Is Secure Clouds An Oxymoron ?


Of late, I am working on the cloud security mechanisms from multiple vantage points:

  1. Cloud Security mechanics for the provider interface between a Cloud Service Provider and a Cloud Service Consumer (including various brokers)
    • Protocols, elements et al as part of the DMTF Cloud Incubator wg. Our white paper will explain a little further on the architectures
  2. Embedding Cloud Security in the network, leveraging various network capabilities – available now and in the future
  3. Cloud Analytics for compliance reporting and forensics
  4. And finally, a comprehensive view of Cloud Security
    • On this front, I did a guest lecture [Is Secure Clouds An oxymoron?] at the Naval Postgraduate School, Monterey
    • My aim was to facilitate and provoke discussions than suggest any solutions – the deep discussions will come later …
    • The room was full, excellent audience, lots of participation and some very good questions …

I will write more on this topic, especially #1. There is good amount of work happening in the Cloud Service Provider <-> Cloud Service Consumer front …

And we are starting to prototype the Cloud OS/APIs with extended semantics (including interface into our own UCS compute and policy plane) in our Cloud Concept lab (in Ruby!).

I believe that Cloud Security would be more robust if we can interface *natively* from the Cloud OS layer, with the network, compute and  storage control/management/policy planes …

Cheers

<k/>

When is SaaS a Cloud SaaS ? Let us hassle with the (C)Hoff !


Fellow comrade Chris Hoff has an interesting blog post on what exactly is a Cloud SaaS. Me thinks most of his points miss the mark. Let me elaborate -

  • The dominant aspect of a Cloud eco system is the interface between the Cloud Service Provider & the Cloud Service Consumer – how the system is implemented is irrelevant
    • In Chris’s view “If a SaaS offering is not built upon an IaaS/PaaS offering ” then it shouldn’t be qualified as Cloud
    • He quotes NIST’s definitions as one authority.
      • While NIST has done a good job overall, I have a few problems with NIST’s definitions. They are not as crisp and crunchy in many places
      • Second, I am not that fan of prescriptive definitions. Definitions evolve
      • And finally Chris, later in the post, confuses definitions with requirements.
      • NIST’s work is a set of definitions not requirements.
    • Going back, the major advancement in the Cloud model is the independence from, abstraction/frangibility of the infrastructure from the offering.
    • In short one cannot define a cloud in terms of the infrastructure it is running, but define in terms of the interface, usage and programming model it offers
  • Even when we add other actors like Cloud Service Developers, Cloud Service Brokers and Cloud Service Aggregators, the picture does not change. In fact extending the actors make the argument (that clouds are instance agnostic) more stronger.
    • For example a Cloud Service Broker can provide a Cloud Consumer Interface and under the covers wok across different implementations from different service providers
  • Which brings us back to Larry Ellison’s question “What the he** is this Cloud Computing”? (Thanks Chris for the link and the question)
  • I had, in an earlier post, iterated the essential traits of Cloud Computing
    • In this discussion, it is the elasticity, multi-tenancy and the pay-as-you go model that make a SaaS part of the Cloud eco system
  • Chris is a little concerned about re-branding “old-world” services as Cloud Offerings. I am not. The Cloud Computing is a way of doing business, a model per se. There is no temporal aspect to it – i.e. if we were doing elasticity, multi-tenancy and so forth, years ago and didn’t call it Cloud then, doesn’t mean we cannot call it cloud now !
    • A Cloud by any other name …
    • Cloud is a moniker, an attribute of a service offering
    • Naturally the major argument is “if a Service Provider is implementing a CRM for multiple companies as separate instances (rather than a single multi-tenant instance), is it a Cloud ?
    • If an offering has interfaces like a Cloud, if we can pay for usage like a Cloud, if we can expand (or contract) usage like a Cloud and if many companies use the service like a Cloud, let us then call it a Cloud (irrespective of what is under the covers …)
  • Finally let us take the specific example of MX Logic and explore if their service offerings fit the Cloud moniker
    • Their e-mail archiving service is elastic, multi-tenant and pay-as-you-go. FIts the Cloud moniker (An I do not care how they implement it)
    • I agree that their e-mail filtering does not seem completely like any “accepted” Cloud services
    • But if you read thru their solution brief, it has all the thrills and chills of a cloud offering viz. no hardware, no licenses, no dedicated management et al
    • Well, it is not AWS but then the Cloud moniker is not restricted to AWS either, it is much more than that …
    • In short, Yes they do (and they can ;o)) , and I rest my case (and start the hassle ;o))

I have a few more thoughts, will update as I get time  … We are off to Alaska till the 17th … so need to pack …

And Of course, thanks to Chris for raising this topic – the overarching concepts are very important because they influence our view, the architectures we develop and  …
Till then … Don’t trouble trouble when trouble troubles you …
Cheers

<k/>

Marc Andreessen with Charlie Ross – Innovation, mobility, Social Media & Viral platforms


A very informative interview – Charlie asked interesting questions and Marc has equally insightful answers & discussions.

Video and full text at http://seekingalpha.com/article/121915-marc-andreessen-on-charlie-rose-internet-and-new-media-companies

For the attention challenged my bullet notes:

  1. Future of news papers

    • Two words – kill it ! Stop Printing newspapers !
    • Fundamental structural change happening in the newspaper business. It is happening in all branches of the media industry but the newspaper is at the front
    • Investors have seen thru the transition. But the industry is still trying to survive.
    • An interesting analogy : Chronic pain vs acute pain – How many years of chronic pain vs one year of acute pain for transition ;o)
    • Acute pain will be acute but inevitable. But need to build for future.
    • Wrote a blog New York Times deathwatch ! “What is with you & NY Times ?” Charlie asks. Blog post no longer there
  2. Social Media Industry

    • Facebook: Facebook 175 million users, half of them use it every day; many use it 50 times a day. On its way to 500 million users !  Mark is on the board of directors. 135 million active users  equates to 6th most populous country in the world !
      They are taking a more organic growth model if they had taken the normal advertising, they would make been over a billion dollar in ad revenue. Facebook has tremendous potential for example could monetize the home page just a question of how they choose to extract the value. They want to build a long term business, eyes way on the horizon and big vision (to connect everybody on the planet (what about beyond?))
    • Ning: Ning has crossed 20 million users adding 2 million users a month. There are a million social networks on Ning !
    • YouTube, Facebook et al – under-monetized assets
    • Twitter as a real-time electronic nervous system – says you could twitter when a plane lands in water. May be people did, but I wouldn’t be twittering if my plane crash landed on water ;o)
      Story of twitter – Evan Williams had a podcasting company ; raised ~3.5 million; didn’t succeed and returned all (Evan made up the difference!) Twitter was a side business at that time, it took off. So they changed focus, closed the podcast operation and focused on Twitter
    • Social networking is here to stay and it’s potential is just beginning. Marc is big on “viral” applications
    • The Obama campaign employed the social networking approach and philosophy as the engine for fund raising, volunteer coordination
    • Viacom suing YouTube wrong strategy – They should be using it to distribute their videos ! Every time there is a Viacom video in YouTube, there should be a buy button! Distribution channel that bring traffic to their properties !
      Napster – 20 million people showed up. If music industry had a buy button they would have been successful. When people line up, find a way to monetize it
  3. Innovation

    • More opportunity than ever before – Cascading effect – every new layer of technology makes another layer of innovation possible and that keeps rolling
      There is an interesting discussion of Intel’s transformation from a memory chip maker to a microprocessor maker in around 1985; was not an obvious bet to make, but they had to do it to escape the overhang of Japanese memory makers who were crushing Intel.
    • Innovation Cycle: Silicon graphics was out of business due to Intel’s microprocessor and that freed up engineers to work on nVidia/ATI which in-turn is posing challenges to Intel in video and graphics business
  4. Mobility, iPhone & the new landscape

    • Usually people talk about a new idea for long time, finally the technology comes together and the thing takes off – internet in ‘95 is an example, mobile is in that stage now
    • iPhone is a template every other vendor will copy. For first time iPhone real os, sdk and an application delivery infrastructure – 1st time all of these over a fast network
    • iPhone itself is fantastic – beams from the future as Marc characterizes it – and inspired a lot more creative thinking around it
    • He mentioned an investment of his Qik [http://qik.com/], where any phone can be the source of live streaming video to any device or other phone; will be very effective as phones with HiDef videos capability in 2 years
  5. The Magic Business

    • Bill Joy once said : some products have the “it works” feature !
    • There were more than thirty-five search ventures before Google; but Google search really worked in terms of the core technology plus they unlocked the ad business model.
    • Marc characterizes this as the “Magic Business” which happens once in 10 years or so – Cisco was a magic business, intel was one, so was Microsoft and even Amazon. With Magic Business, one goes for scale and size. People had written AMZ off in 2002, but Bezos had the fortitude and foresight to stick with the long vision
  6. New form factor

    • Marc believes Kindle is the new form factor along with iPhone and netbook; each with a different but effective purpose.
    • Kindle is the web-pad, a 7” form factor, the next opportunistic screen size which people will for video, telephony and conferencing.
    • Most probably the next new product from Apple would be this 7” e-Book, conference, web appliance !
  7. New VC Firm with a slightly different focus

    • Marc is starting a new VC fund with Ben Horowitz. They have invested their own money in the last 3 years in 36 companies
      They focus on smaller companies – 100K-200K; may be 500K to million. Marc is of the opinion that a whole generation of startups do not need very much money (“very much” defined as  200K – 1.5 million)
    • His new VC firm’s name – Andreessen Horowitz ; can be a law firm or a vc firm! Abbreviates to A to Z and will get listed first in yellow pages – could be a good name for a tow truck business as well!
  8. Impact of the recent economy related challenges

    • During the 2001 recession, we were the nose of the dog , this time we are the tail. Companies on valley do not generally run on debit financing and so affected the least. But the big recession will impact salesSilicon Valley will be the tragic beneficiary from damage in other industries – like banking et al
    • <KS>
      • I thought the discussion on new types of banks was a little asymptotic but the concept of new way of just-in-time credit scoring and credit provisioning by Bill me Later is interesting.
      • On a tangential discussion, Marc was referred to “Good Banks, bad banks and ugly Assets” and ideas by Paul Romer
    • </KS>
    • Innovation will continue tons of innovation will be bottled up in the next 5 years. Companies like Google, YouTube and Facebook developed thru the last bust. Look for return in 7-10 years from today’s funding.

Updates

  1. Good Comments. Thanks.

A Berkeley View Of Cloud Computing : An Analysis – the good, the bad and the ugly


I read thru the technical report from UC Berkeley, Above the Clouds: A Berkeley View of Cloud Computing with interest. My analysis:

<summary>

  • As an undergrad work on cloud computing, the paper gets an A+. But as a position paper from eminent academics, I can only give a C-. Granted it correctly identifies many of the trends and obstacles. But that material is widely available !
  • With a title “A Berkeley view of cloud computing” the report misses the point. “A Berkeley observation…” is more like it – view requires original thinking and interpolation, which the report lacks.

</summary>

<the_good>

  • The authors got some of the essentials of Cloud Computing right viz: infinite capacity, no up-front commitment and pay as you go.
  • The three classes viz: amazon , Microsoft and the Google model is interesting. But there are more in-between.
  • They have some good points on the cost advantage of power et al and leveraging that aspect by building datacenters at the appropriate locations.
  • The new application models viz. analytics, parallel batch processing, compute-intensive desktop applications and so forth are excellent observations.
  • They have done some good work in characterizing elasticity. Pages 10 and 11 are good read – the models are very simplistic, though.
  • They also have done a good job in showing the economies of scale that can be achieved by a cloud computing infrastructure.
  • I like their assertion that “there are no fundamental obstacle to make cloud-computing environments secure as well as compliant to data and processing rules. Declarative policy and enforcement thereof is my answer.
  • They have correctly identified scalable storage as one of the bottlenecks. The BigTable(Google), Dymo(AMZ) and Cassandra(facebook) all are solutions for the challenge.

</the_good>

<the_bad>

  • But, they got the model wrong ! The essentials of Utility Computing is the consumption model not the payment model. No doubt the pay-as-you-go model is attractive to startups, but the payment model is the second order effect. For enterprises and other organizations, the value proposition is the elasticity and the just-in-time availability of resources.  Even for startups the pay as you go is attractive but elasticity is much more important.
  • Argument about increase in performance and resultant cost reduction. This just Moore’s law and it is achievable within IT environments as well as a cloud computing space. I think computers are on a 5 year amortization schedule and depreciation. And a refresh can be done – with associated efficiency whether they are a cloud provider or an IT shop.
  • I think the major disconnect in the paper is the basic definition of a cloud as public. The artificial separation of public/private clouds and the focus on payment were the two areas where their definition has gone awry. Cloud is an architectural artifact and a business model of computing. But clouds are clouds – internal or external, public or private. The internal vs. external is only a spatial artifact – which side of the firewall. Not worth a demarcation when we talk about the domain of cloud computing.  Which side of the internet (firewall) does the cloud infrastructure lie, should not be the criteria. By their definition, they have disenfranchised the whole set of clouds inside organizations. The internal-external cloud integration across data, management, policy and compute planes is an important topic which this model conveniently skips. Also as I mentioned earlier, utility is the consumption not a payment model. A big organization can have a cloud computing infrastructure and it’s business units can leverage the elasticity – no need for a credit card, a charge back model will do.

</the_bad>

<the_ugly>

  1. I really didn’t get the “statistical multiplexing” they mention a few times. What exactly is this and what is the relevance ? Just a buzz word to jazz up the paper ?
  2. I literally got lost in their characterization of DDoS attack and the cost models there of on P.15. Really convoluted and it does not change for traditional vs. cloud. They found a break-even point for DDoS attack based on very slim assumptions.
  3. I do not think the data transfer bottleneck, as described in the paper (P.16), is an issue. Who is going to transfer 10TB of data routinely for cloud processing ? Looks like a force fit for some calculations done by someone.
  4. The report has no useful tables or equations. Equations 1 and 2 (which are the same, btw) are not right – in thesense that the datacenter cost includes the utilization and I do not think we need to accommodate for it additionally.
  5. I am sorry to say all the cost models and the equations look forced and very unnatural. Even the assertion of 1/5 to 1/7 cost advantage of a datacenter is at best questionable.No value what so ever – sorry folks

</the_ugly>

Updates:

  1. Good comments. Thanks folks.
  2. James Urquhart has an excellent blog on the subject. Thanks James. He is more generous than me ;o)
  3. [Feb 19,2009] Blog from GoGrid – good analysis