Posts Tagged ‘IT operations’
Cloud Alignment – Part III (Security)
The purpose of this post is to address the issue of the security of cloud based applications from the perspective of the CIO of a midsize company. His focus would be primarily on prudent cost reduction opportunities. I will not attempt to provide an in depth technical discussion here. I will provide some useful links to such discussions. However, I don’t think a midmarket CIO, or CXO, would be well served by loosing himself in the technical details at this point. It’s all evolving too fast.
As I researched this topic I was initially amazed at the amount of information. After I thought about it for awhile I realized that this was a hot and rapidly evolving topic, so this volume of information is to be expected (and I’m contributing to it myself with this blog post). My research has been fairly extensive but not exhaustive. I could have easily made this a white paper taking months. It will also be dated fairly quickly. Like I said, this subject is changing quickly.
The first item of business is a definition of some useful terms. I will standardize on the definitions provided by NIST (National Institute of Standards and Technology). The link to those definitions is here and a link to a cloud computing overview is here. I like the NIST definition: “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” The other document at this site is a 92 page PowerPoint presentation. I think it is useful but lacks sufficient material in the speaker’s notes.
I am a big fan of Gartner’s Hype Cycle diagrams. Over the years I have found them to be a good way of representing the expectations we have of technology. I have included an overview below. A link to the Gartner site is here.
Every technology category is typically represented by a point on the curve. That point is color coded to indicate how fast it is moving through the cycle. If you want more details on this I encourage you to go to their site and sign up for their free registration. In Figure 1 I overlaid a red line on that section of the curve where I believe cloud computing is today based on Gartner’s predictions as well as other sources. We are clearly at or near a peak of enthusiasm and expectations for a new technology.
Figure 1 – Cloud computing expectations
One concern that I have is that when I have talked to people in midsize or small companies making a decision on how to use cloud computing all I hear about is the opportunity for cost reduction. That opportunity is real but the decision is not just about cost reduction. It’s also about risk exposure and that means security concerns. One document that details those risks is from ENISA (European Network and Information Security Agency). Its link is here. Be warned, this document is not for the faint of heart. It is large and detailed but does offer a comprehensive list of risks. Another less detailed source of cloud security insight is provided in an InfoWorld article on a Gartner report. Its link is here.
One thing to remember is that using cloud computing usually means virtualized applications made available over the internet. A useful but detailed discussion of virtualization can be found here. There are several types of virtualization risks such as attacks on the hypervisor, attacks on automated provisioning and problems in digital forensics due to mobile locations of virtual machines. Detailing each of these examples generate a significant amount of information and is beyond the scope of this post.
We should also briefly touch on the major players providing cloud based infrastructure and development environments. The three big names in these areas are the Google App Engine, the Amazon Elastic Compute Cloud (EC2) and Microsoft’s new Azure Platform. For these offerings, you rely on either secure data center operation or the security capabilities of their development tools. Cloud computing is new to most developers as well. Their skills in using these tools are still maturing, including security.
It would be easy to discuss various risks almost indefinitely. However, that wouldn’t address the main concern of making an informed decision on what to do with cloud computing now. As you can see from Figure 1, I placed a red line over the region of the curve which represents the earliest time for mainstream adoption. The period between where cloud computing is today and mainstream adoption starts is a time for trying out this technology. I recommend a trial that doesn’t involve sensitive company data but is non-trivial. Such a trial will provide insight into the management of cloud based infrastructure, applications and working with cloud vendors. It will provide an opportunity to gain experience in relative safety.
For example, I am part of the Google Wave beta program. If interested, check out this link or the Google site. In addition to that, I am working with Itensil on a new product which leverages Google Wave with its other existing products for collaborative, wiki-based consulting project work. For me it’s a great opportunity to learn more about using cloud computing to do something relevant for my business. That work could eventually lead to a significant competitive differentiator. For a business IT alignment consultant, it’s putting my money where my mouth is and aligning some cloud IT to my own business.
For a blog post, this one is long. As a discussion of the security of cloud based computing, it just scratches the surface. The recession has accelerated the adoption of cloud computing and the recovery will accelerate its adoption further. Midsize and smaller companies will be most of the early adopters of cloud technology along with a few large corporations. Security concerns will be the throttle that regulates the speed of adoption. As cloud security is resolved I think we are in for some very transformational times.
Thanks for stopping by and stay tuned for more…
Cloud Alignment – Part I
This is the first of a series of posts on cloud computing. This is a hot topic in the technology world yet it is also the source of much confusion. Before I start talking about cloud computing, I should provide you with my practical definition. My perspective is that of someone responsible for both IT and business operations within a larger “midsize” company. I don’t care about technology for technology’s sake but only for what it can do for my business. Given all of that my definition is:
“Cloud computing refers to beneficial software functionality delivered as services via the Internet. Those services reduce the demands on the company’s IT infrastructure, other than the capacity of the connection to the Internet.”
Its only value is to give me access to capabilities I didn’t have before for a price I can afford and/or to lower the costs of services already provided to my customers. The Wikipedia definition is provided here. There is much more material there but I believe it’s consistent with my definition above.
I also separate the cloud into two parts. There is that part of the cloud that provides my connection to a hosted application. It is composed of various routers, gateways and backbones but it basically my highway to the application. I’ll refer to that generically as the “pipe”. The other part is the hosting environment itself. It contains the application and data storage. I’ll refer to that environment generically as the “host”. This distinction will be important throughout the subsequent parts of this series.
My current plan for the series is:
Part I – Introduction and definitions (this part)
Part II – Cloud performance
Part III – Cloud security
Part IV – Cloud privacy (legal issues)
Part V – Conclusion
There is no shortage of material on cloud computing on the Internet and it’s not hard to find. Try not to get caught up in the hype. It’s easy to do. Remember, cloud computing in some form and by some name will be important to all of us in the future. It will be part of your business and IT strategic plan in the not too distant future. Stay tuned for more…
Cloud Alignment – Part II (Overall Performance)
This is part II of my series on some of the practical aspects of cloud computing. In this post I’ll focus on the overall user-centric performance of the cloud computing experience. I’m using this vague phrase because the performance of the user experience is made up of several factors, like Internet congestion, “last mile” bottlenecks, hosting server performance and user PC performance, to name a few. Let’s start by defining some general classes of users.
User Types
The most basic classes of users are those that do all their work in one place with dedicated infrastructure (fixed users) and those users who may do their work from multiple locations, both connected to the Internet and not connected (mobile users). Examples of fixed users are customer service workers, corporate staff jobs like clerical accounting workers, etc. They go to work at the same place every day, sit in front of the same PC doing the same kind of work and then go home at the end of the day and leave their job behind. I hear there are still some of them around these days. Examples of mobile workers are everybody else with a job and a computer. Now we need to focus on the types of data traffic involved.
Data Traffic
Any basic graphic of the use of the cloud consists of a user with a PC, a cloud containing a server and a lightning bolt connecting the two, as shown below. The firewall (brick wall symbol) can either be on the local network or in the user’s machine itself.
I am presenting two scenarios to consider. Scenario 1 is the least demanding on the user end and represents the slowest, lowest cost option. It is the scenario usually implied when we talk about cloud computing. It does require that the overhead of the user interface is moved down to the user’s machine along with the data itself. Scenario 2 is actually representative of a user application which relies on an external host to provide compute power and push data down to the user’s machine. It is the faster but more expensive option. It doesn’t require that the user interface overhead be sent down along with the data since the user interface is already on the user’s machine. Remember, the yellow lightning bolt (the remote connection) is the limiting link in the chain. It is by far the slowest segment of the trip. Now we need to consider the tradeoff between the two scenarios for each user type.
Tradeoff – Productivity vs. Cost vs. Performance
For the fixed user, scenario 1 will probably work well enough to justify the cost savings at the expense of performance. Our definition for this type of user is primarily clerical in nature. However, as we move to the mobile user, things get a little more complicated. The speed of the remote connection link will vary depending on the location of the user. In some cases, the remote connection will be slow or non-existent. If the remote connection is slow the user interface overhead will make a cloud application unacceptably slow. Obviously, if the connection is dropped or not available the point is mute, there is no cloud. There is a subset of the fixed user community that has other issues. There are those who are fixed in their location but are creative types who need the flexibility and richness of local applications. Examples of these people are graphic artists, designers, architects, engineers, etc. For them, browsers are not yet a visually rich or powerful enough user interface for their work. In time, that will change but not now.
The solution for mobile and creative types may lay with composite applications, mashups and hybrid clouds. The discussion of these options is beyond the scope of this post, but check out the links for more information. My main point is that cloud computing is not one size fits all. It’s important to not get caught up in the hype and realize that, with some adaptation, the benefits of cloud computing and acceptable levels of performance are available for all users.
I have provided some video links below that present a somewhat cynical view of cloud computing. While I think that Larry Ellison (Oracle CEO) represents an oversimplified view, he is entertaining. The Forrester analyst offers a thoughtful counterpoint.
onclick="javascript:pageTracker._trackPageview('/outbound/article/www.youtube.com');">Larry Ellison on Cloud Computing " onclick="javascript:pageTracker._trackPageview('/outbound/article/www.youtube.com');">Forrester Research