The Cloud in HP’s Cloud (Part 2): HP Discover, the Enterprise and AWS Cloud

imageLast month I attended HP Discover (disclosure: my participation was funded by Ivy World). The IT war already started however HP stands still not taking initiatives and real risks as true leaders should take. At the three-day conference I learned why some companies don’t last and why this IT giant is at a great risk of losing in this new era IT battle. This is a story of a lasting company that might have already lost.

> > > HP’s Washes the Cloud

Continue reading

ClickSoftware – Great Case of an AWS Cloud Adoption: Part 1, Operations

imageOver the last year I had endless conversations with companies that strive to adopt the cloud – specifically the Amazon cloud. Of those I met, I can say that ClickSoftware is one of the leading traditional ISVs that managed to adopt the cloud. The Amazon cloud is with no doubt the most advanced cloud computing facility, leading the market. In my previous job I was involved in the ClickSoftware cloud initiative, from decision making with regards to Amazon cloud all the way to taking the initial steps to educate and support the company’s different parties in providing an On-Demand SaaS offering.

ClickSoftware provides a comprehensive range of workforce management software solutions designed to help service organizations face head-on the challenges of inefficiency. With maximizing the utilization of your resources is the lifeblood of your service organization and has developed a suite of solutions and services that reach the heart of the problem.

Continue reading

Cloud Security Management – Overview and Challenges

What’s your first priority cloud security concern ?

From an attacker’s perspective, cloud providers aggregate access to many victims’ data into a single point of entry. As the cloud environments become more and more popular, they will increasingly become the focus of attacks. Some organizations think that liability can be outsourced, but no, it cannot! This presentation will answer questions such as what are the key security challenges for new cloud comers. What are the options and how you can start with a safe cloud deployment?

My presentation includes the followings and more:

  • The different Cloud security aspects
  • The cloud vendor versus the cloud customer – the responsibility perception
  • How Newvem helps its customers to avoid AWS cloud security vulnerabilities leveraging eco-system of cloud vendors.

Newvem partnered IGT Cloud meetups and opened a cloud management forum conferences. These conferences focus is on the key aspects of cloud management such as cost, security, compliance and more. Each meetup includes different lectures and include real case studies. All the sessions are recorded and published on a mutual videos channel.

My View on CloudConnect 2012

Last week I attended one of the most popular cloud technology conferences in the world – CloudConnect. The CloudConnect conference started about four years ago. Attending the event gave me a clear understanding of the market maturity and evolution rhythm. Check out the following sections for the main points on what I heard and learned:

>  >  >  >  >  Cloud Performance 

The underlying infrastructure performance, round trip time, bandwidth, caching and rendering are to be counted as the major features of an online service performance. In an interesting presentation by @joeweinman (known by his famous “Cloudonomics” theory), it was claimed that latency holds the greatest weight among these faetures. I encourage you to check out his new research – As Time Goes By: The Law of Cloud Response Time presents some good formulas, methods and considerations with regards to online services’ performance and latency (including simple facts, for example, that people tend to prefer selecting from fewer options on an online page –  so you can have less content on a page and achieve a better browsing performance).

“Multi-tenancy leads to noisy neighbor syndrome” noted @jungledave, Founder and CEO at SolidFire. It is known that the lack of SSD storage components in cloud offerings (mostly due to its high cost) results in uncertainty in cloud storage performance expectations. I invite you to listen to @neovise’s recent podcast with Dave, which discusses solid state disks (SSD) and cloud computing. FYI, Amazon AWS already caught on to the need for fast and robust storage capabilities and deployed DynamoDB on SSDs, which have the benefit of offering predictable performance and greatly reducing latency across the board.

The best presentations are like movies; they should be based on real cases (keep that message in mind, I talk about it more later). One such case is Netflix. Netflix CTO, @adrianco presented methods and principles of scaling data in the cloud including Big Data management, availability, performance security, and more. I suggest checking out his presentation (a cool prezi one), to get the list of vendors and AWS components Netflix uses to optimize its data delivery over the cloud.

It was funny that only the last session’s presentation made by @lmacvittie pointed out the “obvious” first – start from understanding what cause the performance issues and only then try to solve them. I say “obvious” because it is a fact that the appealing ease of provisioning cloud apps and resources leads to the “unknown cloud” symptom (due to the uncontrolled sprawl) that contributes to the uncertainty performance. The “unknown cloud” as an issue found great support in the next day’s morning keynote presentation by @gevaperry, who noted that “a lot has already said about CIOs who don’t know about their own cloud use”. Geva presented a survey that clearly shows that the cloud computing adoption decision in an enterprise is made by the development or business units and not by the IT team – Are you surprised? Read more.

From my deep familiarity with the market, I can confidently add that despite cloud consumers’ recognition of the need to “cut through the fog” of the cloud, proven ways to actually do so are not really available in today’s young market. 

>  >  >  >  >  DevOps doesn’t exist 

I attended the panel “In Search of Mad Cloud Skills” led by the cloud-famous @DavidLinthicum and composed of four IT leaders. David presented some great but simple questions that the participants seemed to struggle to answer. One trivial question – “What do you need to find in the candidate for a DevOp?”  brought discussion around to the obvious need to have someone with development skills who also understands the business needs. The title of the session was aligned with the actual comments of the panel members, saying it is difficult (“Mad”) to find the right skills for their DevOp team.

For me, this session brought an end to the debate of NoOps vs. DevOps. The “DevOps team” is in fact  a development team that plays with virtual blocks in the cloud kindergarten. Integrating the product with the cloud is actually a task for R&D under the auspices of the CTO. That leads to the understanding that the enterprise CIO is actually the new enterprise CTO; if we talk about an ISV, then the CIO holds another position as a senior R&D team leader. NoOps rules and the CIO should look for architects and developers. Learning the building blocks of the cloud and the APIs is one task for the R&D (I remind you: “Research and Development”) team same as learning the overall software offering and the supported business workflows.

>  >  >  >  >  The Openness of Cloud 

Wednesday’s keynote included a panel with Redhat, Citrix and Rackspace, which was moderated by @acroll (a great moderator and presenter) discussing the “Open” perception in the cloud.

The great discussion about the Openness of the cloud actually led to some online #ccevent tweets including the phrase “Open washing”, strengthening the fact that some of the traditional mega vendors are actually “cloud washers” that present the “enterprise cloud” which is in fact an hosted environment supported by a traditional professional service. (You can check out my opinion of HP cloud offerings on a past post.)

“An enlightening panel at #ccevent was the “open cloud” conversation but not for the right reasons. ‘Open washing’ season has started.” tweeted @swardley 

These vendors not only struggle with the fact that Amazon is taking big chunks of their main market but also with the fact that it is hard for them to prove the profitability of real cloud delivery offering based on a real pay-per-use model.

“Citrix: we hate VMware. Red Hat: we hate Microsoft. Rackspace: we hate Amazon”, tweeted @acroll once he got off the stage

Cloud put the need for “Open” on the table. It makes the IT (including the traditional enterprise one) consumers to look for open systems including open source ones. The cloud force IT vendors to prove their low level of lock-in and robust API to enable their customers update and custom the application at a low cost with no touch – check MS Azure marketing messages in regards to their efforts to support open source frameworks (though I am not sure that they really “open”).

Open” is definitely one of the important criteria to decide to go with a solution vendor. The “open” cloud vendor shares its code with the community in order to help others come with better solutions including its own customers. The “open ISV” doesn’t afraid to “lose” its code propriety to competitors and find that being “open” actually increase awareness and positive view of its brand as well as the maturity of its offering.

>  >  >  >  >  “Amazon is Snow White” said @adrianco 

At first I was not sure why Amazon didn’t exhibit at the famous CloudConnect conference but after asking several important people this question, the simple conclusion is that as the strongest market leader Amazon can afford to leave the marketing efforts to the crowd. As the beautiful princess in town you attend only to your own parties and you definitely don’t want to position yourself among the dwarfs.

CloudConnect was really about the major IT market disruption Amazon has been leading for the past few years. In almost every session, the discussion about cloud was actually a discussion about Amazon AWS offering and its design partner – Netflix. Every other offering such as OpenStack, Rackspace cloud and IBM cloud offerings are always being compared with the AWS cloud. The final thought of suggesting they change the name CloudConnect to AWSConnect never entirely left my head (although this might make some of the@Clouderati guys really uncomfortable).

Q: What did the CloudConnect miss?  A: Real Case Studies 

I noted above that great movies are based on real stories, same here. I wasn’t in all the sessions but being a dedicated follower of #ccevent and listening carefully to some of the leading thinkers in the industry, I think that most of the sessions were still on more theoretic levels rather than practical ones. You are welcome to check these conference presentations. 

It is not surprising that the best sessions were those presented by organizations that already found their way to the cloud, whether fully public (Netflix), or mostly private (Zynga zCloud). I suggest you to find Zynga’s CTO Infrastructure lecture in the conference recorded videos list.

Personally, I think it would have been great if they had a greater number of sessions and stories based on actual cloud architectures, shifting legacy applications to the cloud, and actual stories of ROI optimization. The market is still totally immature and on shaky ground. Vendors don’t really know how to present their offerings and even the simple phrase “cloud cost” have several interpretations. ISVs and enterprises are misled by the mega vendors – this is one of the major factors that slow down cloud adoption pace. If six months ago I would have said 2-3 years to reach market saturation, CloudConnect made be more realistic and think more about 3-5 years.

CloudConnect was a great opportunity for me to meet all the cloud rockstars I had been twittering with over the last year – great cloud evangelists. Someone said that he felt like walking through the twitter home feed. I found the cloud in twitter – great performance, mobile, open and available. It proves cloud serves my actual needs for networking, communications and knowledge.



The IaaS Management Market: Evolution, Vendors and More

A lot has already been said about the false cloud use where the IaaS platform utilized as an hosting extension of the IT organization’s data center and not taking advantage of the elasticity benefits to generate a cost effective and scalable IT operation. Using the public IaaS whether it is Amazon, Rackspace or any other vendor means using a highly dynamic environment which presents an increasing complexity hence loss of control. Checking the list below I can say that cloud (including all its layers IaaS, PaaS and SaaS) control basically contains the same aspects as the good old system management.

What is “System management” ?

“refers to enterprise-wide administration of distributed systems including (and commonly in practice) computer systems.”

“System management may involve one or more of the following tasks:

  • Hardware inventories
  • Server availability monitoring and metrics
  • Software inventory and installation
  • Anti-virus and anti-malware management
  • User’s activities monitoring
  • Capacity monitoring
  • Security management
  • Storage management
  • Network capacity and utilization monitoring”

Read More on Wikipedia

Continue reading

Clouds of Change: MTBC Cloud Conference and 2011 Outlook

Posted by Nir Peled

Last Friday, I attended  MTBC (Metroplex Technology Business Council) Solutions in the Cloud” conference in Dalla, Texas.The main event at the conference was a prestigious panel composed of three IT leaders: Brian Bonner, CIO of Texas Instruments, Toby Pennycuff, CTO of J.C. Penney Company and the panel moderator, Robert Wiseman, CTO of Sabre. 

The panelists shared their thoughts and expertise with more than 300 professionals and academic leaders regarding cloud’s most fundamental questions. This event gave us a chance to hear directly from the decision makers regarding moving into the cloud, how they feel about this new innovative approach, what worries them and their predictions regarding organizations going into the cloud.

The panel was unanimous in their approval of what we all suspected was the main concern of large organizations (when considering going into the cloud), cloud security assurance.

“Providers must have a proven security approach. For us, the cloud provider would have to prove the security of our data before even offering its services to us. This is vital”  said Pennycuff.

“What is the exit strategy? What happens to the data after the lease term is over? How do we get it back and how do we know that it is still secure?” asked Bonner.

Bonner was also concerned regarding migration into the cloud of large traditional organizations like the one he comes from. These types of organizations have some old systems. In most of the cases those enterprises would have multiple layers of systems which were added over the years as the technology evolved. In Bonner’s opinion, the cloud migration would and should be systematic and gradual. The new cloud components must support and communicate with the old/current systems. conducted a survey in the second quarter of 2011 to determine cloud computing usage trends among IT professionals who participate in the BitNami, and Zenoss open source software and user communities. The final results, presented in “2011 Cloud Computing Outlook” document, include a lot of information on cloud adoption including motivations, barriers and trends. The following chart present important findings on one of the today’s common “cloud adoption” question –

> > >    At what stage are your plans for cloud computing in 2011?

The panel and the survey, both discuss the Cost as the most common motivation to move to the cloud and the Security as the most common challenge.

> > >   What benefits do you believe cloud computing provides to your organization ?

In the large organizations the cloud would need to come up with significant advantages (in terms of cost efficiency) in order to convince migrating from the known, functioning IT (referred to as the “old” approach) to the “new” cloud IT. What matters to organizations is functionality together with speed and above all is security. Security must be trusted in the “old fashioned” approach.

Learn about cloud security basics:  The Cloud Security Part 1: For Dummies

If there are a large number of users how would you control and maintain security? In addition, how would you secure the resources used in a virtual system?

Those interesting questions were asked by a PhD from the Texas academic world which is responsible for $5 million research project for the US Air Force. In response to those questions, the panel agreed that while no major attacks have occurred, we should still use several layers of security. All security mechanisms (such as several ID & password combinations timeouts, identity verification etc…) should all be implemented in the cloud security solution. Using a trusted virtual OS in addition to closely monitoring the US military’s network could assist in preventing attacks. They also mentioned that the concept of asking for a `contract for damages` from the cloud providers scares them and limits their services.

Cloud security is still caught as one of the leading adoption barriers, but it is interesting to see that it is not the first according to 2011 outlook report.

> > >   Are there any factors inhibiting your adoption of cloud computing?

Check the following results for the question – 

> > >   What is your biggest challenge with regards to managing your cloud computing environment? 

Can we say that there is a mind shift ? Does security factor changes from adoption barrier to become a challenge while the decision to move to the cloud already made? 

Another very interesting and important subject was brought up during the panel discussion – Privacy and Regulation in a global cloud environment. Every country and, in some cases, every state has its own regulations and utilizes different approaches toward privacy and ownership rights for data, patents, processing of information in its registration, etc.  This issue presents the world with regulatory challenges. If the data is in the cloud, and the cloud can be everywhere (sometimes in several international locations simultaneously) how would the providers protect the data while also guaranteeing their clients’ rights? Where the data being kept and where/how is it being used?

100 years ago, everyone had to drill for water. Today, everyone drilling for water makes no sense. Same for IT, if cloud would be possible and the obvious way for IT, we would be able to concentrate on our core business. No doubt, there is a place for cloud in IT for some companies. The hardest part is finding out whom to trust (which is common when doing any sort of outsourcing).

The final words were shared by all the panel speakers. They agreed on the fact that the world is going towards cloud for platform, infrastructure and services. There are many challenges to confront and issues to deal with primarily regarding security. Today companies and organizations are looking into moving to the cloud and building and/or modifying their current business modules of the last 20+ years.

“Before going into cloud remember to educate yourself, understand the offer, pay attention to security and have a good “exit” strategy.” Pennycuff’s words of wisdom.

“Take it slow, go step by step and in small groups.“ Bonner added

An interesting comment from a participant received unanimous approval from the audience. It was mentioned that cloud provides a good business opportunity for small and new companies.  Cloud services benefit from the fact that their own architecture is not grounded in the old methods of operating, and has not yet suffered from “spaghetti” code infrustructures. 

Check out the following diagram presenting the survey report in a real creative way:

The author of this article is Nir Peled, a reporter and a contributor `I Am OnDemand` .

Nir Peled

The Cloud Security Part 2: Market Perceptions, Vendors and More

This year, April study conducted by independent research firm Ponemon Institute and sponsored by CA Technologies, surveyed 103 cloud service providers in the U.S. and 24 in Europe representing a mix of cloud service and deployment models. 70% said they allocate 10% or less of IT resources to security and control-related activity.

Who is most responsible for ensuring the security of the cloud resources ?

“Right now, organizations are focused on moving their least sensitive data and applications to the cloud for cost savings and rapid deployment, leading to cloud providers not making security a priority” Matthew Gardiner, director in the security business unit at CA

The chart above shows the different perceptions about who is responsible for security in the cloud. According to this chart, both 32% of cloud users and cloud providers believe the cloud provider is most responsible for ensuring the security of cloud services. In sharp contrast, 69% of IaaS providers see the cloud users as most responsible for security, while only 35% of users believe they are most responsible for ensuring security.

These different perceptions between cloud providers and cloud users about who is responsible for securing the cloud means organizations may be over relying on their cloud vendors to ensure safe cloud computing. Despite the risks to data in the cloud, it is interesting that providers do not consider the security of cloud services as a competitive advantage. 

“… more than 33% of the respondents were not very confident that their data was going to be protected and isolated in the cloud. It’s also the cloud technologies. They hear about private clouds and community clouds. And, again, more than 70 percent of the respondents were either not confident or really didn’t understand how they could get sensitive data controlled in a private cloud.” Tom FieldInterview of Russel Dietz, CTO of SafeNet

No doubt that the IT industry understands those risks pretty well and recognizes them as the major obstacles of the cloud’s future. The recognition of the security issues brought the establishment of the Cloud Security Alliance (CSA), a non-profit organization formed to promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing. The CSA is actually a consortium that was established at 2008 by the major IT companies including the Cloud providers that want to protect their business interests. The CSA’s board includes members from IBM, Rackspace, EBay, Accenturem, Trend Micro, Lockheed Martin, Google, Zynga and more other.

“The Cloud Security Alliance (CSA) will partner with ISO to develop key standards for cloud security. Organizations dependent on cloud services and the security executives charged with their safety will soon be able to measure cloud-based security controls using the same tools and measures currently used in traditional control structures,” says Marlin Pohlman, CSA’s global strategy director. Read more

Pohlman also compares the cloud security evolution with the development of railroad standards in Europe in the 19th century.

“Countries realized eventually that having a joint infrastructure was in everybody’s best interests.” Read More

Together with the Ponemon’s findings, there strong positive winds from the side of the US federal government. Federal IT managers indicate that cloud computing will become a core component of government IT in next five years, according to the December 2010 survey

The Federal agencies recognize the security issues and are pushing to deal with them including establishment of the Federal Risk and Authorization Management Program (FedRAMP). The FedRAMP allows joint authorizations and continuous security monitoring services for Government and Commercial cloud computing systems intended for multi-agency use. The use of this common security risk model provides a consistent baseline for Cloud based technologies and ensures that the benefits of cloud-based technologies are effectively integrated across a variety of cloud computing solutions. The risk model will enable the government to “approve once, and use often” by ensuring multiple agencies gain the benefit and insight of the FedRAMP’s Authorization and access to service provider’s authorization packages. 

——————————————————- Cloud Security Vendors 

The cloud security vendors are scattered across the different layers of the On-Demand industry, from support of the IaaS vendors to monitoring and securing of a SaaS application and data. The evolution of the security industry somehow aligned with the evolution of the IT hosting industry from a dedicated in-house environment all the way to the cloud era. In The Cloud Security part 1 I list the security benefits and drawbacks that comes with shifting to the cloud, summarizing those I can say that the concentration and the uniformity that comes with the public clouds will create new and complicated threats, hence development of more regulations and better security standards that will keep the security companies imperative even more than in the past.

The Cloud Security Vendors’  Evolution

Protection in the Cloud services include Web Filtering, Managed firewall, vulnerability scanning, authentication, managed VPN, intrusion detection, Web security and hosted e-mail security. On March this year the Magazine listed the 20 top cloud security vendors, those provide services to secure data flow from and to the cloud including IaaS platform security, policy management and web filtering. From examination of those and other, you will find security vendors from all sizes, from the old, known and experienced huge IT companies such as IBMCA and VMware (vCloud Security), to the midsize vendors such as SymantecWhiteHatProofPointPanda SecurityM86 SecurityApprRiverBarracuda Network and more.

I consider myself as a `SaaS groupie` and due to that I searched and come the following short list of promising evolving fresh vendors with “pure SaaS” products that include a self-provisioning option. Those provide security tools mainly on the public clouds and I strongly suggest to try them as those products demonstrate the strong value of SaaS that slowly but surely penetrates the traditional IT security industry –

CloudPassage –  came out of the gate with products to manage cloud security and defend cloud servers. The Halo SVM and Halo Firewall perform server exposure assessments, monitor configuration compliance and provide network access control to secure public and hybrid cloud servers.

Duo Security –   offers Authentication-as-a- Service with its two-factor authentication offering designed to thwart account and data breaches and theft. Using a mobile device for its second factor, Duo leverages the cloud for an extra line of defense and does so seamlessly

Porticor –  provides security and encryption for data in the Cloud. With no code changes, up and running within minutes. Simply login to their website and select the relevant options. It seems that currently they focus on supporting Amazon AWS cloud.

Dome9 – The concept is based on the securing a single atomic unit of the cloud. I found the approach interesting and folowing my discussion with Roy Feintuch, the company CTO and Co Founder, we can expect the beta version to be launch in the next few days. Follow me by twitter and I will be happy to update you.

——————————————————- Summary

There are ISVs and IT organizations that tend to think of a private cloud as better secure. There is a difference between private and public clouds which remembers me at the time when it was forbidden to use the Internet because of security reasons. As of today everybody laughs at it. As I noted several times in the blog I hold the opinion that it is just a matter of time and eventually public cloud will be the standard including a better security due to control and implementation of the better standards and more strict regulations.

One of the main Amazon outage lessons was that the companies who use the public cloud should expect disasters including downtime and I would have use the same approach here as well and say that a security disaster will happen. ISVs specifically and other cloud customers need to study the public cloud strengths and weaknesses and make sure to protect the application and the data from a potential security breaches. The liability of the ISV to its customers can’t be outsourced.