supporting W2K8 because of the design of their boot volumes, which needed to be copied out of S3 into the local storage instance in order to boot the operating system. As the boot volume grows, the amount of resources consumed and the boot time of the servers grows significantly, withW2K8 requiring more than 10GB by default. In order to support W2K8, Amazon required another technology advance to make it possible—booting from EBS snapshots.
Perhaps the biggest problem enterprise users had with Amazon was the lack of persistent storage for boot volumes. Amazon has now created a way for users to build persistent boot volumes, coming up to parity with competitors on this feature. Sure, it’s a little different from how enterprises normally think about storage and configure boot volumes, but the ability to use EBS volumes for booting eliminates the window for data loss that most users had to contend with in the original boot methods. (This feature is not huge for CloudSwitch customers because we have always supported booting from EBS as part of our products; however, we can take advantage of this feature to improve boot times for servers in Amazon.)
Another major Amazon announcement is the new west coast region. Many of CloudSwitch’s early customers (not to mention our own development activities) are based on the east coast, so EC2’s primary location has been a good fit for us. Things only improved with the introduction of the Europe region since we have seen a lot of interest for European resources for both locality and compliance reasons. However, for west coast customers, having to hop across the whole country to access your cloud resources was less than ideal. Now these companies have local resources to target, but more important, this ongoing expansion shows that the public cloud is doing well. The addition of US-WEST1 and the soon-to-open Asia region reflect just how quickly the public cloud is growing and how hard Amazon is driving it.
The news from Amazon comes on top of what was already an outstanding year for cloud computing with major announcements from many key players, including: IBM software running in the cloud, new VMware-based public clouds, reduced pricing for servers and storage in the cloud, and Microsoft’s Azure gaining momentum. Each of the cloud providers is growing and maturing its cloud offerings, and we are reaching a tipping point where there are multiple clouds with sufficient features to support enterprise workloads. Get ready for 2010—it’s going to be an exciting year as large-scale enterprise cloud computing takes off.
Moving to the Cloud: What's Really Required
When we started talking with a wide range of IT managers and companies in early 2008, we quickly encountered a fascinating dichotomy – Cloud Computing is really easy / Cloud Computing is really hard. What made this so interesting is that the casual users were saying cloud computing was easy and the hard-core users were claiming that it was hard. Amazon and a number of other cloud providers have made major advancements since this time, but the “it’s easy / it’s hard” split still exists.
Today, if you want to use the cloud and deploy a server, it is really quite easy to “build” a server from the base templates offered by the cloud providers. There are consoles available to launch servers including providers' control panels (Amazon, RackSpace, Terramark), plug-ins for Firefox (ElasticFox), and third party products like RightScale. Start from a predefined image, add your edits, and poof – you have a server running in the cloud.
It becomes a lot more complicated when you try to integrate an application with multiple servers running in the cloud with your existing data center infrastructure. When I say infrastructure, I mean all of your existing networking, services (DNS, DHCP, LDAP, Identity), build processes, third party applications; basically, the whole of your IT environment that you depend on to make things work.
When you deploy applications in the cloud, they are running on an infrastructure built and maintained by the cloud provider. This means that there is a certain amount of control that is transferred to the provider –the underlying control and assignment of resources they require in order to manage their environment. You need to understand this new environment, select the appropriate resources, and adapt your application to it. But moving an application that’s been running in your enterprise infrastructure, with all its associated processes and relationships, to a cloud provider that has its own way of doing things is where using the cloud gets hard.
To highlight some of the difficult areas, we’ll examine a set of issues across a variety of cloud providers out there. Because there’s a lot of ground to cover, I’ll break up the posts into multiple parts dealing with storage, networking, management, performance, and security. We’ll start with storage since it represents the real identity of the server and all that is important to your application and business. Stay tuned.
Next: Key considerations for cloud storage
