Cloud Computing Security archives - The Troposphere


Jun 18 2009   7:48PM GMT

Amazon EC2 zap smash: everyone’s cool with it



Posted by: Carl Brooks
Amazon EC2, lightning, availability, Cloud computing security, Verizon, CaaS

In hindsight, the lightning-strikes-Amazon-data center story is a tidy little example of a nu-media bubble. Someone should make a graph of the coverage indexed by hysteria, outrage, maniacal prophecy and supposition and tweet it or something.

Having now had a nice talk with real live Amazon people, it seems they are treating it mostly as a public relations problem, and the real issue is transparency.

You see, for Amazon watchers, the Holy Grail is to find out exactly what and where Amazon’s servers are. But Amazon isn’t keen on handing out details, likely because the reality is messy and because they might be making it up as they go along. Those Amazon watchers might want to relax. Sure, Amazon is a going concern, but it doesn’t have the kind of scratch or incentive to re-invent the wheel server like Google or Microsoft do.

Further hurting Amazon’s cause is that most hosting companies are more than happy to tell you what they run. Verizon, for instance, recently boasted about its new “CaaS” hardware. Pricing also starts at $250/month, and that’s before you fire up a single server.

Amazon is trying to run away from that game and focuses on delivery. But after a certain point, people do really care about the nuts and bolts, since unlike semi-durable consumer goods, an EC2 instance is an ongoing concern, and users want to understand how their application is staying up (I know — so last century, right?).

I did have a chance to ask about Amazon’s hush-hush data center facilities. I didn’t get much more than a general admission that “Availability Zones” are usually located in different data centers, and that there are four in the US as of June 9. Amazon was also apparently startled to discover that one facility had electrical exposure to the Great Outdoors. That’s still progress. Hopefully, there’ll be more. I’m waiting, and I know lots of others are as well.

May 4 2009   8:58PM GMT

Cloud Security Alliance in favor of open standards; regulatory agencies to feel economic pressures to open to cloud



Posted by: Carl Brooks
Electronic Health Records, Cloud Security Alliance, Cloud computing security, cl

I had a very interesting conversation with Nils Puhlmann, a co-founder of the Cloud Security Alliance. It was originally about the DMTF initiative for open standards, but it went out and about a bit; here are three nuggets that I was interested to hear about:

Security: Puhlmann is of the opinion that a) as much transparency as possible would have direct benefits to cloud providers, since “If you do everything well, why would you not want to show your customer?”

He feels that customers would actually be more likely to buy into vendors that could show best-practice security under some kind of standards model, since it would free customers from glacially slow and costly audits and testing; enterprises could buy into a public cloud without a hitch under the right conditions (read: bomb-proof security standards), and b) “within 12 months we will see many things in cloud security that will have completely failed,” either through backing the wrong horse in terms of security model or through market forces that ebb away from a chosen track.

He thinks that consensus on cloud security will emerge in baby steps as the marketplace learns what works and what doesn’t and what pays off and what doesn’t.

Compliance: Puhlmann says, “What we see for some companies,” that have regulatory oversight, “are compliance rules that rely on the notion that you have complete control over your data,” which, if you are using public clouds, is patently untrue.

But enterprises want to use public clouds, and small and midsize companies that interact with regulated agencies will want to use them too; Puhlmann points out that the $19B Electronic Health Records initiative, for instance, is “simply not going to happen without cloud” technologies.

FIM: Puhlmann raises hopes of a universal federated identity model, since as data gets more and more distributed, “a good federated identity standard would provide the means to track and control who has access to your data across private enterprise and the public cloud.” He believes it’s a problem that remains unsatisfactorily addressed, cloud or no cloud, but this drive toward IaaS might provoke a more catholic solution.

And the long and short of addressing a lot of these concerns lies in the hands of the agencies that regulate so much of the data about us personally.

Puhlmann thinks that dollars and sense are going to come to a head much quicker than many anticipate, since the poor economic climate is driving an awful lot of fence sitters off the palings and into the clouds, and then, “economic pressure will become so immense that regulators will have a big lobby standing behind them to force them to act,” to catch up to cloud technologies and enact regulations that allow controlled data to exist in public cloud infrastructures.

And who am I to doubt him? A reporter, so of course I doubt him, and this is well-considered analysis, not factual reporting, but from a common-sense perspective, everything he says holds water, and it’s going to be terrifically interesting to see what happens when the cloud rubber meets that federally regulated road.


Jan 22 2009   8:10PM GMT

VMware touts benefits of private cloud computing, VDC-OS



Posted by: Bridget Botelho
vCloud, VMware, Amazon EC2, internal cloud computing, Cloud computing security

VMware, Inc. is on a mission to show companies that they can get the benefits of cloud computing without handing their mission-critical applications over to an outside provider; with the upcoming Virtual Data Center-Operating System (VDC-OS), IT will be able to create secure, private cloud environments.

The yet-to-be-released VDC-OS represents the evolution of the VMware Infrastructure; the platform, which is due for release sometime this year, will transform traditional data centers into internal cloud environments. The business case for creating a private cloud is less complexity in the data center; software like VDC-OS will virtualize and automate systems to the point that there is less ‘knob turning’ and more time spent on tasks that improve business, said VMware Sr. Director of Product Marketing, Bogomil Balkansky.

“Too much of IT budgets are spent on management tasks and keeping the lights on, instead of on tasks that actually improve business,” Balkansky said. “Infrastructure complexities should not get in the way of this, but they do.”

While external clouds like Amazon EC2 offer the same benefits as internal clouds, VMware is betting that large enterprises won’t send their mission-critical applications outside the four walls of their data centers to these providers. Instead, they will want to create private cloud compute infrastructures using software like VDC-OS.

“There are security challenges with public clouds; enterprises don’t trust [outsiders] with their customer and financial data,” Balkansky said. “We want to transfer the notion of cloud computing to internal data center operations.”

VMware is also hosting a webinar on January 29 about Internal Cloud Computing, if you want to hear more on this.

Balkansky said private cloud computing environments will gain traction in large data centers, but that could just be a self-serving prophecy. After all, most public cloud providers won’t pay for VMware software and use free and open source Xen instead; hence, VMware has no place to go but within the enterprises that already know and love VMware.

While VMware is on a private cloud advocacy mission, as the largest virtualization provider on the planet, it can’t ignore the need to play well with public clouds. That’s where VMware’s vCloud initiative comes into play; it will eventually allow VMware users to move their virtual machines on demand between their datacenters and cloud service providers, and over 200 partners have signed up to support vCloud so far, Balkansky said.