Recently in The Personal Cloud Category

A recent report by Forrester's Andrew Reichman titled Business Users Are Not Ready For Cloud Storage: Current And Planned Adoption Of Storage-As-A-Service Is Minimal For Now paints a picture for cloud storage adoption, that at first blush, is not encouraging.

He states:

In Forrester's Enterprise And SMB Hardware Survey, North America And Europe, Q3 2009 survey, we asked businesses about their interest in "hosted storage capacity" offerings. Interest was minimal at best. Forty-three percent of all respondents said that they were simply not interested, and another 43% said that they were interested but had no plans to move forward.

While it could be argued that as a cloud storage supplier, I am necessarily bullish about the ultimate prospects, I believe the data is actually quite good and clearly represents what we are experiencing in the marketplace.  Now, Mezeo is engaged with many service providers, as well as the early adopters in the enterprise space as they begin their evaluations.

When I look at enterprise cloud-storage adoption based on Everett Rogers' diffusion curve I see a pretty clear view of the typical market place approach to adoption of disruptive technologies:    

For new, emerging, and potentially disruptive technologies, we should look for what the next practices are, i.e. the practices of the innovators and early adopters. The survey reflects the typical technology adoption cycle and re enforces what we are experiencing in the market place.

11% of companies are taking the plunge - these are the early adopters and innovators.  The early majority (43%) is interested, and watching.  The late majority is not in the game, yet.

So we are on track. And to prove it, let's look at one of these enterprise-level innovators: General Electric.

According to IBM storage expert Tony Pearson, GE has implemented cloud-based backups and archive for GE Corp, NBC Universal and GE Asset Management divisions running at only 32 cents per GB/month, representing a 40-60 percent savings over their previous methods. This includes backups of their external Web sites, archives of their digital and production assets, RMAN backups including development/staging databases. They plan to add out-of-region compliance archive in 2010. They also plan to monetize their intellectual property by offering "CloudStorage Manager" as a software offering for others.

As the industry announcements on Cloud Storage APIs keep coming, the confusion surrounding what they mean keeps growing.

We have the Amazon S3 APIs, Eucalyptus APIs, Rackspace Cloud Files APIs, Mezeo APIs, Nivanix APIs, Simple Cloud API, along with the standards proposed by the Storage Networking Industry Association (SNIA) Cloud Storage Technical Work Group, and more. 

So what should you do or think about all this? What impact do these Cloud Storage APIs have on your decision-making? Just how important are they, and what's next?

Here's some information to aid your understanding of this emerging and important technology.  Let's begin by answering two basic questions: 

What is a Cloud Storage Application Programming Interface (API)?
    
A Cloud Storage Application Programming Interface (API) a method for access to and utilization of a cloud storage system.  The most common of these are REST (REpresentational State Transfer) although there are others, which are based on SOAP (Simple Object Access Protocol).  All of these are associated with establishing requests for service via the Internet. 

What is REST? 
REST is a concept introduced in the doctoral dissertation of Roy Fielding, and is widely recognized as an approach to "quality" scalable API design.  The actual API design and capabilities are very dependent on the actual capabilities of the underlying Cloud Storage System

One of the most important REST capabilities is that it is a "stateless" architecture.  This means that everything needed to complete the request to the storage cloud is contained in the request, so that a session between the requestor and the storage cloud is not required.  Why is this important?  The Internet is highly latent (it has an unpredictable response time and it is generally not particularly fast (when compared to a local area network (lan)).  Once you get a request, there is no guarantee that you can ask a "qualifying question" of the requestor in a reasonable time period.  So, REST is an approach that has very high affinity to the way the Internet works.  Traditional file storage access methods that use NFS (network files system) or CIFS (Common Internet File System) do not work over the Internet, because of latency.

One other thing we should clear up:  Cloud Storage is for files, which some refer to as objects, and others call unstructured data.  Think about the "files" stored on your PC, like pictures, spreadsheets and documents.  These have an extraordinary variability, thus "unstructured".  The other kind of data is "block" or "structured" data.  Think data base data, data that feeds transactional system that require a certain "guaranteed" or low-latency performance.  Cloud Storage is not for this use case.  IDC estimates that approximately 70% of the machine stored data in the world is unstructured, and this is also the fastest growing data type.

So, Cloud Storage is storage for files that is easily accessed via the Internet.  This does not mean you cannot access Cloud Storage on a private network or LAN, which may also provide access to a storage cloud by other approaches, like NFS or CIFS.  It does mean that the primary and preferred access is by a REST API.  (Here are other terms you will see, RESTful, or RESTlike or RESTstyle, which is geekspeak for how closely the API conforms to the REST approach.) 

Today, there are multiple definitions for Cloud Storage, and the one I prefer is "File Storage accessed through Web Services API's over a network".  This represents the key attributes of file storage that is cloud storage, versus other types of file storage.  Other key qualities of a storage cloud are:

• multi-tenant support (use by more than one unrelated user)
• geo location and geo replication, seamless and real time provisioning of accounts
• seamless and real time provisioning of accounts
  
• availability of "practically" unlimited amounts of storage "on-demand"
• "pay for use", which means that your payment is for actual storage used, over some time frame, usually a month. 
  

There are many who are still arguing about what I have defined above, but what I've said is generally accepted by the industry.  If it is a vendor doing the arguing I would suggest you check under their hood, usually you will find that they do not offer whichever of the above features they are trying to argue out of the definition.

Also, traditional storage vendors continue to proclaim the importance of local network access (like NFS, CIFS or ISCSI) for the purpose of Cloud Storage access by applications that today can only access via the older protocols.   This requires that the application making the request be on the same local network (think same data center) as the storage cloud.  Their reason for this view is that they are only just beginning to see application demand for storage cloud access via REST APIs, versus their traditional business model which serves an enterprise user with their own data center. 

This is why Cloud Storage has generally emerged as a service offering in the IT Service Provider  (also know as the WEB Hosting Industry) space first.  In this space, there is no doubting the importance and future of REST API access to storage clouds, it is only viewed as an adoption speed issue.  Note that within the data center, access to storage using an HTTP based protocol is not necessarily any slower than one of the more traditional protocols. API access has been labeled as being a slower form of access over NFS and CIFS. This view is largely due to the fact that it "may" be accessed over the Internet. In most cases, it is the network that adds the latency, not the means of access. Make no mistake, traditional storage vendors see this coming, and they will make offerings available in the near future.

REST APIs are language neutral and therefore can be leveraged, very easily, by developers using any development language they choose. Resources within the system may be acted on through a URL. So, an API is not a "programming language" it is the way a programming language is used to access a storage cloud.  This is part of the basic understanding of APIs that is required to discuss the dreaded "vendor lock in" and upcoming "cloud lock in" discussions and understand the issues that surround these assertions.

REST APIs are also about changing the state of resource through representations of those resources. They are not about calling web service methods in a functional sense. The key differences between different Cloud Storage APIs are the URLs defining the resources and the format of the representations.
 
The Cloud Storage space is very young and everyone has their opinions on how things should be represented and accessed. Efforts are underway by organizations like SNIA, with their Cloud Data Management Interface (CDMI), to standardize both the resource structure and the representations. However, standards are not developed overnight and customers are demanding programmatic access to Cloud Storage now.

Current Cloud Storage vendors have produced a basic set of APIs that are accomplishing fairly similar things, and other APIs that expose the underlying unique functionality of the Cloud Storage platform supplying the storage cloud.  You should expect that, over time, most storage clouds will provide the basic functions in somewhat similar ways, and further that additional advanced functions will be adopted and expected to be in every storage cloud offering. 

Finally, you should look for a taxonomy of APIs, that includes basic file functions, advanced functions, Provisioning APIs, Billing APIs, and Management APIs.  Storage clouds that become successful will offer all these capabilities, to increase the efficiency of their use.



 
Several efforts have been made to simplify the transition between vendors by providing an abstraction layer on top of the vendor's APIs. In this approach, a program library is created, for use in the application that needs cloud storage access, and this API translates (for the given program language) a single API into the API that is specific to a Cloud Storage offering.  So, the application, which is using this library, writes their APIs once, and achieves portability between storage clouds that are supported by this approach.

This approach has been largely programming language specific and may take advantage of the language it was designed for. Good examples of this are jClouds, an open source cloud storage abstraction library written in Java, and Simple Cloud API, a collaboration of vendors including Microsoft, Rackspace, Nirvanix, IBM and Zend which provides a simplified Cloud Storage interface for PHP developers. While extremely useful for developers, these abstractions tend to expose the lowest common denominator relating to Cloud Storage functionality and may omit critical features, for example only providing namespace object access as opposed to ID access.

So, let's discuss lock-in, the term used to express concern that once a vendor has gotten you to exploit their architecture and technology, they will recognize that you are committed to them and cannot easily move away.  As a result, they will then raise their prices and take advantage of your lock in status, keeping their price just below the amount that would encourage conversion away from their technology and towards a more "open" set of capabilities.  Let's look at all the "dreaded" examples that have been surfaced around cloud storage and as a reason to slow it's adoption:

1.    API lock in, which means your interaction with a storage cloud uses the APIs of that storage cloud, and suggests that you cannot easily move to another providers cloud with their own, different APIs.

2.    Vendor lock in, which means that since you are condemned because of your application development activity with specific APIs to use only a cloud from a specific supplier.

3.    Device lock in, meaning that you developed a cloud storage based program utilizing the APIs of that specific cloud, for a specific device (generally a PDA) that has specific functionality.  This is double lock in, both the device programming methodology and the API selection.

4.    Browser lock in, meaning that programming to specific APIs can also be rendered unique based on the Web browser that is selected.

5.    Programming language lock in, which means that you have written the APIs in a language like Python, or JAVA, or .NET, or whatever.

6.    API wrapper lock in, which means that you incorporated libraries into your application that allows your application to write generic APIs, which are then translated by these APIs to the correct API for the desired storage cloud (this is what Simple Cloud API is).

So, as you can see here, utilizing cloud storage could ultimately have you locked in on at least six levels! 

With this much opportunity for vendor abuse, why are developers rushing to write Web based applications that utilize cloud storage services via API access?  Are they simply uncontrolled, unthinking rebels who will shortly learn the error of their ways?  Have they made a fatal error?  Or do they know something you don't?

First, learn about Cloud Storage APIs.  What they do is make storage programmable, and they abstract storage from the application.  They offer advanced functionality (the programmable word) that makes it faster and easier to write the applications that are scalable versus the traditional storage access approaches.  When you add these two capabilities to the storage cloud offering of low cost, availability in multiple locations, seamless provisioning, ease of adding additional storage, and the pay for use model, the case for the cloud has become compelling.

Where are we seeing early adoption:  at service providers, because they host Web based applications and SaaS (usually Web based) applications, and this is where the developers who recognize the opportunity are focused. 

What is coming: the introduction of this technology into the enterprise, complete with the adoption of the RESTful API technology.  This will ultimately lead to a level of cooperation between service providers and the enterprise that has long been predicted.  Enterprises will move to an IT modeled on an OPEX model, and expect their applications to be provisioned and interacting with service provider clouds, via APIs.  IT Service Providers are racing to build the clouds to provide for this emerging business opportunity.

So, what about the lock in mentioned above.  Sit down with your developer, they will show you why they don't feel "locked in".  They will show you that you can quickly recraft your current APIs, in the programming language of your choice, to utilize the new APIs of the desired cloud.  For this reason, Simple Cloud API will likely be a short term measure, which precedes base case APIs that are extremely similar, and goes through a market led process to identify "best practice" APIs for both base case and advanced function, as well as all the other API led capabilities as mentioned above.  In short, vendor lock in is not the problem for this technology that it has been for others.  Also, the ingenuity and resourcefulness of all the suppliers, standards groups, and market adoption scenarios will continue to mute your ability to be lock in free. 

Your real challenge is not lock -in, but rather how to adopt this new set of capabilities, and solve problems and create opportunities with your IT solutions as rapidly as possible.  Standing on the sidelines waiting for this one to resolve will keep you out of a great opportunity, because we still have several meaningful years of rapid change associated with this technology adoption cycle. 

BMC Software's announcement that it has entered into a definitive agreement to acquire privately-held Tideway Systems Limited (Tideway), a provider of IT discovery solutions, can be interpreted as an extension of BMC's commitment to cloud-computing.

Here are two important statements in the press-release:

1. BMC will deliver unmatched visibility into the data center and rapidly reduce the time and resources required to model, manage and maintain applications and services. This is critical for IT organizations that are transitioning applications and services to cloud computing environments.

2. With the acquisition of Tideway, BMC adds the industry's leading application discovery and dependency mapping capabilities to manage and maintain complex data center environments including distributed, virtual and mainframe IT platforms and further extends its leadership in business service management.

So let's see what this could mean. 

It gives BMC the critical capability to discover and map complex data environments which are both physical and cloud-based.

This acquisition also puts BMC in a strong position to build a cloud-based CMDB.  While that might not happen right away, it is clearly now a key capability if they decide to pursue it. It also allows them to build a federated CMDB - and manage the hybrid cloud - private and public - across enterprise and hosted data centers. 

The evolution towards cloud-based ITIL continues.

We've discussed ITIL and Cloud Computing and the role of trust as a differentiator for service providers. Yes, we see the evidence that IT Hosting companies and managed service providers are closer to their customers and we see that their differentiation is their commitment to serving the customer.

But Amazon, Google, and Microsoft aren't going away. As they pressure customers to make the switch to the cloud, traditional service providers must find new ways to compete. Step one, of course, is providing alternatives - cloud services, like storage for example.  Step two is to highlight their customer commitment - the relationships they already have and defend this "advantage" by becoming even more responsive. 

So how do you build trust? According to Stephen Covey Jr. trust is built through behavior. His work has identified 13 behaviors which build trust:

1. Talk Straight
2. Demonstrate Respect
3. Create Transparency
4. Right Wrongs
5. Show Loyalty
6. Deliver Results
7. Get Better
8. Confront Reality
9. Clarify Expectations
10. Practice Accountability
11. Listen First
12. Keep Commitments
13. Extend Trust

But how do these behaviors translate to a cloud service delivery model? 

To answer this question, I dug up an old model for assessing service quality - SERVQUAL -  which was introduced to the world of service and retail back in 1988 (those were the days before ITIL).  SERVQUAL has its share of detractors, but even recent research reminds us that it is still a useful model.  In particular, I'm interested in how it can be used to help service providers improve and extend their intangible advantages over the more impersonal big shops.

Over the years, the SERVQUAL instrument has been a popular methodology used to measure consumers' perceptions of service quality. Its five generic dimensions or factors are still valid:

(1) Tangibles: physical facilities, equipment and appearance of personnel.
(2) Reliability: the ability to perform the promised service dependably and accurately.
(3) Responsiveness: willingness to help customers and provide prompt service.
(4) Assurance: includes competence, courtesy, credibility and security; the knowledge and courtesy of employees and their ability to inspire trust and confidence.
(5) Empathy: includes access, communication, understanding the customer; caring and
individualized attention that the firm provides to its customers.

None of these dimensions will change in the cloud, with the exception that some of these dimensions are now virtual and must be proven online (customer support, for example) or through superior automation of work processes.

Let's also analyze the SERVQUAL "gap model," as it was called, and see how it applies to service delivery in the cloud:

Let's look at the meaning of each "gap" - the possible breakdown areas in service delivery:

Gap 1: Customers' expectations versus management perceptions: caused by the lack of a marketing research orientation, inadequate upward communication and too many layers of management.

Gap 2: Management perceptions versus service specifications: caused by an inadequate commitment to service quality, a perception of unfeasibility, inadequate task standardization and an absence of goal setting.

Gap 3: Service specifications versus service delivery: caused by role ambiguity and conflict, poor employee-job fit and poor technology-job fit, inappropriate supervisory control systems, lack of perceived control and lack of teamwork.

Gap 4: Service delivery versus external communication: caused by inadequate horizontal communications and propensity to over-promise.

Gap 5: The discrepancy between customer expectations and their perceptions of the service delivered: caused by the influences exerted from the customer side and the shortfalls (gaps) on the part of the service provider. In this case, customer expectations are influenced by the extent of personal needs, word of mouth recommendation and past service experiences.

Gap 6: The discrepancy between customer expectations and employees' perceptions: caused by the differences in the understanding of customer expectations by front-line service providers.

Gap 7: The discrepancy between employee's perceptions and management perceptions: caused by the differences in the understanding of customer expectations between managers and service providers.

Three of these gaps are directly connected external customers: Gap 1, Gap 5 and Gap 6.  Service providers will find their optimal "trust-building" opportunities here.  Apply Covey's 13 behaviors to each one of these gaps to build on your commitment to your customers.

Amazon, Google, and Microsoft aren't building a high-touch responsive model for their cloud services. But you, the service-provider, already have a high-touch relationship. Your cloud-based SLAs must reflect this advantage. The security issue is just a small part of this reality.

Service providers who dedicate themselves to closing the gaps will succeed in this new world.

The quest for quality service didn't start yesterday. I highly recommend that service providers give Delivering quality service: balancing customer perceptions and expectations by Valarie A. Zeithaml, A. Parasuraman, Leonard L. Berry, a second look.

With all due respect to Cory Doctorow, he's wrong.

In his article Not every cloud has a silver lining (Guardian) he states:

There's something you won't see mentioned by too many advocates of cloud computing - the main attraction is making money from you.

And I suppose all the vendors of physical storage, the hard drives, etc., are interested in your spiritual well being!

Here's the heart of Doctorow's beef with cloud computing:

Rather than buying a hard-drive once and paying nothing - apart from the electricity bill - to run it, you can buy cloud storage and pay for those sectors every month. Rather than buying a high-powered CPU and computing on that, you can move your computing needs to the cloud and pay for every cycle you eat.

The point he misses is that cloud computing exists because it answers a real need.

We aren't prohibiting you from buying physical hard drives, I assure you. In fact, we think physical and cloud storage will work together, complementing each other. It's not one or the other.

Our focus is to provide specific services which deliver quantifiable value for both individual consumers and business users. As we mentioned earlier, the basic promise of cloud computing: instant access to your data anytime, anywhere, on any device, is already a reality. It's all about convenience, ease-of-use, cost, and of course, value-delivered. The cloud is a disruptive innovation.

Let's review the benefits of cloud computing:

For Businesses
In addition to cloud storage, the cloud brings game-changing pricing and service capabilities to disaster recovery, fault tolerance, geographic redundancy, and other solutions that have been prohibitively expensive to everyone except for the largest organizations in the world. Here are some specific drivers of business value:

Financial Benefits: The very nature of "pay per use" makes large upfront financial outlays a thing of the past. So your CFO won't bug you about capital expenditures.  You'll simply have to pay a monthly fee for renting the data center and the services you choose. And yes, that's a monthly operational cost.

Better use of Human Resources: Your IT people don't have to spend time doing repetitive tasks like provisioning and  setting passwords.  That will be done in an automated way by your service provider.

Agile Provisioning: "Time to value" is greatly accelerated using the cloud.  Softlayer, for example, allows lets you deploy on-demand computing instances running enterprise-grade and open source operating systems in as few as five minutes. Can your IT department do that today?

Scalability and Flexibility: The cloud provides customers with the capability to start small and grow with demand, in real-time. Cloud "burstability" allows for rapid scaling to meet demand caused by usage spikes.

Leaner and Greener Infrastructure: The cloud allows companies to outsource their IT infrastructure, and maximize utilization of the computing power of their service provider. This makes for a leaner and greener IT infrastructure for all.

Service Oriented Architecture:  Cloud Storage accessed via RESTful Web Services APIs provides new capabilities for developers.  For the first time, an abstracted, services rich storage layer is a true SOA implementation.

For Individuals
I already hear commercials on TV:

"Are you tired of lugging your laptop everywhere? Are you tired of transferring your files every time you switch devices? Are your running out of space for your endless downloads of videos, songs, and movies? Do you want to access your files anytime, anywhere, on any device? Try cloud computing, and your life will never be the same."

The flexibility cloud computing offers individuals is unparalleled. Again, it is the user-experience which will determine cloud use by the consumer.  And as we see more and more personal files (videos, music, photographs) explode, we'll see a bigger and bigger role for cloud computing.

A final statement. We do want to make money. Like everyone else in the market, we're going to have to deliver value to earn your trust and dollars. And if you find that you get more value from buying your own physical storage or owning and operating your own datacenter, go ahead.  We're betting we can show you a better way, a way that complements your local storage.

When we posted our ParaScale Fact Check blog post earlier, it was specifically oriented to a situation where there were specific, unsupported claims by ParaScale. 

A fact check should be based on facts, not marketing claims or opinions.

The claim that ParaScale offers Web services APIs, among other claims, initiated our response.  Now, ParaScale not only does not have them, but claims that you should not use them, unless and until there are S3 APIs.  Furthermore, they have now initiated a Mezeo fact check.  Except they are making marketing claims, they do not, nor can they offer "facts" that are claims by Mezeo that are not in fact true.

Here are their claims and our responses:

Mezeo does not give you the storage economics to compete with Amazon.

Mezeo response:  ask our many customer references in the hosting industry, they are competing and winning against Amazon.  By the way, we came from the hosting industry, and we know how much it costs to host storage. They don't state a fact, this is their opinion, and it is unsupported by facts.

Mezeo is not adaptable to your customer's data access needs of standard protocols.

Mezeo response:  We have offered WebDAV support since Q1 of this year, our Windows Native client has been available since we launched our company, as well as REST APIs.  CIFS and NFS are easily with the scope of our capabilities, and we will be advising our customers and prospects of our plans in this area. It is unclear to me that this demonstrates a "lack of adaptability".

It is simply proprietary REST API with custom clients. 
Mezeo response:  This is not a fact.  In fact, we now have to fact check ParaScale again.  The Mezeo platform offers significant, extensible services that go beyond those on competitive public cloud offerings.  These include secure sharing, public sharing, collaboration, tagging, notifications, permissions, and numerous other services that make Mezeo a desired platform for Web developers.  Our SPML based provisioning integration; APIs for billing and bandwidth utilization, and Acceptable Use Management further differentiate the offering.  Many consider our ability to accommodate both industry standard file systems and clustered file systems (like ParaScale, for example) for the storage target of a Mezeo based cloud as an advantage.  You can mix and match storage offerings in a Mezeo cloud to achieve different offerings of price, performance and availability, all on a single infrastructure.  Finally, access, via APIs, WebDAV and our white label clients are a critical differentiator, and we deliver all of this today!

PROPRIETARY REST API:  With an understanding of REST and APIs, you understand that this is not the critical issue.  The critical issue is that Web developers want to develop against platforms that offer REST APIs.  The minimal changes required on the APIs to move from one cloud to another has never been raised as an issue of significance, versus the services and features of specific clouds.  

To this very point, Lydia Leong of Gartner, in a recent blog post, asks the question:  Are Multiple Cloud APIs Bad?

"... I believe that it's too early in the market to seek commoditization. Universal commitment to a particular API at this point clamps standardized functionality within a least-common-denominator range, and it restricts the implementation possibilities, to the detriment of innovation. As long as there is rapid innovation and the market continues to offer a slew of new features -- something which I anticipate will continue at least through the end of 2011 and likely beyond -- standardization is going to be of highly limited benefit."

Mezeo is also engaged with the SNIA Cloud Storage Technical Working Group (I talk about the group here) to work with the industry to sort out the requirements for APIs that will allow for transportability, and there are other vendors that build wrappers that provide for easy portability amongst APIs.  

Finally, here's an opinion: if I were calling myself cloud storage for the IT hosting industry, and I did not offer REST Web Services APIs, I would likely argue that they are not needed, or at least that they are the wrong ones if they are not like S3.  When I am with my colleagues in the Web Hosting Industry, they find this argument against APIs amusing to say the least, and that's a fact you'll have to accept my opinion on! 

My last post on REST generated some attention.  Since it is an important topic, I wanted to share some additional links for those who are trying to improve their understanding of REST:

- Stefan Tilkov's Intro to REST presentation and When is an API RESTful?
- Dare Obasanjo's Explaining REST to Damien Katz
- Paul Precod's Second Generation Web Services, REST and the Real World, SOAP, REST and Interoperability
- Tim Bray's The Sun Cloud and REST, as in Take It Easy
- More stuff from Roger Costello
- Ryan Tomayko's How I Explained REST to My Wife
- Roy T. Fielding's Dissertation: Chapter 5

REST reflects the architecture of the Web.  One of its most important characteristics (and there are many) is that it is "stateless".  That means that a REST style command from a requestor to a responder has everything in it the responder needs to know in order to take an action.  No further handshaking is required.  Very efficient and Web like.  Since it is "stateless" it works very well with a "stateless" server architecture, in order to achieve Web scale.  In this way many clients can interact with many servers against a large pool of objects to accomplish many interactions, well, you get the point, Web scale.  That's one reason we use RESTful Web Services API commands to access the Mezeo Cloud Storage Platform servers, which are also stateless architectures, implemented via Linux.  Web scale, one of the requirements of cloud.

REST is also highly efficient, so that interactions between requestors and responders via a network can be done with a minimum of overhead.  If you ever download a 500 gigabyte file via a cable modem based internet connection, you will likely appreciate any efficiency that can be achieved.  Speaking of efficiency, REST also accommodates caching, at both the client and the server, which can dramatically improve the efficiency of your interactions with the "object" (an object could be, for example, a file, like a picture, or a pdf). 

Developers who utilize RESTful Web Services APIs to create applications appreciate the efficiency and capability of the APIs.  Expect, over time, to see more commonality among base case APIs and other APIs that expose storage cloud specific advanced services.  For example, Mezeo based clouds offer a secure share, collaboration, notifications, and nested files and folders, for example.  Some clouds may have such a unique set of APIs that others will create translators (wrappers, for the IT guys in the audience) for them, and we will continue to make headway on openness.

RESTful APIs are a critical part of new application development, and represent the delivery of Service Oriented Architecture infrastructure for storage.  Storage is now programmable.  And I bet you thought cloud storage was just a utility computing model applied to storage, for scalability and pay for use.  Both are necessary, but not sufficient for cloud storage.

Most of us in the Cloud Storage industry strongly believe that a key capability of a storage cloud is the REST style Web Services API.  Many of the most popular storage cloud services include or exclusively use REST, including SoftLayer's CloudLayer, Amazon S3, Nirvanix SDN and Rackspace Cloud Files.

Other access methods that are most often associated with Cloud Storage access include cifs, NFS and WebDAV,  NFS and cifs are not particularly usable via an Internet connection and therefore useless in public cloud offerings.  While WebDAV is very useful for an Internet connection, it is similarly limited, in that all three protocols support traditional file operations like store and retrieve, versus the robust set of services that Web Services APIs can deliver.

Amazon introduced S3 with REST style API access only.  Cloud Files from Rackspace also utilizes REST style APIs. Nirvanix SDN utilizes both REST and SOAP APIs.  Mezeo offers REST APIs.   Various groups are also engaging on the issue of what representations of REST should be common across cloud offerings.  The SNIA, (the Storage Networking Industry Association) has assembled a technical Cloud Storage working group for further refinement of REST style implementations for several purposes.

So, what is the purpose of the other, older access protocols?  When deployed with API based Cloud Storage offerings, they provide additional options for legacy applications to expose their objects (files) to the advanced services of the Cloud, and further make these files available to the new API based applications.

Why all the excitement about RESTful APIs?  Cloud Storage is more than a utility business model applied to traditional storage. It is storage that is accessed via Web Services APIs, over a network. Developers utilize these APIs because they are easy to use and they expose significant capabilities and services from the storage cloud, far beyond scalability, performance and pay for use.  As I have said before, scalability and pay for use are as much a business decision about how you sell storage, as they are a technology implementation of storage.  If there were no need for the API based services, the older and well used protocols would persevere.  This is clearly not the case.

I have carefully avoided the use of the word "standard" associated with the REST  style or architecture.  Here is an interesting view on that topic from Roger Costello:

REST is not a standard. You will not see the W3C putting out a REST specification. You will not see IBM or Microsoft or Sun selling a REST developer's toolkit. Why? Because REST is just an architectural style. You can't bottle up that style. You can only understand it, and design your Web services in that style. (Analogous to the client-server architectural style. There is no client-server standard.)

Cloud storage service providers understand that a new storage infrastructure has emerged, as an embodiment of Service Oriented Architecture, with a set of services that are delivered via APIs.  Scalability, performance and pay for use are attributes of traditional and cloud storage solutions, but Web services APIs are the distinguishing feature of cloud storage.  Accessing storage via Web services APIs represents a revolutionary change in storage, not a simple generational change. REST APIs are the embodiment of the way the Web works and are necessary to expose storage as a "storage cloud"!

What should you expect in relation to these API issues?

Most of us expect that over time, there will be a base set of specifications that are jointly developed within the marketplace and by various industry organization, resulting in a well accepted set of representations for REST style Web Services APIs.  At a panel at Hosting Con earlier this week, both Emil Seyegh of Rackspace and myself confirmed that when the industry gets further clarity on this specification, it will be relatively easy to introduce those APIs into our offerings, and that they can co exist with our current APIs.

REST is a topic that you will continue hearing more about.  You'll most certainly hear more about it from me in future posts.

Articles and blog posts associated with security and cloud computing are a daily occurrence, unless some well-publicized breach occurs in the cloud.  At that point the number of commentaries and discussions will increase exponentially, and then, over the following week, return to normal frequency.  I decided to focus on security as it relates to cloud storage, to see if something really new and different is occurring, and if overall changes need to be contemplated, as it comes to classic data security activities.  When I focused in this way, I quickly discovered that not much has changed, and security of data in the cloud is highly dependent on the same precautions and understandings as security of your data in a private data center.

In this recent article, it was suggested that files of one owner residing on a physical device with the files of others could somehow result in unauthorized access. It could, and the answer to this and a myriad of concerns fits within traditional approaches and understandings of security.   For example, Mezeo encrypts all files prior to storage.  So, even if you somehow got access to another's file, it would do you no good.  My point is that the cloud introduces a few additional complications, but it is not a problem that the current level of speculation seems to portray it as.  An extension to typical security practices, diligence, effective execution and audit of your current practices is what is required.

With this underlying theme, we look at how best we can ensure the security of the data in the cloud. Let's look at five areas that you should consider in regards to storing data in the cloud.

1. Physical Security: First, understand some things about the data center that is hosting the cloud where your data is stored:

• Is the data center physically secure? 
  
• What about it's ability to withstand power outages? 
  
• For how long? 
  
• Are there multiple, independent (on different grids) electrical power paths? 
  
• How are communications facilities enabled and where does the fiber enter the facility?
  
• How many communications providers have a POP (point of presence) at the facility? 
  
• How is the data center certified (SAS 70 Type II)?  

World class data centers are expensive, and they are also well understood.  What is the tier rating of the data center? (Tier IV is best). Make sure you do business with a cloud storage service provider who makes use of such facilities.

2. Data encryption: Encryption is a key technology for data security.  Understand data in motion and data at rest encryption.  Remember, security can range from simple (easy to manage, low cost and quite frankly, not very secure) all the way to highly secure (very complex, expensive to manage, and quite limiting in terms of access).  You and the provider of your Cloud Storage solution have many decisions and options to consider.  For example, do the Web services APIs that you use to access the cloud, either programmatically, or with clients written to those APIs, provide SSL encryption for access, this is generally considered to be a standard.  Once the object arrives at the cloud, it is decrypted, and stored.  Is there an option to encrypt it prior to storing?  Do you want to worry about encryption before you upload the file for cloud storage or do you prefer that the cloud storage service  automatically do it for you? These are options, understand your cloud storage solution and make your decisions based on desired levels of security.

3. Access Controls: Authentication and identity management is more important than ever.  And, it is not really all that different.  What level of enforcement of password strength and change frequency does the service provider invoke? What is the recovery methodology for password and account name?  How are passwords delivered to users upon a change?  What about logs and the ability to audit access?  This is not all that different from how you secure your internal systems and data, and it works the same way, if you use strong passwords, changed frequently, with typical IT security processes, you will protect that element of access.

4. Service Level Agreements (SLA): What kind of service commitment is your provider willing to offer you? Are they going to be up 99.9% of the time or 99.99% of the time? And how does that difference impact your ability to conduct your business? What is the backup strategy that your cloud provider uses, and does it include alternative site replication?  Do they use one at all, or is backup something you have to provide for?  Is there any SLA associated with backup, archive, or preservation of data.  If your account becomes inactive (say you don't pay your bill), do they keep your data?  For how long?  Once again, realize that there are different services, with different features, at different costs, and you get what you pay for.

5. Trusted Service Provider: The trusted service provider is a critical link.  Unlike your in-house IT department, you are now putting your trust in a 3rd party.  You must feel confident that they will do what they say they will do.  Can they demonstrate that the safeguards they claim are indeed delivered?  What is their record?  Do you have a successful business relationship with them already, and if not, do you know of others who do?  Remember, are they in business to serve business, or is it simply another service that they offer, focused first on cost per gigabyte, versus service and support.  This is where many IT service providers have made their living, providing world class service and support, along with effective, efficient, low cost infrastructure.

So what has really changed? More than anything it is a heightened awareness of the need for security.  Security is delivered on a sliding scale, and the result you achieve is based on well understood principles.

Of equal interest are the legal implications associated with hosting your data at service providers.  You can extend the notion of security to access by various government entities, depending on where your data is hosted.  While the focus of this post has been associated with preventing unauthorized access, this is yet another consideration associated with where your data is stored. 

Sure, cloud storage requires that you add some additional and/or different considerations to your evaluation and monitoring process, like understanding your service provider versus your own IT department.  The IT Service Providers know and understand the importance of this. Most will step up and ensure that they deliver excellent service to you and become your long term Trusted Partners. Those that don't will fall by the wayside.

The concept of Service Oriented Architecture (SOA) has been around for a long time, and some people believe it has not fulfilled its promise.  To the contrary, SOA is well on its way to fulfilling its promise and the rise of cloud computing infrastructure is an important step in this process.  In fact, cloud computing is already beginning to unleash the potential of SOA and much more is on the way.

David Linthicum, Editor-in-Chief of Sys-Con's Virtualization Journal, has it mostly right.  He says:

Let's get this straight: SOA is an architectural pattern, simply put the ability to create an architecture around the notion of many services that are bound together to create and re-create business solutions. Cloud computing is a set of enabling technologies as a potential target platform or technological approach for that architecture...One is the way of doing something, while the other is a potential outcome. SOA doesn't go away. It's not replaced. It's architecture. Cloud computing is a potential outcome of that architecture, thus cloud computing needs architecture, and vice versa.

David's rant was an argument against complaints by certain industry pundits that cloud computing is just an over-hyped reincarnation of SOA. 

I agree with David as far as he goes, but he can take his point further. He is correct to call SOA an architectural pattern.  He is correct to call cloud computing a "target platform."  But the real news in this story is that a target platform is exactly what SOA has been lacking all these years.  All applications must run somewhere; applications need infrastructure. 

SOA is an application architecture; cloud computing is an infrastructure architecture.  It's that simple.  This marriage is long overdue.

SOA applications inherently call upon Web services to request resources, so to run properly SOA applications need infrastructure architecture that lends itself SOA.  Cloud processing (dynamic allocation of CPU resources) and cloud storage (Web services API access to storage resources) infrastructure is the most natural target platform for SOA apps because cloud infrastructure is designed to scale in the way implied by the SOA approach to application architecture. 

Until recently, where could a SOA app find a venue to stretch its legs?  There weren't many options until the earliest cloud computing service providers deployed large-scale cloud infrastructure.  The SOA world owes Amazon and Rackspace a big thanks for making the infrastructure investment required to launch S3, EC2, CloudSites, CloudFiles, and CloudServers.  As the rest of the Hosting market--and broader IT service provider industry--follows suit, SOA applications will flourish.

So David, you're right.  Not only do cloud computing and SOA "need each other," but together they will ultimately justify all the hype.