The Cloud in HP’s Cloud (Part 2): HP Discover, the Enterprise and AWS Cloud

Last month I attended HP Discover (disclosure: my participation was funded by Ivy World). The IT war has already started; however, HP stands still, not taking the initiatives and real risks that true leaders should take. At the three-day conference I learned why some companies don’t last and why this IT giant is at great risk of losing in this new-era IT battle. This is a story of a lasting company that might have already lost.

> > > HP’s Washes the Cloud

The IaaS Management Market: Evolution, Vendors and More

A lot has already been said about false cloud use, where the IaaS platform is utilized as a hosting extension of the IT organization’s data center without taking advantage of the elasticity benefits to generate a cost-effective and scalable IT operation. Using a public IaaS, whether it is Amazon, Rackspace or any other vendor, means using a highly dynamic environment which presents increasing complexity and hence loss of control. Checking the list below, I can say that cloud control (including all its layers: IaaS, PaaS and SaaS) basically contains the same aspects as good old system management.

What is “System management”?

“refers to enterprise-wide administration of distributed systems including (and commonly in practice) computer systems.”

“System management may involve one or more of the following tasks:

  • Hardware inventories
  • Server availability monitoring and metrics
  • Software inventory and installation
  • Anti-virus and anti-malware management
  • User’s activities monitoring
  • Capacity monitoring
  • Security management
  • Storage management
  • Network capacity and utilization monitoring”

Read More on Wikipedia

Developers are from Mars

The three layers of cloud computing, IaaS, PaaS and SaaS, occupy the headlines, with significant capabilities undergoing continuous improvement to host services in the cloud. This growing market is slowly changing so that the offered services will become generic. The current evolving struggle is the deployment and management of SaaS applications in the cloud; Gartner calls this portion of the cloud market SEAP (Software Enabled Application Platforms). We will dare to say that developers are from Mars and cloud providers are from Venus. Let us explain in detail why.

A SaaS application developer builds the application architecture, including the database system, the business logic and the user interface. The software developer (or the SaaS vendor, for that matter) invests in building these three main infrastructure cornerstones in order to bring the business idea to life and launch a new online service.

Traditional software delivery puts the responsibility for deployment and maintenance in the hands of the customer. In contrast, a key part of the SaaS model is building the infrastructure wrapper that meets the requirements for delivering the software as a service. The change from the licensing model is that the SaaS vendor (the developer) is also the integrator and is responsible for supporting standards by adopting the technologies that make the software a service.

The most popular example is support for multi-tenancy. This feature enables the scalability needed for extensive SaaS sales and effective maintenance on the non-physical infrastructure. The virtual infrastructure brings a higher level of complexity, which requires additional means of maintenance. This complexity intensifies as the number of customers grows, hence the demand for more cloud capabilities and resources.

Developers use existing frameworks that enable short and efficient development, such as .NET provided by Microsoft or Ruby on Rails brought by the open source world. Software architects already understand that application multi-tenancy is a part of the system infrastructure that enables scalability, but is that enough to make an application a service? The answer is no; there are more considerations the developer needs to bear in mind when planning the architecture of software as a service.

Why Multi-Tenancy?

In order to plan the development of robust and automatic scalability, the software architect must understand the dynamic nature of the cloud, that is to say the basic option to start and shut down resources automatically. The software vendor should pick the IaaS vendor as part of the initial development step, learn the IaaS platform’s API capabilities and make sure that the development roadmap also includes a tight integration with the cloud facility. The IaaS platforms on offer are still young, and deployment automation is still limited due to infrastructure barriers. Most IaaS platforms don’t provide convenient tools to deploy the application, so the SaaS vendor is forced to invest in purchasing existing tools or even to implement them independently. Today we still see vendors that are not aware of these requirements, as these are not purely application-oriented but operations-oriented.

Learn how to Scale IT – an article by CloudInsights.org

Check out I Am OnDemand terminology page and learn more about the four levels of Multi-Tenancy.

Another aspect of the SaaS development discussion is the option to build the system on a PaaS. There is a good number of PaaS manufacturers that offer products that enable development capabilities as a service and thereby solve the developer’s need to maintain a scalable service as described above. We can divide this group of products into the following two categories:

  1. Objects as a service – force.com is an example of such a vendor. The developer buys the option to use the out-of-the-box software objects to implement a new application.
  2. Runtime and database as a service – here we can mention platforms such as Heroku, Google Apps and MS Azure.

Gartner predicts growth in the number of platforms that provide the wrapper for the web development of new and existing applications. These platforms have already taken a significant part in the cloud evolution. The number of PaaS providers grows while the existing vendors continue to extend their on-demand tools portfolio, enabling a wide range of services for operation, management and distribution of SaaS applications.

Learn more about the PaaS market

Besides the system scalability issues presented here, there are many more “developing for the cloud” considerations, such as integration, developing for optimal resource utilization, and SaaS development on fast-changing cloud platforms. Check out Cloud development: 9 gotchas to know before you jump in, an article brought to you by InfoWorld.

The relationship between the actual application development and the operational side of the application becomes stronger. While the SaaS vendor’s board should think about all the strategic aspects of cloud adoption, the vendor’s software architect as well as the product manager should think “out of the application box” to be able to deliver their product as a service.


Special thanks to Amit Cohen, who raised this discussion and took part in composing this article. Cohen is an experienced SaaS & Cloud computing consultant for the enterprise who held executive positions at several international software vendors over the last 10 years.


The Cloud Security Part 1: For Dummies

From an attacker’s perspective, cloud providers aggregate access to many victims’ data into a single point of entry. As cloud environments become more and more popular, they will increasingly become the focus of attacks. Some organizations think that liability can be outsourced, but no, and I hope that we all understand it cannot. The contract with your cloud vendors basically means nothing; the ISVs, or should I say the `SaaS providers`, still hold the responsibility, so rather than focusing on contracts and limiting liability in cloud services deals, you should focus on controls and auditability.

“Dropbox, … deceived users about the security .. The FTC complaint charges Dropbox with telling users that their files were totally encrypted” (Wired Magazine)

The cloud customers, from the ISV that uses Amazon AWS to the small business that uses online tools, all the way to the end users, have become pretty smart and hence very careful with the security of the online services they use. Users today are able to perform basic security examinations of a system, such as checking the quality of the SSL encryption, or even to execute the enhanced tests of a system’s security roots that are done by the enterprise customers of the service providers.

The economies of scale allow the IaaS vendor to induce specialization which allows the dedicated security team to concentrate exclusively on the security issues. The uniformity, homogeneity and the resiliency of the cloud computing facilitate platform hardening and enable better automation of security and disaster recovery procedures.

ISVs and IT organizations that deliver web applications to any endpoint device, such as smartphones and tablets, actually concentrate all the data in the cloud and thereby protect the data of stolen and lost devices.

Mark Bregman, CTO of Symantec, points to five important guidelines enterprises should consider as they reshape IT policy to enable mobile devices to function seamlessly and securely in the cloud.

Together with the benefits, we can point to the cloud’s weak points, such as the system complexity built from shared multitenant layers and the fact that hackers know exactly where the data is stored. With cloud computing, a task that can take several days to run on a single computer will take only minutes to accomplish on a cluster of hundreds of virtual machines. Because cryptography is used widely in authentication, data confidentiality and integrity, and other security mechanisms, these mechanisms become, in effect, less effective with the availability of cryptographic key cracking cloud services. Such a case happened this year when servers owned by Amazon were used as a staging area for the hack that crippled Sony’s online entertainment network, according to a source quoted by Bloomberg.

Key Security and Privacy Issues

There is no doubt that the biggest obstacle in the cloud computing market these days is security. Once security breaches are discovered, there is an immediate and severe negative impact on the service’s reliability and hence on the ISV’s business. The following list, presented in the NIST report, highlights privacy and security related issues that are believed to have long-term significance for cloud computing.

Source: Guidelines on Security and Privacy in Public Cloud Computing / by NIST

1 – Governance – Policies and procedures for privacy, security, and oversight could be overlooked and the organization put at risk.  Audit mechanisms and tools should be in place to determine how data is stored, protected, and used; to validate services; and to verify policy enforcement.

2 – Compliance – Compliance involves conformance with an established specification, standard, regulation, or law. Various types of security and privacy laws and regulations exist within different countries at the national, state, and local levels, making compliance a potentially complicated issue for cloud computing. The ISV or IT organization must scrutinize its customers’ legal requirements together with its cloud vendors’ compliance. As an example of IaaS compliance, you are welcome to check the up-to-date Risk and Compliance (May, 2011) published by Amazon AWS.

The most widely known are the ISO 27001 standard and the SAS 70 audit statement. There are also specific standards for government organizations (FISMA, NARA) or for a specific industry, such as HIPAA or PCI DSS.

4 – Trust – The SaaS vendor (developer) relinquishes direct control over many aspects of security, so the cloud vendor should be chosen carefully, bearing in mind that the IaaS and PaaS providers have inside access to the system, including their employees, contractors and other parties that have received access to an organization’s networks, systems, and data to carry out operations. There must be tight collaboration among the cloud providers in the IaaS and PaaS layers, but this doesn’t reduce the SaaS vendor’s responsibility to make sure that these arrangements are disclosed before closing the agreement with the different cloud providers.

3 – Architecture – The architecture of software in the cloud comprises hardware and software. The NIST report provides more details about the different layers that need to be protected:

  1. The `hypervisor` or the virtual machine software.
  2. The virtual network including software-based switches and network configurations
  3. Ancillary Data – cloud providers hold significant details about the subscribed accounts as well as the stored virtual machine images data.
  4. Application security in both client side and server side.  

4 – Identity and Access Management – Data sensitivity and privacy of information have increasingly become an area of concern for organizations, and unauthorized access to information resources in the cloud is a major concern. On this matter you will find market standards such as SAML for identifying the user and XACML for controlling access to resources. There are today many initiatives and startups that deliver tools for access management and user provisioning for SaaS systems. One that I liked was mentioned in one of my past posts – Symplified, whose products provide the enterprise with universal single sign-on that works across the SaaS systems that serve the enterprise users.

5 – Data protection – Data isolation is one of the major security issues raised by potential SaaS users and customers. Data isolation basically means that a specific subscriber (user) will not be able to browse to other tenants’ data using the shared environments. Data protection also includes strict procedures when storage is moved or backups are kept. Data must be secured and encrypted while at rest, in transit or in use. Standards for communications protocols and public key certificates allow data transfers to be protected using cryptography.

6 – Availability – Availability has always been under discussion, and since the Amazon failure last month the discussion is even more intense. The level of availability, and hence the reliability, of a cloud vendor should be examined carefully, including its capabilities for backup and recovery, to ensure the recovery and restoration of disrupted cloud services and operations. The SaaS vendor should also plan its own disaster recovery using alternate services, equipment, and even offshore locations. This should be planned inside its cloud using cross-cloud facilities and even across cloud vendors.

7 – Incident response – An organized method for dealing with the consequences of an attack against the security of a computer system. The cloud provider’s role is vital in performing incident response activities, including incident verification, attack analysis, containment, data collection and preservation, problem remediation, and service restoration. As in the last section on availability, the SaaS vendor should also take its own security measures to protect the application layer, including using VPC/VPN, application audits, antivirus, etc.
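The tenant data isolation described under Data protection above, as an added example that is not part of the original post: a shared-table lookup keyed only on the record id beside one scoped to the session’s tenant, plus a check that reports every cross-tenant read. The table, tenant names and function names are assumptions, and the rows are constructed sample data.

```python
import sqlite3

# Constructed sample data: two hypothetical tenants sharing one table
# (shared-schema multi-tenancy).
SAMPLE_ROWS = [
    (1, "acme", "ACME invoice 1"),
    (2, "acme", "ACME invoice 2"),
    (3, "globex", "Globex invoice 1"),
]


def make_db():
    """Build an in-memory database holding every tenant's rows in one table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE invoices ("
        "id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, body TEXT NOT NULL)"
    )
    db.executemany("INSERT INTO invoices VALUES (?, ?, ?)", SAMPLE_ROWS)
    return db


def get_invoice_unscoped(db, session_tenant, invoice_id):
    """Weak form: trusts the record id alone and ignores who is asking."""
    row = db.execute(
        "SELECT body FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()
    return row[0] if row else None


def get_invoice_scoped(db, session_tenant, invoice_id):
    """Hardened form: the tenant is taken from the authenticated session,
    never from the request, and is part of the query predicate."""
    row = db.execute(
        "SELECT body FROM invoices WHERE id = ? AND tenant_id = ?",
        (invoice_id, session_tenant),
    ).fetchone()
    return row[0] if row else None


def isolation_violations(db, fetch):
    """Try every (tenant, record) pair and return those where a tenant
    could read a row owned by another tenant."""
    owners = db.execute(
        "SELECT id, tenant_id FROM invoices ORDER BY id"
    ).fetchall()
    tenants = sorted({owner for _, owner in owners})
    return [
        (tenant, invoice_id)
        for tenant in tenants
        for invoice_id, owner in owners
        if owner != tenant and fetch(db, tenant, invoice_id) is not None
    ]


if __name__ == "__main__":
    db = make_db()
    print("unscoped:", isolation_violations(db, get_invoice_unscoped))
    print("scoped:  ", isolation_violations(db, get_invoice_scoped))
```

Run against each data-access function in a regression suite, the check surfaces a missing tenant predicate before release.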

You are welcome to read more about that in the NIST report “Guidelines on Security and Privacy in Public Cloud Computing”. I suggest you check the table in section 4.1 for guidelines for organizations to follow when planning, reviewing, negotiating, or initiating a public cloud service outsourcing arrangement.

What about the security of private clouds? I managed to find an interesting article that presents the obstacles that stand in front of an organization that wants to have its private cloud secure and compliant with SAS70, ISO 27001 or PCI DSS. The overall conclusion is self-evident: it is absurd that an organization would prefer to go through the hassle and cost of getting audited themselves in order to keep their IT in-house, when the organization could instead choose an IaaS vendor that already has all the compliance, assurance and accreditation boxes ticked. You are welcome to check an overview of Amazon AWS security processes (May 2011) as an example of those capabilities.

To summarize, SaaS vendors (obviously for SMB and Enterprise as well) should recognize the cloud vendors’ lock-in and, together with that, they should leverage the IaaS vendor’s capabilities, specifically the security capabilities, as they should relate to them as differentiators and pure advantages in their market.

Stay tuned with `I Am OnDemand` and check part 2 next week – The Cloud Security Part 2: Vendors and Market Perceptions

The PaaS Market: Overview, Definitions, Vendors and more

> > > > >   Market Overview and Definitions 

According to Gartner’s PaaS Road Map report, cloud-based solutions will grow at a faster rate than on-premises solutions. By 2015, 50% of all ISVs will be SaaS providers. Most enterprises will have a major part of their business applications running on the cloud computing infrastructure, using PaaS and SaaS technologies directly or indirectly.

It is confusing to describe PaaS as one category, as different values are presented by the different ISVs who are developing and delivering solutions on different layers. Gartner’s report lets us categorize the PaaS market into the following 3 layers –

  1.  Application platform as a service (aPaaS) – providing a complete application platform that is used by the actual application’s components (those which support the business process) or by its APIs. Business-level power users and developers gain speed-to-market and the ability to focus on bringing their expertise to the business process layer rather than having to build the whole application infrastructure.
  2. Software infrastructure as a service (SIaaS) – those services provide management for software parts such as online cloudy database, integration and messaging. This layer is similar to the previous layer as it provides the development tools to build an application in the cloud, but it’s targeted at developers rather than business-level power user.
  3. Cloud enabled application Platform (CEAP) – Software middleware that supports the public and private cloud characteristics, including monitoring, complexity management, scaling and optimization.

There’s been a veritable explosion of platform-as-a-service choices coming onto the market in the past month or two, and the pace of introductions is accelerating.

During the next two years, today’s segmented PaaS offering market will begin to consolidate into a coalition of services targeting the prevailing use patterns for PaaS. Making use of such reintegrated, targeted suites will be a more attractive proposition than the burdensome traditional on-premises assembly of middleware capabilities in support of a project. By 2015, comprehensive PaaS suites will be designed to deliver a combination of all specialized forms of PaaS in one integrated offering.

> > > > >   PaaS Providers and Products —

There are several well-known PaaS providers such as GoogleApps, Heroku,  Microsoft Azure  and of course Force.com, the most mature and rich PaaS for those who want to build a classic forms-and-database SaaS application in the “old” Salesforce.com fashion.

“We don’t spend any time talking about the acronyms,” Andy Jassy, senior vice president of AWS, told eWEEK. “All those lines will get blurred over time. It’s a construct to box people in and it fits some stack paradigm. We started with raw storage, raw compute, and raw database in SimpleDB. And we’ve added load balancing, a relational database, Hadoop and Elastic Map reduce, a management GUI… All those lines start to get blurred, and you can expect to see additional abstraction from us.” Read more on eWeek

SpringSource (by VMware) – Cloud Foundry, VMware’s PaaS offering, works with a variety of development frameworks and languages, application services and cloud deployment environments. It includes the SpringSource Framework, an enterprise Java programming model that VMware picked up in its August 2009 acquisition of SpringSource. The Spring Framework is in use by about 2 million developers worldwide as a lightweight programming environment to make applications portable across open-source and commercial application server environments. Read more on crn.com

Caspio – `Cloudy` online database platform to support online software development. One of the best features of Caspio is its “embed” feature which offers an embed code for a Caspio-based “datapage” much the same way that YouTube offers embed codes for its videos. Caspio handles blobs at the field level (in other words, there’s support for video, images, and other large binary objects) and supports SQL/API-based access to its databases. Caspio has a personal “version” that’s free but is limited to 2 data pages (essentially forms) and then starts at $40 per month for 10 datapages, 1 GB worth of data transfer and 1 GB of storage. There’s a corporate version that goes for $350 per month (more datapages, capacity, and “logins”) and several levels of subscription in-between. See how Caspio works or read more about this vendor on informationweek.com

Gigaspaces – Gigaspaces’ core product, the Gigaspaces XAP, is an enterprise-grade, end-to-end in-memory application server for deploying and dynamically scaling distributed applications. If an ISV or any IT organization needs to boost workload performance and has business-critical Java and .NET applications that can be spread over a computational or data grid configuration, XAP can be a good option. GigaSpaces started as a firm that could manage a server’s local cache; it expanded to manage the combined cache of a cluster of servers, then figured out how to make that cache expandable by managing the cache as servers were added to the cluster. In its latest iteration, the GigaSpaces CEAP (Cloud Enablement Application Platform) makes application business logic elastic by managing its multiple moving parts in a shared memory system. The cloud-enabled platform allows “continuous scaling of application data and services. Think of Amazon style of SimpleDB scaling,” says Nati Shalom, CTO and founder of GigaSpaces. Check out Gigaspaces.com and read the recent news brought to you by InformationWeek.com

OrangeScape – OrangeScape is one of the 10 global companies featured in Gartner’s ‘PaaS competitive landscape’ report and has also been featured in all the PaaS reports of Forrester. As an aPaaS provider, Orangescape Studio offers a UI similar to a modern Excel application, so business users can design an application by capturing various aspects of the application declaratively in an XML-like format which is then executed by the proprietary Orangescape virtual machine. The core of the virtual machine is their main platform, which is nothing but a rules engine that works on a complex networked data model. Read more on CloudAve

Cordys – aPaaS vendor delivering MashApps. Cordys Process Factory (CPF) is a Web browser-based, integrated cloud environment for rapid Cloud Application Development. Cordys Process Factory allows users to use and sell Cloud Applications, and also to subscribe to applications built by others in the Cloud Marketplace. All of this is achieved through visual modeling, without having to write code. Check out Cordys and read more on getApp.

There are other interesting PaaS providers such as Joyent, MuleSoft, CloudBees, Appistry and more. I will release another post on those later this month, so you are welcome to stay tuned with `I Am OnDemand`.

> > > > >   Choose Your PaaS Providers

A traditional ISV converting to a pure SaaS vendor should carefully plan its application deployment strategy. By learning the PaaS market and selecting the relevant vendors in it, the traditional ISV will achieve a fast go-to-market and eventually a smoother conversion. Together with those benefits, I find that considering a PaaS provider will make the smart ISV’s CTO understand the strong lock-in to whichever PaaS provider the CTO chooses. This will make the CTO nervous, as lock-in in the on-demand market is without doubt more aggressive.

Check these important criteria to consider when evaluating a PaaS vendor.

Learn more about PaaS vendor lock-in

To summarize, I can say that there is no doubt that PaaS has an important part in the adoption of cloud computing by ISVs and IT organizations. The PaaS players are technology-rich companies, the market definitions and roles are not completely clear, and it seems that PaaS evolves slower than the other two layers (i.e. IaaS and SaaS). As in every evolving new market, you can expect a wave of innovation and of hype, as there are today new business opportunities for startup companies, the leading software vendors and the IaaS giants.

Do you still have a lack of knowledge with basic market definitions? Check I Am OnDemand Terminology Page

Gartner: IaaS forecast to grow from an estimated $3.7 billion in 2011 to $10.5 billion in 2014

“Startup IaaS pure-plays, Web hosters, carriers and data center outsourcers are all competing in the cloud computing IaaS market. However, many providers have a market viewpoint that is restricted by the particular use cases that they see in their sales pipeline, and this can lead to tunnel vision,” Read more

PaaS news again and now it is Gartner

Gartner Says 2011 Will Be the Year of Platform as a Service

“Early consolidation of specialized PaaS offerings into PaaS suites will also be evident. New vendors will enter the market through acquisitions or in-house development. Users can expect a wave of innovation and hype. It will be harder to find a consistent message, standards or clear winning vendors.”