Cloud Computing and Virtualization Expo Show Report

I recently attended Cloud Computing and Virtualization Conference & Expo 2009 in Silicon Valley

Virtualization at Cloud Expo

I remember back-in-the-day when Virtual meant ‘almost,’ ‘simulated’ or ‘in essence’ as in, ‘I’m virtually there.’ Today, as it has made its way into computer terminology, it can mean actual or real things that are done over computers. Virtualization has been the main enabler of Cloud Computing and has become an important tool for IT.

I recently attended the 2009 Cloud Computing and Virtualization Conference & Expo in Silicon Valley and wanted to share some of my observations.

The show has certainly grown from last year but is still a nice small(er) conference with a lot of opportunity for good conversations.

Cloud ‘solutions’ seemed to dominate the talks even though there is still a lot of confusion about the Cloud with a good portion of participants appearing to be in the investigative/learning stage. Many of the attendees were still just trying to understand the whole ‘cloud’ terminology and I felt like one of the most informed – which means there is still plenty of opportunity to educate folks.

Security was a big topic as you can imagine but this year it seemed like the presentations were focused on solving those fears instead of just lx

One of the sessions I enjoyed was ‘Cloud Security – It’s Nothing New; It Changes Everything!’ (pdf) from Glenn Brunette, a Distinguished Engineer and Chief Security Architect at Sun Microsystems. He first reviewed the hallmarks of information security: CIA, the Guiding Principles, Managing Risk and so forth and indicated that the Cloud doesn’t change any of that – there’s no difference in what drives security or the concepts, it’s the Implementation that is different. So if the overall Security Services are the same, and if the traits are the same – what’s missing? According to Glenn, the thing that Cloud Computing Security demands is: CONTEXT.

He reviewed some of the challenges facing Cloud Security:

Speed – the agility to quickly configure services. Security is usually the last part of the architecture, but how do you secure services and enforce that security when units are getting spun up/down at a rapid pace? It’s an opportunity to re-think. One thing Sun (and others) are starting to do is bake security best practices right into the image before sending it to the cloud. Why make the customer deal with securing the underlying system when the provider can build the needed security right into the image? Pre-integration and assembly allows the customer to still deploy quickly but securely.

Scale – Today Security administrators deal with 10s, 100s, even 1000s of servers, but what happens when potentially tens of thousands of VMs get spun up and they are not the same as they were an hour ago? Security assessment tools like Tripwire, while they work, inject load, and what if those servers are only up for 30 minutes? How can you be sure that what was up and offering content was secure? One idea he offered was to have servers only live for 30 minutes, then drop and replace them. If someone did compromise the unit, they’d only have a few moments to do anything and then it’s wiped. You can keep the logs but just replace the instance. Or, use an Open Source equivalent every other time you load, so crooks can’t get a good feel for the baseline system.

Assessability – anyone with a credit card can now deploy cloud services. Maybe someone feels IT is too slow in deploying a particular service and decides to do it themselves. They now have substantial resources available and not a lot of knowledge of current policies. How can you be sure that the policies are enforced across the board on all deployments?

Transparency – Customers need a comfort level to know how the data is kept safe, how keys are managed, how a problem is constrained in the cloud – essentially understanding the provider’s standards and processes. There are more IT elements, more change events, more data and less control – that’s the fear. The cloud makes these challenges more visible.

Consistency & Integrity – knowing the exact configuration of any machine at any time.

Key Management – this is a huge problem with providers. Doing a backup to the cloud (while keeping the keys close) is OK, but if you intend to use that data then the keys also need to be stored in the cloud. Being able to do a fast recovery can also require keys out there. Additional legal verbiage is what typically covers key management today.

Accountability – Service Level Agreements. SLAs are not so strong on the provider end and customers often need to negotiate this area.

Compliance – auditors.
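The Scale and Consistency & Integrity items above can be combined into one control loop: compare each instance's reported configuration against the digest of the baked image, and replace anything that has drifted or has lived past 30 minutes, archiving its logs first. The sketch below is an added example, not code from the talk or from Sun; the instance names, file contents and action strings are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

MAX_LIFETIME_S = 30 * 60  # the 30-minute instance lifetime suggested in the talk


def manifest_digest(files: dict) -> str:
    """Digest of a path -> content map; order-independent, any file change alters it."""
    h = hashlib.sha256()
    for path in sorted(files):
        h.update(path.encode() + b"\0")
        h.update(hashlib.sha256(files[path]).digest())
    return h.hexdigest()


@dataclass
class Instance:
    name: str
    launched_at: int  # epoch seconds
    files: dict       # config files as reported by telemetry (assumed format)


def plan(instances, golden_digest, now):
    """Return {name: (action, reason)}; logs are archived before any replacement."""
    decisions = {}
    for inst in instances:
        if manifest_digest(inst.files) != golden_digest:
            decisions[inst.name] = ("archive-logs-then-replace", "config drift from baked image")
        elif now - inst.launched_at >= MAX_LIFETIME_S:
            decisions[inst.name] = ("archive-logs-then-replace", "lifetime exceeded")
        else:
            decisions[inst.name] = ("keep", "matches image, within lifetime")
    return decisions


# Constructed sample data: a hardened image and three running instances.
GOLDEN = {"/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
          "/etc/sysctl.d/99-hardening.conf": b"net.ipv4.ip_forward = 0\n"}
NOW = 1_000_000
FLEET = [
    Instance("web-1", NOW - 600, dict(GOLDEN)),    # healthy
    Instance("web-2", NOW - 1800, dict(GOLDEN)),   # exactly 30 minutes old
    Instance("web-3", NOW - 300,                   # sshd_config changed after launch
             {**GOLDEN, "/etc/ssh/sshd_config": b"PermitRootLogin yes\n"}),
]

if __name__ == "__main__":
    for name, (action, reason) in plan(FLEET, manifest_digest(GOLDEN), NOW).items():
        print(f"{name}: {action} ({reason})")
```

A compromised instance can misreport its own files, which is why the lifetime rule still applies when the digest matches.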

There are changing architectural strategies in the cloud. Tight Integration becomes Dynamic Assembly; Inspections become Telemetry of Objects; Repair & Recover turns to Recognize & Restart; and Log Scraping becomes Analytics. You just need to change some of the old habits. Opportunities exist for standardization but in the meantime, get to a manageable set of things that need to be done and build upon the automation. Glenn closed with his Cloud Security Rules:

  • Embrace Security Systematically
  • Design for High Survivability (fight thru)
  • Compartmentalize failure (nodes going down)
  • Minimize Trust Boundaries (how far does the data go)

Good advice.

ps


More Stories By Peter Silva

Peter is an F5 evangelist for security, IoT, mobile and core. His background in theatre brings the slightly theatrical and fairly technical together to cover training, writing, speaking, along with overall product evangelism for F5. He's also produced over 350 videos and recorded over 50 audio whitepapers. After working in Professional Theatre for 10 years, Peter decided to change careers. Starting out with a small VAR selling Netopia routers and the Instant Internet box, he soon became one of the first six Internet Specialists for AT&T managing customers on the original ATT WorldNet network.

Now having his Telco background he moved to Verio to focus on access, IP security along with web hosting. After losing a deal to Exodus Communications (now Savvis) for technical reasons, the customer still wanted Peter as their local SE contact so Exodus made him an offer he couldn’t refuse. As only the third person hired in the Midwest, he helped Exodus grow from an executive suite to two enormous datacenters in the Chicago land area working with such customers as Ticketmaster, Rolling Stone, uBid, Orbitz, Best Buy and others.

Writer, speaker and Video Host, he's also been in such plays as The Glass Menagerie, All’s Well That Ends Well, Cinderella and others.
