Wednesday, September 22, 2010

The cloud popularity contest

Zenoss has released a survey about business interest in Cloud Computing. Take it with a grain of salt, as the survey only consisted of 200 or so individuals. The most interesting part is that Amazon still holds a strong lead in cloud, but Google AppEngine is very quickly catching up:


Is the cloud insecure?


Cloud security is at the top of every CIO's mind. Apparently some people even consider that cloud risks outweigh cloud benefits.

Unfortunately, an overzealous approach to cloud security can lead to arguments that detract from the real issues, with little to no analysis of the specific problems at hand.

Below is a list of cloud security issues that I believe affect large organizations:

  • Separation of duties: Your existing company probably has separate application, networking and platform teams. The cloud may force a consolidation of these user groups. For example, in many companies the EC2 administrators are application programmers, have access to Security Groups (firewall) and can also spin up and take down virtual servers.
  • Home access to your servers: Corporate environments are usually administered on-premise or through a VPN with two-factor authentication. Strict access controls are usually forgotten for the cloud, allowing administrators to access your cloud's control panel from home and make changes as they see fit. Note further that cloud access keys/accounts may remain available to people who leave or get fired from your company, making home access an even bigger concern...
  • Difficulty in validating security: Corporations are used to stringent access and audit controls for on-premise services, but maintaining and validating what's happening in the cloud can become a secondary concern. This can lead some companies to lose track of the exact security posture of their cloud environments.
  • Appliances and specialized tools do not support the cloud: Specialized tools may not be able to go into the cloud. For example, you may have Network Intrusion Detection appliances sitting in front of on-premise servers, and you will not be able to move such specialized boxes into the cloud. A move to Virtual Appliances may make this less of an issue for future cloud deployments.
  • Legislation and Regulations: Cross-border issues are a big challenge in the cloud. Privacy concerns may forbid certain user data from leaving your country, while foreign legislation may become an unneeded new challenge for your business. For example, a European business running systems on American soil may open itself up to Patriot Act regulations.
  • Organizational processes: Who has access to the cloud and what can they do? Can someone spin up an Extra Large machine and install their own software? (LabSlice adds policy management to stop this from happening). How do you back up and restore data? Will you start replicating processes within your company simply because you've got a separate cloud infrastructure? Many companies are simply not familiar enough with the cloud to create the processes necessary for secure cloud operations.
  • Auditing challenges: Any auditing activities that you normally undertake may be complicated if data is in the cloud. A good example is PCI -- Can you actually prove that CC data is always within your control, even if it's hosted outside of your environment somewhere in the cloud ether?
  • Public/private connectivity is a challenge: Do you ever need to mix data between your public and private environments? It can become a challenge to send data between these two environments, and to do so securely. New technologies for cloud impedance matching may help.
  • Monitoring and logging: You will likely have central systems monitoring your internal environment and collecting logs from your servers. Will you be able to achieve those same monitoring and log collection activities if you run servers off-premise?
  • Penetration testing: Some companies run periodic penetration testing activities directly on public infrastructure. Cloud providers may not be as amenable to 'hacking' type activities taking place on the infrastructure that they provide.
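
One way to check for the first two issues in the list above (firewall and server lifecycle rights held by the same person, and access keys still held by people who have left), as an added example that is not part of the original post. The user names, policy documents and staff roster are constructed sample data, and the matcher is a simplification that evaluates only Effect and Action of IAM-style policies.

```python
import fnmatch

# IAM-style action names for the two duties the post says get merged.
FIREWALL = ("ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress")
LIFECYCLE = ("ec2:RunInstances", "ec2:TerminateInstances")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allows(policy, action):
    """True if some Allow statement matches and no Deny statement does.
    Simplification: Resource, Condition and NotAction are ignored."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        hit = any(fnmatch.fnmatchcase(action.lower(), pat.lower())
                  for pat in _as_list(stmt.get("Action", [])))
        if hit and stmt.get("Effect") == "Deny":
            return False  # an explicit Deny always wins
        allowed = allowed or (hit and stmt.get("Effect") == "Allow")
    return allowed

def audit(users, active_staff):
    """Return (user, issue) pairs for merged duties and for leavers with keys."""
    findings = []
    for name in sorted(users):
        user = users[name]
        firewall = any(allows(user["policy"], a) for a in FIREWALL)
        lifecycle = any(allows(user["policy"], a) for a in LIFECYCLE)
        if firewall and lifecycle:
            findings.append((name, "firewall+lifecycle"))
        if user["access_keys"] > 0 and name not in active_staff:
            findings.append((name, "leaver-with-keys"))
    return findings

# Constructed sample data: three hypothetical cloud users and an HR roster.
USERS = {
    "alice": {"access_keys": 1, "policy": {"Statement": [
        {"Effect": "Allow", "Action": "ec2:*"}]}},
    "bob": {"access_keys": 1, "policy": {"Statement": {
        "Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:TerminateInstances"]}}},
    "carol": {"access_keys": 2, "policy": {"Statement": [
        {"Effect": "Allow", "Action": "ec2:*"},
        {"Effect": "Deny", "Action": "ec2:*SecurityGroup*"}]}},
}
ACTIVE_STAFF = {"alice", "bob"}  # carol has left the company

if __name__ == "__main__":
    for name, issue in audit(USERS, ACTIVE_STAFF):
        print(f"{name}: {issue}")
```
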



Tuesday, September 21, 2010

The wispy cloud

Cloud computing is the latest IT trend. Conferences are promoting it, vendors are pushing it and CTOs are buying it. Amazon EC2, Google App Engine and Microsoft Azure are the big technologies dominating it. And Gartner identifies it in their 10 Strategic Technologies for 2010. But what is cloud computing?

Spend time with vendors and you'll quickly find that the definition of "cloud" is whatever the customer wants to hear. Last year's anti-virus is this year's cloud anti-virus. Last year's FTP is this year's FTP in the cloud. Cloud seems to be the ultimate Rorschach Test, both in the real world and the IT world.

So as a new startup dealing with cloud computing, I feel that I must somehow define what cloud computing is and what it can offer. I believe that the cloud can be most concisely defined as a self-service environment for the immediate provisioning of platforms and applications, with billing being based on granular usage consumption metrics. It's very similar to your usage of electrical and telephony services, with per-minute billing and a service that "simply works".

Amazon EC2 provides a great example of what cloud computing can be. They deliver a self-service application that enables hourly rental of server time, with billing that is based solely on the CPU power and bandwidth consumed by the client. If you wish, it's possible to lease a unix machine for a single hour, turn it off, and get billed by Amazon a measly 3 cents for the service!

And our new startup... LabSlice extends the Amazon EC2 cloud to create an environment for IT and Sales Engineers to distribute and share Virtual Demos, Evaluations and POCs of their thick and thin client applications. We use the Amazon EC2 on-demand servers to host your demos in the cloud, adding workflows that enable you to easily share demo machines with your peers, business partners and prospective customers.