Imagine this scenario.  You’re an IT manager and you want one of your sys admins to set up a new server in your data center.  To accomplish this you do three things:

1. Give the sys admin the root password to every other system in the data center.
2. Rent a wrecking ball, put it in front of the data center and give them the keys.
3. Give them an Open Purchase Order with the ability to buy unlimited amounts of equipment!

Now, no IT Manager would ever do this  with their current data centers, but it’s pretty much what every IT manager has to do with most of today’s cloud environment.  That’s because the vast majority of clouds today are built to be used by one person with one password.  If you want multiple people to access the account, they each have to use the same user-name and password!

That’s like having every single person in your IT department using the same password for every system.  I’m not a security paranoid, but even I shudder at the thought.  Every single system with the same user name and password?  You have no way of tracking who’s made what changes to the systems or who is even allowed to make changes to the systems.  Someone could install a virus across your environment and there would be no checking on who did it because everyone uses the same user name and password!

But with cloud it’s even worse than that.  Not only could they infect all of your systems, they could wipe them out with a few clicks of the mouse (hence the Virtual Wrecking Ball.)  You could log in to find hundreds of systems and years of work completely destroyed in about 3 minutes by one windows admin with a grudge.   But of course you wouldn’t know who did it because everyone uses the same user name and password!

Finally, even assuming your staff has the best intentions (and most of them do), you are also giving them unlimited access to add as many systems and as much storage as they like.  That’s liking me giving my 7th grade daughter unlimited text without a plan (like this Dad did.) You’re going to get a 500 page bill at the end of the month.  10 cents an hour sounds cheap, but it adds up fast.  That’s doubly true  when it’s not your credit card where you have to make the payments.  And of course unlike the mega-texting teen, you wouldn’t know who spent all the money  because everyone uses the same user name and password!

By the way, if that’s not risky enough for you, one major cloud provider doesn’t differentiate between web services user names and passwords and e-commerce user names and passwords.  On their cloud, the sys admin could even buy themselves a LED flat screen and an Xbox with your cloud password and you’d have no idea who bought it  because everyone uses the same user name and password!

Now there are third party applications out there that allow you to add multiple user names and passwords to your underlying cloud, but the security holes still exist.  Let’s be blunt; should people have to pay extra for basics like separate user names and passwords for each user?  Shouldn’t that be table stakes by now?

Let’s hope it happens soon, so we can start tackling the real enterprise issues around SSO, policy based management, and federated authority (I love jargon.)  Plus we can stop worrying about where we left the keys to the wrecking ball.

Posted: September 23rd, 2009 under Cloud, Web Services.
Comments: none

Often the two biggest concerns about using Cloud resources today is the lack of latency SLA’s and the difficulty of locking down sensitive data in cloud environments.  These issues of performance and security are often cited as the most common reasons users either don’t adopt the cloud, or if they do use cloud resources, the reason they only use them for test/dev environments.

Interesting enough, the base reason for the inability of cloud providers to SLA latency between different systems in the cloud and the difficulty in locking down data in the cloud  is the same.  It is what I call the flat network problem.  The flat network problem is the underlying structural defect of the first generation of cloud systems.  Essentially in order to make the cloud as flexible as possible, all of the systems within a cloud sit on the same network.

This is fine if you want to add lots of front end systems doing the same thing.  But in a traditional two tier architecture, putting your databases on the same network as your front end web traffic creates all sorts of headaches.  First of all, while you can secure the servers it’s generally best not to directly connect sensitive database servers to the internet.

Secondly, since all traffic between your web/application servers and your database servers must be routed over the front end network it is difficult if not impossible to guaranty latency between those systems.  Even if they sit in the same data center, the latency can often be microseconds instead of milliseconds.  That just won’t work for most traditional two tier architectures.

Now their have been many ingenious work arounds to the increased latency between cloud based systems.  That said, what would make the cloud much more accessible for enterprise is a way to create what I call Virtual Private Clouds within the public cloud.  Essentially it gives cloud users network level as well as systems level control on how their infrastructure is managed.  Cloud infrastructures would look much more like this:

By creating true layer two connections between systems within the public cloud we solve three issues.

1. Security - Any database servers can be disconnected from the public net.  This makes securing and locking down data much easier to do.
2. Performance - By creating a VLAN within the Virtual Private Cloud, users can ensure layer two access between systems that sit on that VLAN.  That alloows for millisecond access times between systems and performance that mimics traditional hosted architectures.
3. Network Based Management - This is the last benefit.  Right now to achieve functions like VPN’s, Clustering, and custom Access Control Firewalls, cloud users have to provision open source “servers” to do the trick.  Virtual Private Clouds allow these functions to be migrated back in to the networking gear where the performance is much higher and the management is much simpler.

While we are seeing some of the elements of virtual private clouds in the cloud offering out there (GoGrid does allow you to configure network based clustering) most of the solutions are not truly cloud based, flexible, API driven offerings.  Instead they are virtual farms you order where the networks can be configured.  For the cloud to truly take off with corporate users, we’ll need to see true cloud offerings with this type of network configurations.

Posted: June 22nd, 2009 under Cloud, Web Services.
Comments: none

Much has been made lately of the fact that the cloud is not enterprise-ready.  Security, performance, SLAs, support, standards and management tools are all cited as reasons the cloud isn’t ready for enterprise adoption.

Many vendors are proposing Private Clouds as a solution. Private Clouds are clouds that run inside enterprise data centers, by enterprise IT, for the use of the members of the enterprise. Basically it’s a way to virtualize a large swath of the IT data center. As is often the case with technology vendors, they think that the infrastructure technology, virtualization, is the end solution the user wants rather than the vehicle with which their needs are filled. While large scale adoption of Private Virtual farms will aid in the management of the data center, it will not address the value that users are getting from true Cloud computing.

To understand the true value of Cloud computing, you first need to understand how the ‘Cloud Generation’ uses technology and why the Cloud is so attractive to that generation as an infrastructure solution. The Cloud Generation has grown up on the web.  As a result they have come to expect three core elements to their technology experience:

1. Immediate Availability - They do a search and get going right away.
2. Ubiquitous Access - They can get to their data and apps anytime, anyplace.
3. Sharing and Collaboration - They expect to be able to collaborate and share anything they are working on.

The current Cloud addresses those needs by providing infrastructure in a way that is far different than any past solutions.

Immediate Availability = Complete Flexibility

Cloud solutions allow users to provision resources immediately. By the time you are done reading this, you could have a server running in Amazon or an application published in Google. It’s that immediate. Moreover, it’s completely flexible. You can turn off services as quickly as you turn them on. Finally you only pay for what you use down to the hour or gigabyte. This resonates with a group that’s not use to spending up front for anything on the web.

Ubiquitous Access = APIs

A true Cloud solution not only offers infrastructure anytime, anywhere, it also provides access either through a web interface or through an API. To the Cloud Generation of programmers this means anything they can interact with on the Cloud they can program to through APIs. The idea of infrastructure being an item that can be addressed as part of the application, instead of something the application lays on top of, is a radical concept.  It has allowed not only for innovative applications, but also for true elastic computing making the Cloud environment even more flexible. Finally, it’s an essential element of the communities that have become critical to the advancement of Cloud computing.

Sharing and Collaboration = Communities

Great Cloud offerings have great Communities around them. This is the aspect of Cloud computing that is so often missed – and even scoffed at – by the IT folks who think it’s all about virtualization. One of the biggest gripes about Cloud computing is that support is done by the Community and not the vendor. While most will agree that far more proactive vendor support is necessary for Cloud computing, Community support is just as critical. For questions of configuration and usage tricks, the Community is a far better source of information than some call center employee with limited access. Often the Community devises more innovative solutions than the vendor ever could.

But in addition to support, the Community can create third-party add-ins that make the Cloud even more useful. As easy as it is to set up a server on Amazon’s EC2, the vast majority of pre-configured Amazon Machine Images created by the community make it that much easier, shaving hours of configuration time. In conjunction with the aforementioned APIs, it also allows for a healthy development of third party add-ons that both add functionality to the Cloud vendor’s solution and even act as a channel to market for the vendor.

So let’s take a look at Private Clouds. They don’t provide complete flexibility. You still need to buy a bunch of servers and virtualization software and data center space first and, once you’ve bought it all, you’re paying for it whether you use it or not. Private Clouds also don’t provide Ubiquitous Access and if they do have APIs they are usually extremely limited compared to true Cloud solutions. Finally, if there is any Community at all (which there usually isn’t) it’s restricted to the enterprise that is deploying it. That’s a much less powerful Community than the group of internet users as whole.

So while Private Clouds may offer many advantages for managing your data center, they do not truly address the Cloud Generation’s needs. What’s really needed is a way to make the true Cloud (that is to say the public internet) safe for enterprise use by improving security, performance, SLAs, support, standards and management tools. That way the users and the enterprise both get what they want. What does it take to do that? That’s a subject for the next post.

Posted: May 14th, 2009 under Cloud, SaaS - Software As A Service.
Comments: 2

A couple of posts ago, I spoke to the busting of the SaaS Silo with Web Services and the impact that was having on the SaaS industry.  The last post spoke specifically about using Web Services to add functionality to your app.  While adding cool new functionality to the app is big for the product guys and the marketing guys, the interest from the sales side seems to be driven by a whole separate set of concerns, chief among them… Integration.

According to recent research by both Saugatuck and Forrester, integration has surpassed security as the main concern for enterprise implementations of SaaS.  This is actually a great sign for SaaS vendors.  It means that SaaS is extending beyond the departmental sale and making true progress into the enterprise.  It also means that in order to get past this increasingly common sales objection, companies need to figure out how to use Web Services to integrate their SaaS application.

While enterprise adoption of SaaS has been quite good, it’s usually done at the departmental level initially.  That means good SaaS apps appeal to business users with specific problems.  As the adoption of those applications spreads from the department to the whole enterprise, IT gets involved.  And it’s logical to think IT wouldn’t want a separate employee record in its Taleo system than it has in its payroll system.  Solutions such as Boomi’s Atoms help IT shops avoid that problem.

Besides integrating with legacy applications, Web Services are beginning to help companies integrate multiple SaaS applications.  Up to now the most ubiquitous integration problem, user management, has either been ignored by companies using SaaS or has had to be cobbled together by in house teams.  I can tell you, we use everything from SalesForce to NetSuite to RightNow and we’ve had to put some pretty tricky things in to (imperfectly) manage users.  Now we are seeing ready built solutions from TriCipher and Symplified that are making this easier and easier for both the SaaS vendor and the enterprise.

Finally, the integration piece is allowing companies like Astadia to go beyond SalesForce customizations in to the world of really creating custom applications out of many different SaaS apps.   Astadia’s acquisition of Theikos indicates that pre-built custom applications are going to be a big part of their future.

So while integration may be listed as a concern on SaaS adoption in the enterprise, it’s really an opportunity.  An opportunity to expand your app by tying it in to other SaaS apps, to legacy apps, and to even see it as the basis for custom apps.  Next post, we’ll talk about using Web Services to not only to break down customer objections but to actually create new opportunities.

Posted: June 30th, 2008 under Cloud, SaaS - Software As A Service, Uncategorized, Web Services, Web applications.
Comments: 1

When Mike Mankowski sent me this blog post today, I figured “Yeah! My running buddy David Greenfield from Altera is writing a post about me. I didn’t even know he blogged.

Alas, it was a case of mistaken identity but the post was real. This David Greenfield disagrees with my hogwash, but that’s O.K., I just like getting quoted. That said, I think Mr. Greenfield’s issue that function (cloud applications) and form (cloud computing) are mutually exclusive is misguided.

I was stating that the next generation of users will demand on-demand, collaborative group applications they can access anywhere and connect to in any way. This is what everything we see on the web from SaaS to Social Networking is driving to. David’s argument that these applications will run like exisiting applications behind the firewall and on servers bought and managed by IT is short sighted.

Instead, I think Cloud Infrastructures will evolve with the applications that they serve. And with that evolution, IT will find a way to exert the kind of data control and security necessary to run Enterprise critical applications. So instead of buying servers, IT will find ways to use cloud resources that give them the same type of control they had with the old models. We are already seeing that today. While an Amazon ec2 cluster is fine for a blog site, when a Web Applications (or SaaS) company wants to sell they know their cloud environement needs to be secure and robust. Hence the proliferation of certifications (SaS 70, PCI, European SafeHarbor, etc.) that have become the ingrained into the DNA of SaaS applications. These are the beginnings of IT reasserting it’s control over cloud apps.

I see the evolution of enterprise class Cloud computing similar to what we saw with Client/Server. When the PC was seen as a toy IT talked about getting apps back under central control. This was accomplished not by moving back to mainframes and mini’s but by evolving PC apps to Client/Server apps. Many people forget that “Servers” are just souped up PC’s with more processors, memory and disk and sturdier versions of desktop OS’s.

Now the interesting thing is how watching these “Cloud Environments” evolve to meet the enterprise needs. 10-20 years from now, I’m sure we’re going to see environments that are as different from today’s clouds as a 30 system HP blade farm is from the PC XT I first used in business.

Posted: February 4th, 2008 under Cloud, SaaS - Software As A Service, Web applications.
Comments: 2