July 2009 Archives

Articles and blog posts about security and cloud computing are a daily occurrence, unless some well-publicized breach occurs in the cloud. At that point the number of commentaries and discussions increases exponentially and then, over the following week, returns to normal frequency. I decided to focus on security as it relates to cloud storage, to see whether something really new and different is occurring and whether overall changes to classic data security activities need to be contemplated. When I focused in this way, I quickly discovered that not much has changed: security of data in the cloud depends heavily on the same precautions and understandings as security of your data in a private data center.

In this recent article, it was suggested that files of one owner residing on a physical device with the files of others could somehow result in unauthorized access. It could, and the answer to this and a myriad of other concerns fits within traditional approaches and understandings of security. For example, Mezeo encrypts all files prior to storage. So, even if you somehow got access to another's file, it would do you no good. My point is that the cloud introduces a few additional complications, but it is not the problem that the current level of speculation portrays it to be. An extension of typical security practices, diligence, effective execution and audit of your current practices are what is required.

With this underlying theme, we look at how best we can ensure the security of the data in the cloud. Let's look at five areas that you should consider with regard to storing data in the cloud.

1. Physical Security: First, understand some things about the data center that is hosting the cloud where your data is stored:

  • Is the data center physically secure? 
  • What about its ability to withstand power outages?
  • For how long? 
  • Are there multiple, independent (on different grids) electrical power paths? 
  • How are communications facilities enabled and where does the fiber enter the facility?
  • How many communications providers have a POP (point of presence) at the facility? 
  • How is the data center certified (SAS 70 Type II)?

World class data centers are expensive, and they are also well understood. What is the tier rating of the data center? (Tier IV is best). Make sure you do business with a cloud storage service provider who makes use of such facilities.

2. Data encryption:
Encryption is a key technology for data security. Understand the difference between encryption of data in motion and encryption of data at rest. Remember, security can range from simple (easy to manage, low cost and, quite frankly, not very secure) all the way to highly secure (very complex, expensive to manage, and quite limiting in terms of access). You and the provider of your Cloud Storage solution have many decisions and options to consider. For example, do the Web services APIs that you use to access the cloud, either programmatically or with clients written to those APIs, provide SSL encryption for access? This is generally considered to be standard. Once the object arrives at the cloud, it is decrypted and stored. Is there an option to encrypt it prior to storing? Do you want to worry about encryption before you upload the file for cloud storage, or do you prefer that the cloud storage service automatically do it for you? These are options; understand your cloud storage solution and make your decisions based on desired levels of security.

3. Access Controls: Authentication and identity management are more important than ever. And it is not really all that different. What level of enforcement of password strength and change frequency does the service provider invoke? What is the recovery methodology for password and account name? How are passwords delivered to users upon a change? What about logs and the ability to audit access? This is not all that different from how you secure your internal systems and data, and it works the same way: if you use strong passwords, changed frequently, with typical IT security processes, you will protect that element of access.

4. Service Level Agreements (SLA): What kind of service commitment is your provider willing to offer you? Are they going to be up 99.9% of the time or 99.99% of the time? And how does that difference impact your ability to conduct your business? What is the backup strategy that your cloud provider uses, and does it include alternative site replication? Do they use one at all, or is backup something you have to provide for? Is there any SLA associated with backup, archive, or preservation of data? If your account becomes inactive (say you don't pay your bill), do they keep your data? For how long? Once again, realize that there are different services, with different features, at different costs, and you get what you pay for.

5. Trusted Service Provider: The trusted service provider is a critical link. Unlike your in-house IT department, you are now putting your trust in a 3rd party. You must feel confident that they will do what they say they will do. Can they demonstrate that the safeguards they claim are indeed delivered? What is their record? Do you have a successful business relationship with them already, and if not, do you know of others who do? Remember to ask: are they in business to serve business, or is it simply another service that they offer, focused first on cost per gigabyte, versus service and support? This is where many IT service providers have made their living, providing world class service and support, along with effective, efficient, low cost infrastructure.

So what has really changed? More than anything it is a heightened awareness of the need for security.  Security is delivered on a sliding scale, and the result you achieve is based on well understood principles.

Of equal interest are the legal implications associated with hosting your data at service providers.  You can extend the notion of security to access by various government entities, depending on where your data is hosted.  While the focus of this post has been associated with preventing unauthorized access, this is yet another consideration associated with where your data is stored. 

Sure, cloud storage requires that you add some additional and/or different considerations to your evaluation and monitoring process, like understanding your service provider versus your own IT department. The IT Service Providers know and understand the importance of this. Most will step up and ensure that they deliver excellent service to you and become your long term Trusted Partners. Those that don't will fall by the wayside.

I'm continually surprised by how often I'm asked this set of questions:

  • Won't cloud computing kill the hosting industry?
  • Don't Amazon Web Services, Google and Microsoft Azure pose a huge threat to hosters?

The dreaded word "commoditization" often gets inserted, in an apparent attempt to convey impending doom. And most people go on to ask if the adoption of SaaS delivery models for application software will cause customers to "bypass" co-location and hosting altogether as they subscribe to all their IT needs via SaaS providers (such as Google and Microsoft, for example).

These questions are not particularly bad.  In fact, it's plausible (but not likely) that the IT infrastructure world could evolve in this way.  What's surprising to me is the degree to which people are naturally inclined to buy into this view of the future, versus the contrarian and much more likely position that the onset of cloud computing will bolster the growth and good fortune of the hosting industry.

OK, I understand it won't be a bed of roses for hosters, particularly during the more turbulent phases of this transition.  And I know the road to cloud computing riches will be a rugged trail, likely littered with at least a few casualties.  But the idea that we will quickly shift into a winner-take-all scenario with only a few large providers of cloud computing infrastructure, and no room for anyone else to survive and thrive, overlooks a number of considerations that will play a prominent role in the next phase of growth in the hosting industry.

Will Amazon EC2 and S3, and Rackspace Cloudsites and Cloudfiles, take business away from traditional hosters?  Sure.  But this is not a zero-sum game. 

Few people focus on the prospect that the overall hosting pie might grow faster than the rate of cannibalization.  I think it will. Hosting is simply the future of IT infrastructure outsourcing, and cloud computing is the future of hosting.

How big is the IT outsourcing industry?  Gartner and IDC measure the industry in the hundreds of billions of dollars.  How big is the hosting industry?  Tier 1 Research measures it in the single-digit billions, orders of magnitude smaller than traditional outsourcing.  This means that, even in 2009, the vast majority of businesses are managing their IT infrastructure as they have in the past: on premise, in aging data centers (or, even worse, the server closet), with non-scalable non-automated support models, and without benefit of the economies of scale that a hosting provider can offer.  So before we assume Amazon will snuff out the hosting industry, shouldn't we first assume that a materially greater percentage of the business market will elect to move IT infrastructure "into the cloud" in the first place?  If so, then we must assume the hosting pie will continue growing at the expense of traditional IT infrastructure outsourcing.  And there is a lot of room to grow.

Regarding SaaS, clearly the SaaS model is here to stay.  But this doesn't mean hosting and co-location will be bypassed.  To the contrary, regardless of where application software runs (on the customer premise or in the service provider's data center), it has to run on IT infrastructure.  Managing IT infrastructure is complex and challenging, particularly in a multi-tenant service provider model.  Some SaaS companies will choose to take on this challenge themselves, and some of those SaaS companies might be successful with this strategy.  But it will be more common for SaaS providers to outsource the management of the IT infrastructure so that they can focus on their application software and customer service.  Companies like Google who bring both large-scale IT infrastructure as well as leading application software to the party will be the exception, not the rule.

As for cloud computing ... cloud processing solutions like Amazon EC2 and cloud storage solutions like Amazon S3 have kick-started the next generation of products that will be delivered by IT service providers, much in the same way Exodus and Digex gave birth to the co-location and managed hosting industries more than a decade ago.  The fact that Amazon was the first entrant to the cloud computing service provider market doesn't suggest everyone else should go home.  There will be abundant opportunities for service providers - especially hosters - to differentiate their offerings.  This industry is far from commoditized.

For example, one of the most compelling applications for cloud computing infrastructure is in the field of disaster recovery.  As Forrester's Stephanie Balaouras correctly states in Cloud DR Services are Real, a service provider that understands how to sell and deliver service to business customers (as hosters do today) can displace traditional disaster recovery solutions with better, cheaper and faster-to-provision DR services.

There are many more examples in addition to DR.  The point is, classic product management is needed: 

  • What do business customers want? 
  • How can we meet customer needs in the most scalable and cost-effective way? 
  • At what price?
  • Who makes the purchase decision? 
  • Does the product require a consultative sale, or can it be purchased by anyone with a Web browser and a credit card?

Hosters are accustomed to doing product management for business customers. Amazon and Google may develop these skills too, but so far Amazon Web Services is basically raw infrastructure. That appeals to some market segments, particularly developers, but not all segments.

There is a large window of opportunity for all progressive hosting companies - and many other types of managed services providers - to enter the cloud computing market.  Rackspace has already done it and is demonstrating success.  SoftLayer has recently launched their cloud computing and cloud storage products. Other hosting providers that target large enterprise customers are deploying cloud computing and virtualization technologies in ways that meet the needs of their customers. 

This is only the beginning. 

Amazon and Google are great companies, but they will not prevent the wave of hosting companies and MSPs from playing a major role in the movement of IT infrastructure from the corporate closet to the Cloud. 

The phrase “razor sharp focus” is a tired cliché in our field, but you have to hand it to Google. They have just announced a “two-click data migration tool which allows employees to easily copy existing data from Exchange or Outlook into Google Apps.”

By building a tool to make this migration a “point-and-click” experience, they are hastening the defection rate for businesses looking for an alternative to Microsoft’s office suite. What’s more, three service providers - NuVox, Netfirms and IKANO - have already begun offering this tool to their customer base.

Google Apps Sync, as the migration tool is called, has already been put to use at enterprises like Genentech and Avago. Here’s some compelling Google propaganda:



It’s a case-study in business model disruption. The cost? One-sixth the price of Microsoft.

Of course we’re still in the “early days” and the jury is still out. Microsoft will surely counter with Azure, but you can see why Ray Ozzie is worried.

For Google, on the other hand, the state of cloud computing is promising. They claim around 1.75 million companies are running Google Apps. The enterprise, as Gray noted earlier, is ready for Cloud Computing. And why is this?  We’ve mentioned the economics before, but here is Google’s take on the benefits of Cloud Computing.

Too many think of cloud storage as just another, or the next, type of storage. As usual, this goes with a view that the "next" storage type is bigger, faster and cheaper, because each generation of storage is always bigger, faster and cheaper. As such, proponents of this view generally believe that access via traditional approaches, like WebDAV, NFS, CIFS and others, is a critical capability. Some may even argue that Web Services APIs are not the critical differentiation of Cloud Storage. We disagree.

Cloud storage is a radical change. It enables new application types. The critical capability for cloud storage is Web services API access, revealing the full promise of SOA (Service Oriented Architecture). Second, the services that are revealed by the API access go far beyond "put" and "get". Anytime and anywhere access, tagging, sharing and collaboration, geo storage via a single namespace, and policy management of storage are some of the services that the new applications will expect to find in the storage clouds they choose. Also, storing massive amounts of data in the cloud and having these services available to act on all the data is required.

Finally, traditional access serves a specific role: to get legacy applications connected to the cloud. Why? So that their data can easily enter the cloud and immediately take advantage of Cloud Storage services. That's the primary requirement for supporting traditional access. So, if you are thinking your Cloud Storage choice is driven by traditional access requirements, you are viewing Cloud Storage via the lens of traditional storage types, and you may ultimately be disappointed with your decision. If your selection of Cloud Storage is based on exposing your stored data to SOA and new services capability, with storage that is abstracted from processing, then you will have made the appropriate strategic decision.

So the innovator's dilemma is the thought that traditional access to a big back store is the critical issue associated with Cloud Storage selection, and second, that the evaluation point is traditional access, storage size and performance, at a new price point. That is the traditional approach. That is the next step, and traditional storage providers will push to make this the list of requirements for what you should buy. It is simply the next turn of the crank in the storage world, the next evolutionary step in storage. It is not Cloud Storage.

That is the way storage was.  Cloud Storage is about SOA, Web services APIs and advanced services revealed by these APIs, delivered via an abstracted storage solution, over a network, at low cost, for a large amount of storage.  As new applications arrive on the scene, powered by Cloud Storage, this will rapidly signal that something fundamental has happened.  A new storage type, driving new and creative applications, will allow for the creativity and skill of application developers to economically deliver the next generation of capabilities.  These new applications will require Cloud Storage, and the advanced services the storage cloud can deliver.  If all you want is bigger, faster, cheaper, you can solve your problem without a cloud, but you can solve this same problem with a cloud, and prepare yourself, and your data, for the future.

One of the interesting side effects of the rapid adoption of Cloud Computing by the enterprise is the impact this adoption will have on the design and delivery of IT service processes.

In his article Assessing cloud providers, Frank Ohlhorst reminds us that "moving to the cloud is primarily a business decision" dependent on the metrics of ROI (Return On Investment), performance, sustainability and suitability to task.

Managers, writes Ohlhorst, must be prepared to do the following:

- audit the target applications and business processes impacted to create a cost-benefit-risk analysis that compares a traditional client/server solution to a cloud-based solution.
- audit the cloud services provider, including an assessment of geographic redundancy, packet transport performance, latency and service guarantees.
- audit the business's own ISPs, including performance at connecting points, failover capabilities and guaranteed throughput rates to and from the cloud services provider.
- monitor and frequently evaluate service and performance elements.

Thus, Ohlhorst tells us, "one of the first steps for choosing a cloud service provider is to evaluate the level of service offered and the guarantees behind that service." His view is that the Service Level Agreements (SLAs) must be scrutinized under three specific lenses: data protection, continuity and costs.

While this is a traditional IT view, and seems quite logical, we disagree with his suggestion that IT Managers can turn to the Keynote Internet Testing Environment (KITE) and Internet Health Report to measure performance.

Why? Because these are uptime measures, not measures of service performance.

If you're familiar with ITIL V.3, you'll recognize this service model overview:

[Figure: ITIL service model overview]

In the ITIL world, service management can be broken into the following components:

- Service Strategy
- Service Design
- Service Transition
- Service Operation
- Continual Service Improvement

Traditional IT systems management thinking leads us to associate systems availability with service availability, so that if a network component is running normally, we assume that the services running across that network component are also running normally.

This is largely the view being taken by the traditional systems management companies. It is what we are seeing in announcements like this one from BMC Software and Amazon.com.

But the cloud service model is different, and - while it's great to see BMC extending its enterprise systems management platforms to incorporate Cloud infrastructure - Cloud computing brings about a different measure for service performance, best exemplified by a new breed of cloud computing management vendors like Nimsoft. Their view is as follows:

The "pay-as-you-go" nature of cloud computing breaks the link between component and service performance: typically, organizations pay for capacity or throughput, rather than specific components. Plus, the highly dynamic nature of the computing infrastructure that exists in the cloud makes traditional CMDB (or simple list) based systems management virtually impossible to implement. All the traditional server and network reporting that shows 99.999 up-time will become secondary and probably irrelevant for future service level management and reporting. What this means is that synthetic transaction monitoring--that is, generating, monitoring, and reporting on simulated service requests--will be of paramount importance.

This perspective puts an interesting twist on ITIL's IT Service Management model. Since there is no way to predict which cloud computing infrastructure components are accessible at any point in time, service delivery processes in the enterprise - and SLAs from cloud computing service providers - need to be all about service reliability rather than component reliability. This is a paradigm shift.

As we have written previously, cloud computing is unleashing the potential of SOA (Service Oriented Architecture) applications.  In a world of SOA applications running on Cloud infrastructure, the concepts of IT service delivery in the enterprise and SLAs from service providers will rest upon services and processes that can run on any infrastructure components within the cloud.  The notion of using discrete infrastructure components as the basis for measuring service quality goes away.  This is the philosophy of the new breed of cloud systems management providers: the focus of availability and performance measurement moves toward measuring the user experience.

And, as this transition comes about, what happens to CMDB-based systems management? How do we think about the CMDB when the management of these infrastructure parts is abstracted even further away from application performance? Does anyone see a new "cloud edition" of ITIL service delivery on the horizon?

Once again, there is an opportunity here for service providers to seize the initiative.

In a recent interview, Sajai Krishnan, CEO of Parascale, made some interesting observations about the needs of the cloud storage marketplace and how the offerings from Parascale met them.

Krishnan gives us his perspective of the cloud storage market and current opportunities in that space, primarily helping service providers build their own cloud storage offering to retain customers who might otherwise look to Amazon S3.

We welcome competition in this space.

While we agree with his assessment of the market, there are four claims that deserve a fact check:

CLAIM #1: ".. in terms of a cloud storage software solution, "pretty much" we are the only game in town"

That depends on how you define the phrase "pretty much." At Mezeo, we have focused on the service provider market from day one. And unlike Parascale, our software is in production with hosting providers - exhibit A: Softlayer.  Watch Softlayer CEO Lance Crosby discuss why he chose Mezeo >>

But don't take our word alone. Here's Simon Robinson, Research Director at the 451 Group:

Unlike the myriad other companies tackling this fragmented and nascent market, Mezeo is focusing its efforts on delivering a platform that enables service providers to deploy cloud storage services to their own customers. The company, which was created a year ago, already has engagements with several managed hosting service providers...

As it comes out of the gate with its first raft of cloud storage services, Mezeo simultaneously stresses that it's not another cloud storage services company. This may sound disingenuous, but on closer examination it's clear that there's a big difference between what the likes of ParaScale and EMC Atmos are doing and what Mezeo is offering. Ultimately, Mezeo is pretty much agnostic as to the specific flavor of storage; its differentiation is its ability to help service providers quickly deploy a range of feature-rich storage services, adding value where none exists today, and utilizing incumbent capabilities where they do exist. With so much of the interest in cloud computing focused on service providers, we think Mezeo has emerged at the right time with a novel platform.

Download the full report at www.mezeo.com

-------

CLAIM #2: "...yes we do S3-type or REST protocols..."

NOT. ParaScale has no REST-style APIs. In fact, it is unclear if ParaScale is using any APIs at all.

-------

CLAIM #3: Krishnan claims his focus is on service providers

Not quite! If we examine ParaScale's pricing model, and listen to what he says, it's the same old CAPEX. 

The traditional "Pay-upfront" model is not cloud-friendly, while a "pay-per-use" model is. The major benefit of cloud storage is the economics of "pay-per-use," as we have stressed on this blog earlier.

Pay-up-front or pay-for-capacity (versus  pay-per-use) completely defies the economics of "Cloud Storage" which is all about "pay for use." Asking providers to have a cost model that is not aligned with their revenue model brings into question ParaScale's focus on and understanding of the service provider market.

-------

CLAIM #4: Krishnan states that hosting providers will have to deploy cloud storage solutions to take on Amazon S3 and Google.

There is one point we agree on: hosting providers will indeed have to deploy cloud storage solutions to take on Amazon S3 and Google.

We have been blogging about this from the very beginning. Good to see Krishnan getting on board.

Here's to the competition. As the saying goes, let's stick to "just the facts!"

>> UPDATED: see Fact Checking the Fact Check

Many Cloud Computing pundits have predicted that the early adopters will be largely comprised of small and mid-sized businesses.

Some new data from Forrester suggests that won't be the case.  

According to Forrester's Frank E. Gillett in Conventional Wisdom Is Wrong About Cloud IaaS, one out of four large companies plan to use an external provider soon, or have already employed one.  Furthermore, we learn that 33 per cent of large companies plan to use a service provider for Infrastructure-as-a-Service, while just 24 per cent want to run their own "private" clouds.

Industry commentators are surprised by Forrester's findings.

Naysayer Bernard Golden writes that what he found most surprising was that more than one-third of both large and medium enterprise companies are ready to put enterprise applications into production in external cloud providers. He also notes "interest in production app placement in external clouds is nearly as high as for test/dev."

Mary Hayes Weier joins the chorus as well, and says that the Forrester report proves that "conventional wisdom is wrong."

The question is why.  Why are large companies challenging convention and turning to external service providers?

It's the economics. We see that cloud computing brings a disruptive and liberating pricing model to infrastructure. Why sink capital costs into infrastructure when you don't have to?

The cloud brings game-changing pricing and service capabilities to disaster recovery, fault tolerance, geographic redundancy, and other solutions that until now have been prohibitively expensive to everyone except for the largest organizations in the world. And now even these large organizations are not about to look the other way. They are looking at ways to optimize their IT and improve their cash flow. Why spend money up front when you can pay as you play?

Steve and I have been saying this all along, and now we're glad to see the evidence has reached the mainstream.

On this blog, we've talked about GE and Bechtel - and their enterprise level cloud computing plans. We've emphasized that it is the IT service providers who have the core competencies - the people and the ITIL processes - to deliver the promise of cloud computing to the enterprise. Enterprise hosting companies are already positioned to deliver cloud computing services to the enterprise market, and before long we think dedicated hosters who succeed in fully automating the purchase, provisioning and support of the physical/hardware layer (some would say, the commodity layer) will move up market in a Christensenian assault on the enterprise market.

As described by Nick Carr in The Big Switch, IT hosting is in the process of transforming to electric-utility-like status.  We will think of IT hosters as providing IT infrastructure as a service, and we will want to "plug in" to these providers as we plug in to the power grid today. 

About this Archive

This page is an archive of entries from July 2009 listed from newest to oldest.