Consuming the Enterprise

March 26th, 2009 | by mucha | No Comments

In which the writer continues his work as a part-time, volunteer DJ at the cloud computing rave (do kids still rave nowadays, or is it called something else?)…

Let’s slay another dying beast that still has too much life in rhetorical circles:

 

“The cloud is fine for consumer stuff, but not robust enough for the enterprise.”

 

Counterexamples:

- World of Warcraft runs a million concurrent users on occasion. How many enterprise systems can handle a million concurrent users, while continuously upgrading, while running an economy larger than that of many countries, while under constant attack by organized crime? Oh, what cheap, consumer grade technology!

- The newly launched OnLive thin client gaming system promises to provide high def, real-time video across the Internet at a time when enterprises are struggling to provide local real-time video and thin client UIs with hardware-intensive in-house solutions. I want this technology at the office. I could use it today.

- My sole interaction with my bank is via the Internet. I hear tell that those financial services types know a thing or two about enterprise IT.

- Consumer shops like Amazon provide such a volume of service to consumers that they can sell cutting edge enterprise computing tools like EC2 to enterprises as mere excess capacity.

 

I like to say that a new generation is growing up on consumer cloud technologies, such that when they enter the enterprise world a decade or two from now and eventually take command of it (embrace and extend?), they’ll warm up to cloud services just fine. 

But I doubt we’ll have to wait that long.

Nobody Ever Got Fired For Buying Amazon

January 7th, 2009 | by mucha | No Comments

Short Version

  1. Those who point to serious information security issues with cloud computing are on average correct;
  2. There are other flavors of business risk which work on average in the cloud’s favor, and the past history and current state of Cloud Computing strongly suggests that this technology is fast becoming a foundational enterprise tool;
  3. Re a particular adoptee’s business risk, the devil is in the details, rather than in Industry Best Practice and averages.

Novella Version

Fill in the blank - “______________ is an enterprise fad/hype/niche because of security, audit, availability, and other enterprise risk concerns”:

  1. Unix
  2. TCP/IP
  3. Personal Computers
  4. Windows
  5. Java
  6. Linux
  7. Open Source
  8. Managed Security Services
  9. VOIP

Over and over again in enterprise IT, conservative voices cry “Nay! Too risky!”, and a year or five later, the cry becomes “why would anyone do it the old way?!” and absolutely no one will be able to point to the exact moment when we went from 0 to 1. I’ve personally suffered thru this for items 1, 2, 4, 5, 6, 7, 8 and now for VOIP, SAAS and Cloud Computing.

I’ve seen the process take years, and I’ve even seen it compacted into 6 months. I vividly recall having my co-worker, an Ernst and Young senior manager, tell me over lunch at the Latin House in downtown Miami in 1997, “You know, you keep talking about this Internet thing. I think it might be big one day, but it’ll be in 20 years or so.” He was sitting directly across from me as I enjoyed the Pollo Milanesa with the fried plantains, black beans and rice and an iced tea. 6 months later Doug had transferred out of the financial audit IT general controls team to the nascent e-commerce practice to serve as their lead ecommerce guru. For my part, I was already in the Internet Security group, and I knew as simple fact that only a foolish company would outsource its firewalls. Two years later I left Ernst and Young to - you guessed it - build outsourced firewalls for thousands of customers of Exodus Communications. Exodus peaked at a $30 billion market cap by prying enterprise IT services (46 data centers worth) out of the hands of companies that were in the habit of saying they’d never let go of such things. Exodus is gone, but the world it helped create stands. Nowadays, auditors tend not to blink when you tell them that your firewalls, and most of the rest of your security, are run by some vague group of people in other corporations in other parts of the globe. There perhaps should be more blinking, but there tends not to be, except when something melts.

Of course, there are fads and fading hypefests amidst these amber waves of technology disruption, but given:

  • the sheer volume of VC money, startups, enterprise adoption and enterprise interest in the cloud;
  • the similarities of the current hype to past waves of data center consolidation via outsourcing;
  • the steady cycles of virtualizing lower layers of technology, going back at least as far as the days when the old guard cried foul that anyone would be foolish enough to program in something so wasteful as assembly language,

I’m beginning to see cloud adoption as fait accompli.

In the olden days, the saying was “Nobody ever got fired for buying IBM.” Conservative enterprise types bought IBM when they didn’t know what else to do, and it usually worked well enough. That gave way to the company that disrupted IBM, and many of us have seen companies buy Microsoft products simply because MSFT has been the dominant player. A new round of disruption is happening, and some time in the next decade, this whole conversation will seem foolish, and conservative enterprise types will likely hold dearly to what is currently viewed as a foolish fad.

As someone said more succinctly on the Google Cloud Computing mailing list yesterday:

‘I believe that within 10 years we will look back and say, “can you believe that companies used to have to build their own data center.”’

It’s highly probable that cloud computing, and adjuncts like SAAS and PAAS, will steadily become The New Way of Doing Things for a large segment of enterprise IT. And when disruption and adoption spirals out and up in steadily broader circles, the cold fact is auditors and security types often have less power to guardrail business decisions. That’s ironic, since enterprise risk tends to be rising during such disruptive times, until the new technologies mature. If you’re in enterprise risk management, your mission is to not let you and your company become roadkill during the latest wave of technology disruption.

An analogy - if you have a lot of experience with ocean swimming or surfing, you’ll know that when you get caught in a riptide, you don’t fight the current. Rather, you go with it, because you’ll probably come out perfectly fine a quarter mile down the beach. Now, I’m trying to make a point about IT, not swimming, so the analogy proves nothing, but it’s perhaps worth a thousand words.

If you fight the riptide, your odds of drowning go up significantly. If you go with the current, your odds are best, and quite good, but you could still get really unlucky and get dragged into a nasty little coral reef.

As someone whose day job is to manage corporate risk, my role has become a notch more difficult in the near and mid terms because of the disruption of cloud and SAAS. But saying “this shouldn’t happen if you view it only in terms of information security risk” is often - on average - orthogonal to “will it happen?” That’s because there are multiple axes of risk. Consider options of:

  1. spend $400,000 capex on a new in-house replacement for that aging integration server over in the Widgets Department, which causes integrity issues upstream in a core IT system, and it’ll take you 18 months to install, during which time you’ll have to live with the integrity risk;
  2. spend $280,000 opex on an external replacement that can be rolled out in 4 months, albeit with 20% fewer non-showstopper security features?

Which version is better for the business? Which version is better for the business’ security?

Businesses have multiple risks to manage, and more so nowadays if you’ve seen the economic news. If you have to convince the decision makers that A Bad Thing Might Happen If They Don’t Listen To You, you’re going to have to get very specific and work within their risk framework, rather than pull out the usual enterprise suspects. Otherwise, you’ll lose your audience.

Right or wrong, the drive towards the cloud is still happening. The business drivers are too strong on average, and business executives have a lot of other risks to manage right now, at a time when the whole world’s economic projections have dropped by, oh, depending on who you read, about a third.

For enterprise decision makers, meaningful security risk discussions need to boil down to:

  1. business-specific malign circumstances,
  2. with reasonably specific probabilities,
  3. specific corresponding controls provided by vendors and IT, and
  4. a corresponding set of risk choices for the business.

This is hard to do even for good security teams in supportive environments. Meanwhile, the business tends to move merrily along.

Skip ahead if you’ve heard the following laundry list before, but:

- reassess what’s truly important to managing your organization’s risk. Are you just quoting from the handy Book of Best Practices, or have you identified very specific business risks with solutions you can sell to decision makers? You’re going to have to pick your battles carefully;

- are you plugged in to all those pesky departments with the big budgets which are most likely to go shopping for outside services and dump them off in IT’s lap of risk on short notice?

- have you been working with Legal, Risk Management, Compliance and The Business to define enterprise showstopper requirements which you’ll try to negotiate into every vendor partnership?

- do you have technology showstoppers defined in an accepted Enterprise Architecture Standard?

- are you ceaselessly lobbying the vendors - in vendor selection, contract negotiation, implementation, trade shows, cloud camps, blogs, etc, to upgrade their enterprise security, audit, monitoring, BCP/DR and compliance offerings?

- are you aware of the business’ strategic IT roadmap and proactively seeking out relevant vendors with good security features in their offerings, and proactively pushing those vendors towards your business buyers?

“Yes, Miss Business Line Vice President, Cloudocalypse sounds like a neat vendor partner. This cloud stuff is great. By the way, it says here they don’t support federated identity or LDAP, so that means if you choose this app in its current state of development, it’ll stick out like a sore thumb as the one major app not integrated into that enterprise SSO suite that everybody loves because everybody hates passwords. Why don’t I set up a call with Vendor’s tech team. I’m sure it’s on their roadmap. They said they’re serious about being our partner.”

Notice I didn’t mention “access control” or “policy” or “compliance” or “audit.”

These tend not to be fun conversations to have, for all parties concerned, but they’re the right conversations to have.

PS In the interest of reasonable disclosure, I own stock in AMZN. But I bought it in 1997, when I thought their whole bright future was shipping pounds of books from state to state, so make of my conflict of interest what you will. Also, I’ve been tempted to write “…For Buying Google” instead of “Amazon”, but “The Earth’s Biggest Book Store” is more of an acknowledged leadership position in clouderati circles, and I own stock in Google too, so what’s a blogger to do? I would have really liked to have written “For Buying Sun” - I’ve always had a soft spot for them - and they did put the dot in dotcom. But they forgot to get paid for it (well, Andy Bechtolsheim did angel fund Google, so that’s a fine last laugh at least for him).

PPS To all you wonderful cloud, SAAS and *AAS vendors, this is cool stuff you’re doing. But your enterprise features, the environmentals outside of your elevator pitch, the things that make us enterprise standard-bearer types all warm and fuzzy, are lacking. There’s work to be done, starting with identity and access management, and security assertion contracts, monitoring and reporting. I don’t just want to hear your sales critter say, “We’re HIPAA compliant.”

PPPS To all you wonderful old school enterprise vendors, this is cool stuff you’re doing. But your enterprise features, the environmentals outside of your elevator pitch, the things that make us enterprise standard-bearer types all warm and fuzzy, are lacking. There’s work to be done, starting with identity and access management, and security assertion contracts, monitoring and reporting. I don’t just want to hear your sales critter say, “We’re HIPAA compliant.”

Feed Speed Read #1

January 6th, 2009 | by mucha | No Comments

Ironically, I’ve been having trouble finding time to read all the articles in the Daily Cloud Feed, so I’ve embarked on a little experiment in speed reading. Read all the linked articles, took notes and formed opinions, in 1 hour, six minutes. Here’s my opinionated version of the highlights:

This Week’s Sign That The Cloudocalypse Is Upon Us

January 5th, 2009 | by mucha | No Comments

Apple’s ad for their consumer sync-your-life service jumped out at me for its cloudliness:

[Image: Apple’s ad for Mobile Me, captioned “The Cloudy World of Mobile Me”]

Note the use of the word “cloud” in 2 of the 3 blurb columns, and the central cloud image. The Cloud is now a sales tool for the world’s hippest, consumer-savviest, aluminum-friendly tech company.

And now I will commence to wax nostalgic and oversell the importance of this advertisement:

Back in the Nineties, I was a big fan of this little old thing called the Internet, before it became the bright shining series of tubes we all know and love. I would drive family, friends and co-workers to distraction by extolling the wonders of being able to communicate, share and learn over the intertubes. As I was living at the time in Florida, which is a long, long, LONG way from Silicon Valley, the omens of my vindication came in strange forms:

  • going to TGI Friday’s in Broward and seeing a stack of “Do You Yahoo?!” beer coasters on the bar. I promptly grabbed a stack of the blue ovals to take home, like Dr. Hoovey in Horton Hears A Who being excited about having some evidence that the strange world he believes in actually exists;
  • walking across the Andrews Ave/New River bridge in downtown Fort Lauderdale during one of those endless outdoor beer and fish festivals that South Florida constantly hosts and being stunned when I glanced at the bridge railing and saw graffiti which read, “http//:TYRONE”. I don’t know who Tyrone was, but from the bug in the scheme portion of his URI I assumed he wasn’t some software engineer who had been drafted into his company’s outbound marketing team. I promptly snapped a picture of the graffiti, knowing that I might not believe it myself if I didn’t have evidence.

Nowadays, the Internet is everywhere, a part of the world culture, and probably spraypainted on many bridges, but it was a strange, nerdish byway back then, so finding signs that the Internet would become a mass phenomenon was heady stuff.

So how does my Florida experience with “advertising the Internet” (not to be confused with Internet advertising) compare over a decade later with the Apple ad experience?

I’m assuming this isn’t the first example of consumer “cloudvertising.” What else is out there?

For the record, Jungle Disk’s web site doesn’t mention the cloud on the front page, the “Why It’s Better” page or the “How It Works” page.

Is this Apple ad “chicken” or “egg”? Has AAPL’s outbound marketing team concluded that their growing fanbase is savvy to the benefits of the Cloud? Or is the strategic marketing team driving this, hoping for a cloud takeover because of some presumed weakening of MSFT, etc, etc, etc?

Of course, this ad was shown within a software application, as opposed to showing up in a suburban restaurant, so it’s less of an example of a meme going mainstream.

To me, this is one more, tiny sign of the inevitability of a cloud-based world, consumer and enterprise, regardless of whether that’s a good or a bad thing. It’s assimilation all the same.

At least this time around, it’s unlikely that there will be some AOL-like moment where we wake up in horror and realize that the noobs have ruined our clouds.

PS I’m happy to receive flames from any of the 32 nerds living in Florida, as we’ve probably already met, had beers and played D&D. It’s been too long, kids.

PPS Now I’m going to go out on the San Mateo Bridge and spraypaint “Mobile Me!” on the railing.

I’m Out of That Game

August 4th, 2008 | by mucha | No Comments

Greetings from Covelong Beach in Chennai, where I will be sitting for the next 6 hours or so. *

Reading Sam Johnston’s piece on the future of cloud computing, I came to a resolution:

I don’t care what the definition of “cloud computing” is.

First, we’re operating under an aspect of “you don’t predict the future, you build it.” Better to wait 5 years and ask what the definitions are then, rather than spend the next 5 years fretting about it.

Second, definitions from the blogosphere and marketingland don’t solve enterprise and startup and consumer use cases. Taking a security example, saying “AWS is secure” or “AWS is not secure” or “AWS is HIPAA-compliant” is meaningless until it’s tied to a very specific problem/solution set. Secure against what, particularly?

The idea is that companies will have services which correspond neatly to the definitions, at which point your choices are simple and you happily start generating purchase orders, or reach for your credit card, as the case may be. But how will you tell from such a surface view which companies will actually meet your needs from the 85 others who will ultimately plaster their marketspeak with the appearance that they do the same thing as the companies that really can meet your needs?

The devil is in the details. Or the use cases, as it were.

In theory, the definition-forging process will help guide the way in the actual “building the future” process, but what I’ve seen so far has been far too muddy to be widely useful. It’s useful to give yourself something to talk about over hors d’oeuvres at a cloud computing event, but after that…

PS…not an attack on Sam’s post…just got me thinking…although I perhaps didn’t like his use of monkey analogy…

* Note to self, the next time that a previously subdued spike in craving for American food breaks over the wall and you reach for the bag of otherwise not-so-tasty Lay’s potato chips in the minibar fridge, you may want to check the bag to see whether said comfort food was even made in the US, and not, oh, Village Channo, Patiala, Sangrur Road, Bhawanigarh, Distt. Sangrur, Punjab. Not that I could tell a taste difference, rather it’s a matter of principle perhaps akin to the Japanese banning rice imports.

A Heap of App Engine Reading

July 17th, 2008 | by mucha | No Comments

The ever-reliable highscalability.com has a whole evening’s worth of detailed reading about GAE piled into one place, including lots of reallllly interesting details on the difference between BigTable and RDBMS.

Google App Engine Analyzed In Light of the Historical Shift to Utility Power

July 15th, 2008 | by mucha | No Comments

This article is ancient history by blog standards, being from all the way back in April, but it gives a start at answering a question that was hot - but ultimately unanswered - at the recent San Francisco CloudCamp. In talking about how the enterprise adoption of cloud computing would depend in large part on how risks were addressed, shifted and mitigated, analogies were repeatedly drawn to past moves to “outsourcing something critical”. Examples ranged from the more recent shift from in-house to outsourced data centers, exemplified by Exodus Communications, to more ancient, classic tech shift examples such as utility power. However, the analysis that night didn’t quite get past the “Hmm, that’s an interesting point” stage. Kirkpatrick’s post takes the next step.

Botnets vs Clouds

July 15th, 2008 | by mucha | No Comments

The question is “Can cloud computing smite down evil zombie botnet armies?”

The answer, IMHO, is “No”.

For the blissfully uninitiated, botnets are overlay networks in which compromised hosts on the Internet are harnessed up to some master command server, which orders the botnet to attack targets on the Internet, e.g. enabling a distributed denial of service attack. It’s also a popular resource management tool to marshal hosts for use by spammers. Here’s a solid backgrounder on the subject.

The core research idea - Self-Cleansing Intrusion Tolerance (SCIT) - is an interesting security research topic. It starts from the premise that there will always be some attack more sophisticated than your defenses, so every host should be assumed to be compromised over time and periodically restarted from some last known secure state. The “assume compromise” premise is realistic, if unpopular, and modern tools have now caught up with the classic security good practice of “reinstall from a day 0 backup in the event of a security compromise”: with virtualization, there’s a ready means to return to day 0. SCIT takes this to an extreme, constantly rebooting alternating slices of your virtual server farm so that any malware has only a minimal window in which to work before it is removed in favor of a fresh install.

As an aside, such an approach would require having a way to know that a virtual host is not in the middle of servicing a user (human or otherwise) connection before shutting down, or the farm will have a built-in “flakiness” quotient in which a percentage of all user connections will be intentionally broken in the name of the greater good each hour, which is not such an elegant solution for routine use.

Nonetheless, the basic idea, of taking advantage of the built-in day 0 backup inherent in virtualization on a routine basis, is sound. Viewing it as a silver bullet against botnets and worms is not.

A hearty malware infestation is moving at a much faster rate than the 1 minute reboot cycle proposed. Some malware would simply reinfest a portion of, or even all of the same virtual servers every minute, with the remainder of the 60 second window being enough to launch outbound attacks. We’re talking generally about small programs performing complete operations in chunks of a few seconds or subseconds at a time.

Restarting might even be a boon for malware writers, since they can do some damage to other hosts and then know that their tracks will disappear in a minute. And an autoreboot pattern on a large virtual farm will be noticeable remotely, and then the botnet C&C software can be modified to a) flag the autorebooting hosts as such; b) perhaps have policy-based reinfection of same (if that’s even necessary, given the speed at which infestations can move); c) and policy might include selling botnet space in an autorebooting farm as a separate service at a different rate - “1000 forensics-proof temporal zombies for $49.95!”.

Computer installations all tend towards collecting cruft over time, with malware as a malicious and extreme form of cruft. Virtualization offers the convenient opportunity to periodically clean out the crap from a system, including the evil variants, so the general idea of regularly dropping back to a known good version is worth exploring. It’s already being done on the client side in the world of thin clients. But the bots will adapt and propagate happily onward…
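A small model of the rotation described above, as an added example that is not part of the original post or of the SCIT research. It simulates a farm whose slices are reverted to their day-0 image on a fixed cycle, with a drain window so a host stops taking new sessions shortly before its own revert (the aside about not cutting off users mid-connection), and counts how much of the time the attacker still holds an armed foothold. The function `simulate`, its parameters and the attacker model are all constructed assumptions for illustration: the outside botnet re-lands on a clean host a fixed number of seconds after its revert, and the implant needs a further fixed delay before it can launch outbound attacks. The numbers it produces make the two points above concrete: with a 60 second cycle and a 5 second time-to-compromise the hosts are armed roughly 87% of the time, skipping the drain window drops a visible fraction of client sessions at every revert, and only a cycle shorter than the attacker’s re-entry time drives the armed fraction to zero, at which point no 8 second session can complete at all.

```python
"""Discrete-time model of a SCIT-style rotating virtual server farm.

Added example, not code from the original post or from the SCIT researchers.
All parameters are constructed assumptions: a deterministic attacker that
re-compromises a freshly reverted host after a fixed number of seconds, a
fixed "arming" delay before the implant can fire, and randomly arriving
client sessions so the cost of reverting a host mid-session can be counted.
"""
import random
from dataclasses import dataclass


@dataclass
class Stats:
    host_seconds: int = 0      # host-ticks simulated
    infected_seconds: int = 0  # host-ticks in which a host carried the implant
    armed_seconds: int = 0     # host-ticks in which the implant could attack
    reverts: int = 0           # clean-image restores performed
    served: int = 0            # sessions that ran to completion
    dropped: int = 0           # sessions killed by a revert
    rejected: int = 0          # sessions refused because every host was draining

    @property
    def armed_fraction(self) -> float:
        return self.armed_seconds / self.host_seconds

    @property
    def drop_rate(self) -> float:
        total = self.served + self.dropped
        return self.dropped / total if total else 0.0


def simulate(n_hosts: int = 12, slices: int = 4, rotation_period: int = 60,
             time_to_compromise: int = 5, time_to_arm: int = 3,
             conn_prob: float = 0.5, conn_len: int = 8, drain_window: int = 8,
             ticks: int = 3600, seed: int = 1) -> Stats:
    """Run the farm for `ticks` one-second steps and return the counters.

    Slice k of the farm is reverted to its day-0 image every `rotation_period`
    ticks, with the slices staggered evenly so one slice restarts every
    rotation_period / slices ticks.  A host stops accepting new sessions
    `drain_window` ticks before its own revert; whatever is still open when the
    revert happens is dropped.
    """
    if rotation_period % slices:
        raise ValueError("rotation_period must be a multiple of slices")
    rng = random.Random(seed)
    stagger = rotation_period // slices
    # age[i]: ticks since host i was last reverted, with staggered initial phases
    age = [rotation_period - (i % slices) * stagger for i in range(n_hosts)]
    open_conns = [[] for _ in range(n_hosts)]  # per host: end tick of each live session
    stats = Stats()

    for t in range(ticks):
        # 1. Revert every host whose clock has run out; its live sessions die.
        for i in range(n_hosts):
            if age[i] >= rotation_period:
                stats.reverts += 1
                stats.dropped += len(open_conns[i])
                open_conns[i] = []
                age[i] = 0
        # 2. Retire sessions that finished this tick.
        for i in range(n_hosts):
            stats.served += sum(1 for end in open_conns[i] if end <= t)
            open_conns[i] = [end for end in open_conns[i] if end > t]
        # 3. Offer a new client session to a host that is not yet draining.
        if rng.random() < conn_prob:
            ready = [i for i in range(n_hosts)
                     if age[i] < rotation_period - drain_window]
            if ready:
                open_conns[rng.choice(ready)].append(t + conn_len)
            else:
                stats.rejected += 1
        # 4. Attacker accounting: the botnet re-lands on a clean host
        #    time_to_compromise ticks after its revert and can attack
        #    time_to_arm ticks after that.
        for i in range(n_hosts):
            stats.host_seconds += 1
            if age[i] >= time_to_compromise:
                stats.infected_seconds += 1
            if age[i] >= time_to_compromise + time_to_arm:
                stats.armed_seconds += 1
            age[i] += 1
    return stats


if __name__ == "__main__":
    for period, drain in ((60, 8), (60, 0), (4, 0)):
        s = simulate(rotation_period=period, drain_window=drain)
        print(f"rotation={period:>2}s drain={drain}s: armed {s.armed_fraction:.0%}"
              f" of the time, dropped {s.drop_rate:.0%} of sessions,"
              f" rejected {s.rejected}")
```

The armed fraction for a single host is simply (rotation_period - time_to_compromise - time_to_arm) / rotation_period, which is the whole of the post’s objection: the reboot cycle only helps once it is shorter than the attacker’s re-entry plus arming time, and at that point the farm is reverting so often that it cannot finish serving anyone.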

Erlang in the Cloud

July 4th, 2008 | by mucha | No Comments

There’s a lot of debate about how much can be abstracted away by “the cloud”, but on the other side there is always a concrete implementation to create a service. Here’s an interesting case study around a highly scalable consumer SAAS application - Facebook’s Chat service. The article is a bit older (May), but it’s still timely, in showing how the choice of implementation language matters in architecture. And Erlang is one of those programming languages that usually only comes up in rarefied telecom circles or when software engineers want to demonstrate that the feathers in their plume are brighter than others. Seeing it outside of its normal hiding places and showcased on a stage like Facebook is interesting in its own right.