Cloud Builder Forum

11 Posts authored by: Billy Cox
Billy Cox

The new "Outsourced CIO"

Posted by Billy Cox Oct 5, 2011

This post originally appeared as an Industry Perspective on Cloud Computing on Data Center Knowledge.

 

 

I had a chance this week to speak with the CEOs of a number of small companies. One of the things that really jumped out at me is how hard it is for these small companies to get a “CIO”. Of course, they could hire the person, but most are not large enough to justify a full-time CIO. What really struck me, though, is that, thanks to cloud, the role of this “outsourced CIO” for these companies has a different meaning than it had even a few years back.

 

1. The “outsourced CIO”, being the face of an IT organization, is tasked with creating value through IT. We (Intel) built a CIO white paper that makes this point: IT is a part of the value creation machine (not a cost center). For the small or medium business, this means that whoever is acting as the CIO for the small company has to really help drive their partner's business, not just run their IT. For the myriad resellers and SIs that act as ‘outsourced’ IT for small and medium businesses, this is a fundamentally different view of their role – assuming they aspire to be their partners' “outsourced CIO”.

 

I would argue that cloud has not only made this kind of role practical but has made the need for this role essential. It is practical since the “outsourced CIO” is far more likely to understand the options and nuances of selecting services for the business than the business itself would be. It is essential since the small or medium business cannot afford to spend time or money learning IT (after all, they do have a business to run).

 

2. Outsourcing has been around for a long time. But until salesforce.com made the SaaS model practical and popular for all businesses, outsourcing a specialized function was a rare business model. Now, with cloud, we have a multitude of specialized functions to select from, all delivered as SaaS, meaning that no hardware is purchased and in some cases no contract is even required.

 

For the “outsourced CIO”, this means a LOT more partners and a lot more interpretation of the business requirements in that ocean of options.

 

For example, it means that the security requirements of the small or medium business need to be very well understood. In a traditional enterprise model where everything was hosted ‘behind the corporate firewall’, the perimeter did most of the work and growth was simple (“just buy more servers”). In the cloud or SaaS model, we have to actually evaluate the security controls of an offering against those requirements and make a judgment as to its suitability. Alas, the days of “just buy more servers” are long gone.

 

If you are the CEO of a small or medium business: Who is your CIO?

If you find yourself in the role of “outsourced CIO”: Are you acting like a CIO, or just the manager of IT?

When it comes to protecting the security of your assets in a cloud environment, the core questions are: What do I need to know and what do I need to do?

                                                                                        

These are questions I, together with Brian Foster from McAfee, will address in an upcoming session—“Do I need a private cloud?”—at the McAfee FOCUS Security Conference, taking place Oct. 18-20 in Las Vegas. While we can’t explore these questions in depth in this post, we can at least get started down the path.

 

Before we start though, we need to have a clear picture of the “asset” we are securing. If your company produces highly specialized, high value products, then the asset has high value and demands greater protection. If your company produces open source software, a lesser degree of protection might suffice for the source itself (it is public anyway), though the build pipeline and the signing keys that vouch for its integrity still need protecting. With this in mind, consider the following:

 

1. Understand the services you are consuming and the associated risks.

Many organizations don’t have a clear view of the cloud services they are consuming and the risks those services pose to the organization. Let’s take a simple example: Are you using Gmail or hosted Microsoft Exchange for your company’s email? Both can be run securely, but they differ in the administrative controls, retention and discovery features, and contractual terms they offer, and hosted Exchange has generally been considered the more appropriate fit for corporate environments. Whichever you pick, know what the provider commits to and what remains your responsibility.

 

Once you have a clear picture of the asset, you will then need to make certain that the security of the services is appropriate.

 

2. Provide the proper security training for all employees.

Your own people are one of the keys to overall security, and one of the risks. If, for example, a single employee opens a malicious email attachment, you could end up with a significant security breach.

 

This reality points to the need for ongoing security training and awareness efforts. When it comes to the security of your systems, applications, and data, all employees are on the front lines.

 

3. Build a secure infrastructure.

Cloud security is a layered problem: it requires controls at both the client and the data center level. Some of these layers overlap, such as network firewalls and intrusion prevention systems that help protect both client and server systems.

 

At the client level, you want to take all the usual steps, such as requiring all client systems to run anti-malware software that automatically updates itself on a regular basis and is optimized for the client to minimize system performance impact.

 

At the data center level, you need to put trusted compute pools in place to create a security foundation. This hardware-level security is enabled by technologies such as Intel® Trusted Execution Technology (Intel® TXT), which protects the launch environment against software-based attacks: at boot it measures the platform's launch components (firmware, launch policy, hypervisor) into the TPM and compares those measurements against “known good” values, so a modified hypervisor or a boot-level rootkit is detected before workloads are placed on that host.

 

Complement this launch-time security with a well coordinated approach to security across your network, servers, data, and storage that helps you identify and stop attacks in real time. By connecting policies and controls across physical, virtual, and cloud infrastructures, your data center team can enable secure, elastic, on-demand services without compromising on compliance or jeopardizing availability.

 

While they may seem obvious, these simple steps are extremely important. If you haven’t fully covered them, you’ve got holes in your cloud security strategy.

 

We’ll talk more on this at the data center track session on Oct. 20 at 2:30 p.m. at the FOCUS event. In the meantime, push forward with your security efforts.

1. OSPC for OpenStack

 

We demonstrated OpenStack with Intel® TXT and Node Manager integration, along with a user interface and portal developed by Intel IT. We ultimately intend to offer the user interface and portal to the OpenStack Dashboard project.

 

The momentum behind OpenStack is growing with more and more contributors and end customer interest. The commercial cloud operating environments continue to increase in capability as VMware demonstrated 2 weeks ago at VMworld (very impressive). The open source communities continue to grow their capabilities as well, not just in Xen and KVM, but also in cloud operating environments such as OpenStack. We look forward to working with the community to significantly extend and mature the OpenStack capabilities.

 

In the context of the larger Intel Developer Forum, Matt Weinberger from Talking Cloud captured it quite well in his blog on IDF and Cloud Computing on Thursday by noting that much of the focus at IDF was on consumer innovations (some of which are really cool) with little attention being paid to the cloud. In my meetings with customers and partners, it is clear, however, that our efforts in advancing the state of the art in cloud are not going unnoticed, regardless of the broader marketing message.

 

This is my second OpenStack related activity in a bit over a week. Last week I was in China helping kickoff the China OpenStack User Group where over 350 people attended the conference. It is really exciting to see so much energy being applied from such a diverse audience.

 

2. Memcached performance optimizations

 

In Justin’s keynote (where I had the pleasure of a short walk-on part <grin>), we demonstrated an optimized version of memcached delivering ~800k reads/sec, compared to the previously published rate of ~560k reads/sec. Latency also decreased from ~1 ms to ~450 µs. While the transaction rate increased significantly, the power per transaction also improved.

 

One of the tricks in this optimization was to stay “real world”. It is easy to get really big numbers if you create a lot of independent instances of memcached on a single server. For real-world applications this is not an optimal solution, as it means the application would need to be modified to direct requests to many memcached services rather than just one. Our optimization maintains a clear focus on performance, but for real-world applications.

 

From where I sit, this is further evidence that the cloud will drive innovation not just in new areas such as Hadoop and memcached, but also in optimizations that will improve our everyday experience using the cloud.

 

3. Solution Provider Innovation

 

I had a number of meetings with Solution Providers this week. There is clearly a transition happening from ‘hw focused’ to a broader base of consulting including things like connecting their customers to service providers. Any transition is challenging especially when it touches the basic business model. In this case, we are also seeing examples of innovation where these solution providers are being proactive in helping their customers effectively and materially use the cloud.

 

For example, I was pleased and somewhat surprised to hear that some of the solution providers are proactively refactoring some of their applications so that they can be more cleanly deployed in a cloud (private and public). They are eager to take advantage of the benefits this compute/storage model offers.

 

However, it is also clear that the impact of the move to more of a ‘devops’ model is still very early and not well understood.

 

4. Keynote == beret

 

We all learned from Justin that if you want to do a keynote at IDF, you need a beret. I reckon my cowboy hat will just have to do.

 

5. Solar-powered CPUs

 

The era of solar-powered computing may be upon us. With Near Threshold Voltage designs, the power level can be brought so low that a solar cell is all you need. OK, maybe it was only a technology demonstration, but it works for me!

By now you’ve heard from a LOT of us on building a cloud. You have probably heard us talk about performance, efficiency, and trust. But have you ever seen it done? If not, you should take a look at this new video: Intel® Cloud Builders Reference Architecture VMware vCloud™ Director Demo.

 

In this how-to video, our Cloud Builders team built a mini data center and then deployed an actual cloud environment within it.

 

While the host of the demo is an animated character, the configuration example is entirely real. Using actual screen captures and configuration samples, this video walks you through the process of creating a cloud based on VMware vSphere™, VMware vCloud Director™, VMware vShield™ Manager, and Intel® Xeon® processor-based hardware.

 

Featured hardware components include:

  • 4 Urbanna 2U 3.5" HDD Xeon DP servers, CPU: Xeon DP Nehalem-EP X5570 FC-LGA8 2.93 GHz
  • 1 Timber Creek 2U Xeon DP storage server, CPU: Xeon DP Westmere-EP X5680 FC-LGA8 3.33 GHz

 

Along the way, we captured lots of technical tips and tricks that you’ll find useful if you put our reference architecture into action—as we did in the video. Even if you’re just thinking about deploying a cloud, this video will provide valuable insights into the configuration process.

 

So, what’s your excuse now?

Billy Cox

Usage Models and Technology

Posted by Billy Cox Jun 17, 2011

As engineers we are fascinated by technology and can ramble and gesticulate for hours on end. But, unless we are buying the drinks, our poor IT customer just gets lost. In reality, the IT customer is having to map the technology discussion onto the problems they are facing as a business - something that is really hard.

 

That's why, when the Open Data Center Alliance (ODCA) announced their Usage Model Roadmap, we (technologists) should take notice. As I wrote in an article in Data Center Knowledge, when a bunch of users get together and tell us what they want, and in a form that we can digest, that is big news.

 

The ODCA usage models are an interesting list and touch on things I hear everyday from customers. Things like VM Interoperability allowing for true interoperability across hypervisors. Or, Carbon Footprint looking at the power required for a workload and mapping it back to the specific source of power. Or, IO Control requiring specific policy based bandwidth controls on a per VM basis.

 

Seems like the shoe might be on the other foot now: us technologists now have to map these user pain points back to the technology. Maybe that's what we get paid to do anyway?

If you’ve taken any psychology, you’ve probably come across Maslow’s hierarchy of needs. This landmark model, often illustrated with a pyramid, explores human needs, from the most basic physiological level to the ultimate state of self-actualization.

 

While I won’t promise you anything quite so lofty, I will suggest that Maslow’s hierarchical approach to understanding human needs creates a workable model for understanding the power management needs in your data center. So let’s walk through this power hierarchy of needs.

 

Efficient equipment—As a first step, use efficient servers, storage systems, and networking devices. For example, better motherboard designs can increase thermal efficiency and allow fans to run at lower speeds. And integrated power gates within a CPU can allow individual idling cores to drop to near-zero power consumption.

 

Efficient facility designs—Design and modify your data center facilities to conserve energy and make optimum use of your cooling and air handling systems. One basic step is to use hot and cold server aisles so you don’t mix hot exhaust air from servers with cool air from the chiller.

 

Consolidated systems—Use virtualization or other techniques to consolidate your environment to a smaller number of better-utilized systems. And then turn off the power to all those unused systems.

 

Power capping—Place power caps on underutilized systems. With the right tools and systems, you can throttle system and rack power usage based on expected workloads. This capability, in turn, can allow you to place more servers in your racks, to make better use of both power and space.

 

Workload optimization—Use intelligent workload placement to improve thermal dynamics and optimize energy usage. The idea is to dynamically move workloads to the optimal servers based on power policies.

 

If you take all of these steps, I can’t say that you’ll reach a self-actualized state, as in Maslow’s hierarchy. But I can promise that you’ll be operating a more efficient data center and making better use of your power dollars.

In enterprise environments, people are getting serious about cloud computing. An IDC survey found that 44 percent of respondents were considering private clouds. So what’s holding people back? In a word: security. To move to a cloud (private or public) environment, you must be sure you can protect the security of applications and the privacy of information.

 

These requirements are particularly rigid if you are subject to PCI DSS for credit card transactions or HIPAA (Health Insurance Portability and Accountability Act) regulations for medical records. Compliance depends on your ability to maintain the confidentiality of the information, generally through isolation of storage systems, networks, and virtual machines.

 

To achieve this level of security, an “air gap” is often used to ensure sensitive systems are isolated. This approach works but severely limits your flexibility and ability to adapt to changing conditions. So perhaps we should consider instead a “virtual air gap.” Let’s look at how you might maintain this virtual separation of systems.

 

Storage isolation: One way to implement storage isolation is to encrypt data when it is in motion and at rest in the cloud environment, with the keys held by the tenant or by a key manager outside the storage administrators' reach. Another practice is striping data across systems: blocks of data are broken into multiple pieces that are spread over different disk drives in different administrative zones. This helps protect you from rogue admins, each of whom could access only a fraction of a file rather than the whole. Striping is a complement to encryption, not a substitute: an admin with access to every zone, or to the file system that reassembles the stripes, still sees everything.

 

Network isolation: Sensitive applications should be placed on a controlled VLAN. You then put mechanisms in place to monitor the configuration of routers and switches to verify that no unauthorized changes have taken place: a baseline of the known-good configuration, a regular comparison of the running configuration against it, and specific checks that no port or trunk has been added to the sensitive VLAN and no authorized port has been moved off it.
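The monitoring step, as an added example that is not code from the original post: a baseline digest tells you that the switch configuration changed at all, and a semantic check over the parsed interfaces tells you whether the change breaks the VLAN boundary (an authorized port moved off the sensitive VLAN, an unauthorized port placed on it, or the VLAN allowed onto a trunk). The configuration text is constructed here in a Cisco-IOS-like syntax; the policy inputs and the function names are this example's own, and a real deployment would pull the running config over SSH or NETCONF and keep the baseline somewhere the switch admins cannot edit.

```python
"""Check a switch config that enforces a VLAN boundary for drift and for
changes that break the isolation. Added example, not from the original
post; config text is constructed in a Cisco-IOS-like syntax, and the
policy inputs and function names are this example's own."""
import hashlib
import re
from typing import Dict, List, Optional, Set

# Constructed known-good running config, stored out of band (not on the
# switch) when the sensitive VLAN 200 was provisioned.
BASELINE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 200
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 200
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
"""

# Constructed "current" config with two unauthorized edits: port 1/0/2 was
# moved to VLAN 10 and VLAN 200 was added to the uplink trunk.
CURRENT_CONFIG = BASELINE_CONFIG.replace(
    "GigabitEthernet1/0/2\n switchport mode access\n switchport access vlan 200",
    "GigabitEthernet1/0/2\n switchport mode access\n switchport access vlan 10",
).replace("allowed vlan 10,20", "allowed vlan 10,20,200")

IFACE_RE = re.compile(r"^interface (\S+)")


def config_digest(config: str) -> str:
    # SHA-256 over the config minus comment ('!') and blank lines, so the
    # digest is stable across cosmetic differences between pulls.
    lines = [ln.rstrip() for ln in config.splitlines()]
    canonical = "\n".join(ln for ln in lines if ln and not ln.startswith("!"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def parse_interfaces(config: str) -> Dict[str, Dict[str, str]]:
    """Map interface name -> switchport settings; '!' ends a block."""
    interfaces: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        match = IFACE_RE.match(line)
        if match:
            current = interfaces.setdefault(match.group(1), {})
            continue
        if current is None or not line.startswith(" "):
            continue
        words = line.split()
        if words[:2] == ["switchport", "mode"]:
            current["mode"] = words[2]
        elif words[:3] == ["switchport", "access", "vlan"]:
            current["access_vlan"] = words[3]
        elif words[:4] == ["switchport", "trunk", "allowed", "vlan"]:
            current["trunk_allowed"] = words[4]
    return interfaces


def trunk_carries(vlan: int, allowed: Optional[str]) -> bool:
    # IOS default: a trunk with no allowed-list (or "all") carries every VLAN.
    if allowed is None or allowed == "all":
        return True
    for part in allowed.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= vlan <= int(hi or lo):
            return True
    return False


def check_isolation(config: str, vlan: int, authorized: Set[str]) -> List[str]:
    """Findings that break the VLAN boundary; an empty list means it holds."""
    findings: List[str] = []
    ifaces = parse_interfaces(config)
    for name, props in ifaces.items():
        if props.get("mode") == "trunk":
            if trunk_carries(vlan, props.get("trunk_allowed")):
                findings.append(f"{name}: trunk carries VLAN {vlan}")
            continue
        on_vlan = props.get("access_vlan") == str(vlan)
        if on_vlan and name not in authorized:
            findings.append(f"{name}: unauthorized port placed in VLAN {vlan}")
        elif not on_vlan and name in authorized:
            findings.append(f"{name}: authorized port moved to VLAN {props.get('access_vlan')}")
    for name in sorted(authorized - set(ifaces)):
        findings.append(f"{name}: authorized port missing from config")
    return findings


def audit(baseline: str, current: str, vlan: int, authorized: Set[str]) -> dict:
    # "drift" says something changed; "findings" says whether it matters.
    return {"drift": config_digest(baseline) != config_digest(current),
            "findings": check_isolation(current, vlan, authorized)}
```

Calling audit(BASELINE_CONFIG, CURRENT_CONFIG, 200, {"GigabitEthernet1/0/1", "GigabitEthernet1/0/2"}) reports drift plus two findings for the constructed current config. The two checks are deliberately separate: a digest change on its own is noise whenever admins make legitimate edits, and the semantic check on its own misses changes outside the interface blocks it parses, so alert on the semantic findings and review the raw diff for the rest.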

 

Virtual machine isolation: The hypervisor implements the “air gap” between virtual machines, but the quality of the gap is only as good as the hypervisor version (and patch level) and its configuration. How can cloud providers prove that they are running the expected versions on the expected hardware? A hardware-based root of trust that provides evidence of the hardware and software is a powerful tool for this challenge: it offers a hardware-level mechanism to attest to the configuration of the hypervisors and to enable the isolation and safe migration of virtual machines (to other trusted platforms).
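The attestation flow behind a trusted pool, as an added example that is not code from the original post, from Intel TXT or from OpenStack: the host's TPM extends each launch component into a PCR, the attestation service challenges the host with a fresh nonce, checks the quote's signature and compares the PCR values against known-good digests, and only hosts that pass are admitted to the pool that a VM with a “trusted” policy may be migrated to. It also serves the trusted compute pools paragraph in the FOCUS post above. The HMAC stands in for the signature a real TPM makes with its attestation identity key (AIK); the host names, measurement values and PCR numbers (17 and 18 for the dynamic launch) are constructed assumptions, and a production verifier would validate the real quote signature against a vendor-published whitelist.

```python
"""Remote attestation of launch measurements and a trusted pool built from
the result. Added example, not from the original post or Intel/OpenStack
code: PCR extend and quote are modelled with hashlib/hmac, the HMAC stands
in for the TPM's AIK signature, and all names and values are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    # TPM semantics: PCR_new = H(PCR_old || measurement). The value depends
    # on the order of measurements, so the whole launch sequence is bound.
    return sha256(pcr + measurement)


def pcr_from_log(measurements: List[bytes]) -> bytes:
    pcr = bytes(32)  # PCRs are all-zero after reset
    for m in measurements:
        pcr = extend(pcr, m)
    return pcr


def composite(pcrs: Dict[int, bytes], nonce: bytes) -> bytes:
    return b"".join(pcrs[i] for i in sorted(pcrs)) + nonce


# Known-good digests of the launch components (constructed values).
GOOD_SINIT = sha256(b"sinit-acm-2.1")
GOOD_POLICY = sha256(b"launch-control-policy-v3")
GOOD_HYPERVISOR = sha256(b"hypervisor-kernel-5.0-patched")
WHITELIST = {17: pcr_from_log([GOOD_SINIT, GOOD_POLICY]),
             18: pcr_from_log([GOOD_HYPERVISOR])}


@dataclass
class Host:
    name: str
    aik: bytes                          # enrolment secret standing in for the AIK
    launch_log: Dict[int, List[bytes]]  # what the platform actually measured

    def quote(self, nonce: bytes) -> dict:
        """What the TPM returns: PCR values plus a signature binding them to the nonce."""
        pcrs = {i: pcr_from_log(log) for i, log in self.launch_log.items()}
        return {"host": self.name, "pcrs": pcrs, "nonce": nonce,
                "sig": hmac.new(self.aik, composite(pcrs, nonce), "sha256").digest()}


class AttestationService:
    def __init__(self, whitelist: Dict[int, bytes], aiks: Dict[str, bytes]):
        self.whitelist, self.aiks = whitelist, aiks  # AIKs recorded at enrolment
        self.outstanding: Dict[str, bytes] = {}
        self.trusted_pool: set = set()

    def challenge(self, host: str) -> bytes:
        self.outstanding[host] = os.urandom(16)
        return self.outstanding[host]

    def verify(self, quote: dict) -> List[str]:
        """Return failures; an empty list admits the host to the trusted pool."""
        host = quote["host"]
        nonce = self.outstanding.pop(host, None)  # each nonce is usable once
        if nonce is None or not hmac.compare_digest(nonce, quote["nonce"]):
            return ["nonce not fresh: replayed or unsolicited quote"]
        aik = self.aiks.get(host)
        if aik is None:
            return ["host not enrolled"]
        expected = hmac.new(aik, composite(quote["pcrs"], quote["nonce"]), "sha256").digest()
        if not hmac.compare_digest(expected, quote["sig"]):
            return ["signature does not verify under the enrolled AIK"]
        failures = [f"PCR {i} does not match known-good value"
                    for i, good in self.whitelist.items()
                    if not hmac.compare_digest(quote["pcrs"].get(i, b""), good)]
        if failures:
            self.trusted_pool.discard(host)
        else:
            self.trusted_pool.add(host)
        return failures

    def can_migrate(self, vm_requires_trusted: bool, destination: str) -> bool:
        return (not vm_requires_trusted) or destination in self.trusted_pool


def demo():
    """Two hosts, one with a tampered hypervisor, plus a replayed quote."""
    aik_a, aik_b = os.urandom(32), os.urandom(32)
    host_a = Host("host-a", aik_a, {17: [GOOD_SINIT, GOOD_POLICY], 18: [GOOD_HYPERVISOR]})
    host_b = Host("host-b", aik_b, {17: [GOOD_SINIT, GOOD_POLICY],
                                   18: [sha256(b"hypervisor-with-rootkit")]})
    svc = AttestationService(WHITELIST, {"host-a": aik_a, "host-b": aik_b})
    results = {h.name: svc.verify(h.quote(svc.challenge(h.name))) for h in (host_a, host_b)}
    old = host_a.quote(svc.challenge("host-a"))
    svc.verify(old)                             # fresh quote: accepted
    results["host-a-replay"] = svc.verify(old)  # same quote again: rejected
    return results, svc
```

The replay case is the one most often missed: the tampered host is caught by the PCR comparison, but a stale quote captured from a good host would pass that comparison too, which is why the nonce check comes first and pool membership only changes on a fresh, correctly signed quote. Migration policy then reduces to a set lookup: a VM whose policy demands a trusted platform may only land on a host currently in the pool.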

 

Audits: Having a sound security practice is good, but in reality we have to implement an audit to sample the point-in-time processes and technology. Standards such as ISO 27002 for information security and SAS 70 (since superseded by SSAE 16) for maintenance of internal controls can help. Also, the Cloud Security Alliance has a solid collection of best practices for security in the cloud.

 

At a high level, these are just some of the steps you can take to implement and maintain a “virtual air gap.”

These days, everybody is talking about cloud computing and its potential to drive gains in IT efficiency and flexibility. So why aren’t more organizations actually moving applications to cloud environments? In a word: uncertainty.

 

Most of all, people are concerned about application and data security in the cloud. But there are many other overarching questions that also need to be addressed before moving to a cloud. Let’s look at six of these intertwined questions.

 

1. What applications are right for the cloud? While this doesn’t sound like a security question, it really is. In selecting applications, begin by considering the sensitivity of the application and how close it is to your company’s core competency. For example, you might outsource expense reports to a third-party service provider, while keeping your core data and applications in your private cloud, where you have greater control over them.

 

2. Are the right policies in place? You must be comfortable with the service provider’s policies on security, availability, disaster recovery, and performance. Whether you’re working with an internal or external provider, these policies should be spelled out clearly in service-level agreements (SLAs).

 

3. How will my data be protected? Before moving sensitive data to an external cloud, you need to be sure that your cloud provider has rock-solid, verifiable security in place. In addition, you will want to encrypt the data you place in the cloud, with keys that you control. And even then, you might want to keep your most highly sensitive data within the walls of your own data center, where you can assume full responsibility for its protection.

 

4. What happens when an application goes down? Applications in high demand should be placed in compute pools with automated recovery policies to enable best availability. With this approach, a down server shouldn’t mean a down application. Instead, the compute pool just shifts the workload to another platform.

 

5. What does my application connect to, and how will it connect? When an application is moved to a cloud environment, there’s a good chance it will need to connect back to your corporate environment. You need to understand how that will work. And you need assurances that your network traffic won’t be visible to others who share the same cloud, and vice versa.

 

6. What are my storage requirements? When you place your data in a service provider’s storage systems, you need to be sure the provider can meet your data security, availability, performance, and backup requirements.

 

There are, of course, other questions that need to be asked as well. But this is at least a starting point for your cloud preparations.

Heading to the Cloud Hotel? Consider your security issues.

 

Here is an analogy for looking at security in the cloud: a multi-tenant hotel. I’m sure the analogy will break down at some point, but it seems to work at this point.

 

When you’re moving applications into a cloud environment, it’s a bit like renting a hotel room from a distance, sight unseen. You want to be sure you select a safe building, in a safe neighborhood, and with building management you can trust. To that end, you have certain security expectations for the hotel owner and onsite management.

 

Let’s look at these expectations.

 

Building security [Security policies]. Like the hotel owner, the cloud provider is responsible for basic security, such as protection of the perimeter of the site and controlling access to the building. The hotel owner can be held liable if he fails to meet these obligations. We are only just beginning to see contractual terms from cloud providers along these lines. As the cloud tenant, you are responsible for the applications and data kept in your rented room. You set the policies dictating who can go into the room and under what circumstances, and what they can do while they are in the room.

 

Hotel design and maintenance [Trusted configurations]. The hotel is responsible for designing a secure facility and maintaining it in such a way as to maintain that level of security (or better). The cloud provider is responsible for maintaining IT configurations in accordance with trusted, verifiable policies that are defined in advance.

 

Safe hotel environment [Hardware root of trust]. The hotel owner must ensure that the hotel is operated in a safe and secure manner. Renting a room in a hotel, I really want to be certain that I am getting the room I expect in the location I expect. Likewise, the cloud owner must provide proof that he is maintaining a safe, secure IT environment. This responsibility includes hardware-level protections that attest to the configuration of the hypervisors and enable the isolation and safe migration of virtual machines.

 

Hotel key cards [Data encryption]. When you rent a hotel room, you take responsibility for the valuables left in your room. The same holds true with the cloud. As the cloud renter, you are responsible for maintaining the security of your data while it is at rest in your room or moving to or from the room. These days, the only data I leave in my hotel room is encrypted.

 

Hotel access logs [Auditing]. To make the bean counters happy, hotel owners get audited to ensure they are meeting required safety and security guidelines. Similarly, users of cloud servers need to be able to audit their configurations to confirm that they are built according to the guidelines. The cloud owner gets audited for compliance with various requirements, such as ISO 27002 for information security and SAS 70 for maintenance of internal controls. As the cloud tenant, you get audited for compliance with the standards of your industry, such as PCI DSS for credit card transactions and HIPAA (Health Insurance Portability and Accountability Act) for medical records.

 

Those are all just some of the security concerns based on this analogy. There are, of course, many other things to consider when you rent a room at the Cloud Hotel, such as power, cooling, and access to high-speed networking, to name just a few areas of concern.

Hopefully you saw the Intel and ODCA announcements today. The formation of an end-user organization to drive requirements into the industry through usage models is a long overdue development.

 

Also, I hope you’ve seen the Intel Cloud Builders reference architectures that we published on Wednesday, October 27. It is an impressive set of reference architectures that go well beyond the IaaS usage model and into additional usage models, including trusted pools and policy-based power management.

 

The development of these usage models into reference architectures really highlighted both the challenges as well as the dynamic nature of this segment of the industry.

 

There were a ton of decisions we made in the process of designing and building these reference architectures. Everything from the form of isolation for multi-tenancy, to the type of storage architecture to use, to the use of trusted pools had to be specified and understood in the context of our overall objectives. Even though we had access to experts from across the industry, the process was definitely non-trivial. The challenge for an IT team is clear: gathering and learning from this huge variety is hard enough even when explained in the context of a usage model.

 

It really highlighted to me the value of using usage models as the starting point for these reference architectures. In that context, the ODCA is in a unique situation to challenge the industry to address their critical IT challenges. Having a set of sophisticated IT users express their challenges is a powerful statement.

 

In posts over the next few weeks, I will dig deeper into the reference architectures based on the set of initial usage models and starting with trusted pools.

In my last employment life, we documented reference architectures for the part of the IT infrastructure that we impacted (server systems management). But even then, we could only provide an example knowing that there would be a HUGE variation in how the customer would ultimately implement the solution.

 

Now that we have a number of reference architectures published through Intel® Cloud Builder (with more coming soon), it made me wonder why it is that, all of a sudden, we could start making useful reference architectures.

 

From my view, part of the reason is that modern IT is in transition and so we (the “industry”) see the need to explain what we see as the architecture for new IT.

 

But, I suspect, there is a deeper reason: In cloud architectures, the data center and management systems are radically streamlined and simplified. The result is that we (the “industry”) can realistically develop a reference architecture that an IT shop can actually use. What a novel concept.

 

There may actually be yet another more subtle reason: many IT challenges are not well solved and in need of “industry” work. For example, building a cloud that can be used to support hard, real world requirements, such as privacy in healthcare (HIPAA) or isolation in financial, still requires both technical as well as practical advances.

 

Therefore, the ability to do reference architectures for cloud architectures may end up not only helping IT adopt cloud architectures but may also help drive changes to the core technology so that it better suits customer needs.
