Elastic Security

Icon

Security for the Cloud

June 25, 2009 • 09:39 3

How will Enterprises manage their Infrastructure in the Cloud?

Photo: Blyzz

Photo: Blyzz

Amazon EC2 is the first and most popular provider of infrastructure services via the web. Since a couple of months, they provide a Web-Console that allows to build and control a virtual infrastructure: launch instances from virtual images (called AMIs), reboot, and terminate instances, create persistent storage and attach it to instances, allocate public IP addresses, manage Security Groups and key pairs. All those tasks are very basic. It’s hard to imagine to manage more than 20 virtual machines on one account. It’s not possible to group virtual machines or to even give them human comprehensible names or to easily track which instance uses which storage. The recently added feature CloudWatch, which allows to collect status and performance metrics from running instances, is not (yet) accessible via the console. It seems extremely difficult to professionally run and manage an IT infrastructure on EC2 without additional tools (except small setups e.g. consisting of a web-application with some web-, application- and database servers). But how would the management of a virtual IT infrastructure look like? How will enterprise customers use an infrastructure service as provided by EC2?

Built In AWS Console

Despite all the issues cited above (low level operations, visual scalability issues, manual interventions on running instances for configuration), using the AWS Console has nevertheless also some advantages. It gives full control over all aspects of the virtual infrastructure and therefore allows to deploy any low-level modification if needed. Given the frequency with which Amazon added new features in the past two years (see here for a short overview of innovations for EC2), it is also possible that most of the obvious gaps will be closed by AWS in the near future.

Third Party Management Console

Enterprises may also rely on external management applications that cope with the missings in the AWS Console offerings. The advantage of using a third party provider is that there is competition to push those providers for excellence. We can also expect that there will be specialized products that respond more closely to the specific needs of specific customers and concentrate on usability, security, scalability, flexibility – whatever is important for a customer.

Third party management consoles can itself be based in the cloud (as SaaS) or installed in the private network of the enterprise either as server or desktop application. The best known example of a SaaS based solution is RightScale that started as a simple console for EC2 (already when EC2 didn’t provide one) and evolved into a solution that allows to manage the life cycle of deployments. SaaS based solutions raise questions on security (who has access to the enterprises data? how is illegal access prevented?) and offer less control than using the “raw” AWS solution.

Consoles that are installed in the private network of the enterprise customer give more options to secure the access to the enterprises data in the cloud, works nicely in hybrid setups and offer the possibility to integrate with already existing management tools. However, they still require a private enterprise network (even when it becomes much smaller), which means a more complex overall IT architecture and higher costs of administration and operation (including hardware and cloud servers).

“Inside” Management Console

A third approach (we don’t know of any provider yet) could be to run the management console within the EC2 infrastructure. The customer would use the AWS console to deploy a virtual image with the management console, start it up, and then manage all deployments via a secured web-service delivered by the management console server running in EC2. This solution somehow combines the advantages of the former two: all credentials remain in the virtual perimeter of the AWS account owner, while the enterprise IT manager can benefit from an easy-to-use and well adapted management solution that can be integrated with other tools the customer is already used to.

Outsourced Management

Of course, an enterprise may also decide to not care about the underlying infrastructure at all as long as it has secure and reliable access to its data. When flexibility, low-level control, and the need for integration with existing data or services aren’t fundamental, it may go for a SaaS or PaaS (e.g. Salesforce) solution. Even security software is available as a managed service today (known as MSSP). Otherwise, it could outsource the management to a service provider (we called it myPaaS-Provider) that not only runs the infrastructure, but also deploys software updates and performs customizations.  Such a model would allow the enterprise customer to get their own customized applications as SaaS without loosing the power to apply additional features or security mechanisms.

Conclusion

Instead of a conclusion we rather ask for your opinion. How will enterprises manage their infrastructure in the cloud?

Filed under: AWS, Discussions

June 17, 2009 • 11:08 1

myPaaS – A Promising Cloud Delivery Model?

Foto: ChrisLB

Foto: ChrisLB

Cloud Computing Models: SaaS, PaaS, IaaS

The term Cloud computing is used in very broad manner. Some people use it already for simple web-applications, others only for services that provide a complete computing infrastructure. Christofer Hoff identified three cloud-computing models discerned by the type of service delivered to customers (see first chapter of the CSA Guide for details): Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (Iaas). All models have in common that they provide ubiquitous access to data and resources, and that they offer an utility or subscription based billing model. They differ basically by the degree of control, customization flexibility, and capabilities for integration and migration.

A customer that uses a SaaS (Software as a Service) based Customer Relations Management application (e.g. Highrise by 37Signals) must fully rely on the security mechanisms put in place by the provider; he is not empowered to e.g. encrypt his data or to provide additional measures for intrusion prevention (lack of control). The customer is also bound to the feature set of the specific provider’s proprietary software. Additional features he considers important might never be implemented or not in the way the organization would like to (lack of customization flexibility). It might also be difficult for the customer to switch the provider and migrate his data securely and without major interruptions to another platform, or to integrate the CRM application with other applications that should share a part of the same data set (lack of capabilities for integration and migration).

The PaaS model (Platform as a Service) offers more flexibility and integration capabilities (at least as long as the customer doesn’t change the platform). Independent application and service providers can extend applications and implement customized features via well defined APIs provided by the platform provider (e.g. Salesforce). The same set of data is accessible for different applications. The flexibility is however limited by the capabilities of the provided APIs. While there might be more control, the customer nevertheless is not empowered to apply the same fine-grained control as in IaaS environments, e.g. to deploy more sophisticated security schemes for certain data.

IaaS (Infrastructure as a Service) provides a maximum level of control and flexibility to customers – almost the same as if they would operate their own hosting center. Customers of infrastructure services (e.g. such as Amazon EC2) can do virtually anything they want with their application services and data. They are empowered to apply the security tools of their choice, to add new resources at any time, to deploy complementary tools, or run business intelligence processes on their data. If they use their own software or open source software, they can even extend the core feature set of their applications and integrate with other parts of their service architecture.

Something in the Middle: myPaaS

Control and flexibility for the IaaS model comes at the price of additional costs for maintenance and administration. We expect new tools to emerge that will facilitate and reduce costs for operating a software service infrastructure in the cloud. Nevertheless, IaaS will always require a high level of expertise and time that not every enterprise may want to deal with – especially, small companies or companies that consider IT only a commodity.

One way to cope with those issues is to outsource the administration to a third party provider. This provider would be responsible to run the customers software infrastructure and to provide ubiquitous, secure, and high-available application level and data access for the customer. He may also – in more customized setups – be responsible for software updates and the deployment of patches – or even for professional services like integrating new functionality, deploying additional tools, or switching to new applications. Such a provider is working similarly to a SaaS provider – in the sense that he offers application software as a service – but not in a one-fits-all approach, but providing customized services for individual companies. He also operates similarly to an infrastructure provider – in the sense that he provides infrastructure related services like security, computing resource provisioning, and management – and to a platform provider – in the sense, that the customer has full access to his data. That’s why we would call such a provider a myPaaS provider.

To become myPaaS a viable business model, we need tools that allow myPaaS providers to scale their services up, to be able to easily monitor, administer, and upgrade thousands of different setups. From the perspective of a customer, such an approach combines the comfort of SaaS delivery with the flexibility of IaaS and the permanent option for customization and professional services – it’s like mass customization for application services.

Conclusions?

What do you think – will we see myPaaS providers emerge with the growing popularity of IaaS and SaaS? Is the demand for such a type of service stronger than for solutions following the one-fits-all SaaS model? Can myPaaS become scalable enough to become a highly profitable business model?

Filed under: Discussions

June 11, 2009 • 10:09 2

Creating a Startup on EC2 – Really a Good Idea?

 

(Foto: Leonard John Matthews)
(Foto: Leonard John Matthews)

Amazon EC2 – A New Platform

Amazon is one of the pioneers of providing infrastructure as a service (Iaas). Customers can instantiate virtual machines via the Web with complete control over all computing resources and pay only for the resources they consume: computer power, storage and network  bandwidth usage. Such an environment allows to scale up and down computing environments in minutes thus enabling new and potentially more efficient ways of running datacenters and IT services. Amazon created a whole new platform (comparable with Microsofts Windows Operating system) that generates a virtually illimited  number of opportunies for startups to provide new services, tools, and applications to build on top or to complete Amazon’s offerings.

This is the optimistic version. But let’s dig deeper – is it really a good idea for startups to build upon the EC2 platform? What are possible strategies to be successful? What are the risks to fail?

Platform Software

Becoming the owner of a popular platform, i.e. a foundation product that enables other software companies to build own offers upon, is the ultimate dream of every software company and its investors. Platform owners define the rules of the game and profit directly and indirectly from any economical activity on their platform since every new product based on the platform increases its attractiveness. IBM’s Mainfraim systems, DEC’s Minicomputer Operating Systems, Oracle Databases, Intel’s 386 Family, Microsoft’s Window OS, Java – all those are examples for successful  platforms that became de-facto standards. The Internet itself is such a huge platform that it has become the foundation of many other platforms like EC2, Google’s App Engine, Salesforce.com, but also Facebook or Twitter.

The downside of the ambition being a platform provider is the extremely tough competition. There’s typically only space for one or two platforms in a segment that defines the standard. The way to get there is challenging, expensive and extremely risky. Only a few can win.

Succeeding as Niche Provider

It is far easier and more predictable for small companies to position themselves as provider of complementary products for a given platform (like building Management Applications for Oracle Databases, Debugging Tools for Windows, Java Optimization Software, etc). Occupying and defending a niche has shown to be a successful strategy for startups many times. Some of those startups even expanded from their niche into horizontal markets and then became themself platform providers (e.g. Microsoft, Apple, Google). Others developed outstanding and unique skills that attracted the interest of the platform provider that eventually bought the startup and integrated their technology in their own plaform offererings. Being bought by Google is probably the most popular exit strategy of web-startups today. Google bought more than 50 companies between 2001 and 2008, Microsoft even more.

Is there any evidence that this strategy works also for EC2? Amazon acquired very few companies, almost all in the retailing market, one UI-specialist (Shelfari) and one stake in an alternative payment company (BillMeLater.com) . There is no company in the list that offers technology to improve, extend, or complete the EC2 platform. Does Amazon at least leave enough space in its eco-system for niche and complementary providers?

Looking at the history of EC2, it is quite impressing how the platform evolved within short time intervals. EC2 started as beta-version in 8/2006 without any graphical interface. Access to the platform was only possible via an API. There was no possibility to assign persistent storage to running instances, neither static IP addresses. In 12/2007, they presented DevPay (only for the US), a payment system that allows providers of virtual appliances (AMIs in Amazon’s terms) to assign fees to their VAs that Amazon charges from the users and credits to the provider. In 3/2008, they came out with features for high availability like static IP addresses and availability zones. In 8/2008, they provided the possibility to attach persistent storage to instances. In 10/2008, EC2 lost its beta-label and went into production mode. Two months later, EC2 become available in Europe.  Beginning 2009, Amazon announced a management console.  Shortly later, they started providing images based on Windows. In 3/2009, it became possible to reserve instances, i.e. keep fully configured images in hibernate mode without paying for them until they are used. And some weeks ago, they added monitoring, autoscaling, and loadbalancing to the platform’s features.

Given this impressive list of innovations, it is clear that Amazon puts a lot of pressure on startups to remain competitive against the platform provider. This brings us back to our initial question: is selling products or services on for the EC2-platform really a viable business model?

Strategies to Survive

We believe that this is the case. We even believe that the situation is not substantially different from any software provider which builds products for Windows. But any startup should be extremely careful concerning their decisions on the product/service scope and feature set. Here are a couple of strategies that may work:

  • Startups could provide solutions for a technological niche that is not of common interest of the vast majority of EC2 users (e.g. network simulation)
  • Startups could concentrate on specific usecases for a subset of potential EC2 users and provide simple solutions to streamline those usecases (e.g. deployment of web-services in Ruby on Rails)
  • Startups could focus on a vertical industry segment (e.g. provide solutions for lawyers)
  • Startups could diversify their offering by supporting different infrastructure providers (like GoGrid or FlexiScale)
  • Startups could try to be faster than EC2, sell solutions for existing gaps in the Amazon offerings, and move on when EC2 fills the gap itself (RightScale seems to follow such a strategy)

Whatever strategy a startup chooses, an ermerging growth market as cloud-computing and infrastructure services should offer enough possibilities for determined founders to succeed and create a thriving business.

Filed under: AWS, Discussions

June 8, 2009 • 14:49 5

Requirements for Cloud VPNs

The CSA guide is a comprehensive effort to list the security risks brought by cloud computing. A good overview but there are security requirements that are spread among several domains. Two such examples are confidentiality and integrity. Moreover, these requirements need to be fulfilled in different situations. For example data integrity in transit and at rest.

Let’s start by focusing on confidentiality and integrity of communications. We have to deal with confidentiality and integrity of communications in several scenarios:

  • Communication from the internet to the cloud
  • Communication between the internal network and the cloud
  • Communication between applications within the cloud (an interesting example is between amazon EC2 and S3)
  • Communication between clouds

With PaaS and SaaS, we may use SSL. In IaaS the solution to provide you full access to your cloud network is a VPN.

The requirements for a cloud VPN in all scenarios are as follows:

Clientless: The need to deploy agents should be avoided when possible. The use of standards like IPSec which is supported by security gateways or existing operating systems solves this problem as well.

Centralized management: Modifications on the configuration of servers or clients should not imply a re-deployment.

Authentication and authorization features : The solution should support different authentication methods and it should allow to specify access control lists as well (role based or RBAC).

Integration with endpoint security: The VPN should integrate with endpoint security solutions.

Advanced logging and reporting: At a given moment it should be possible to know who is or was connected and what kind of operations are or were performed.

Support of different communication methods and devices: Legacy applications, some windows applications such as outlook, or applications that use multicast should be supported. On the top of that, several types of devices such as smart-phones need to be supported as well.

High availability: when a server is down, the clients must be able to connect to other available servers in a transparent way.

Static addressing: the number of static public IPs is limited, so it is practical to build a private IP infrastructure.

In a follow-up post we will focus on tools and the scenarios listed above.

Filed under: AWS, Discussions, Internals

June 4, 2009 • 10:01 0

A New Way of Shipping Software

(Foto: jpellgen)

(Foto: jpellgen)

The Old Way of Shipping Software

In the early 70s, selling software started to become an independent business since software was no longer bundled  and sold together with hardware.  It has been shipped as a set of binaries on storage carriers like floppy-disks, and later CDs and DVDs. The customer pays upfront license fees for the right of using the software product and typically also for support fees, professional services, and periodic upgrades. At the beginning of the Internet era, a new, yet only slightly different model appeared: software is no longer bound to physically devices, but can be downloaded instead. However, the economical model – upfront payments, licensing, software updates – didn’t change at all: customers buy, install and run software products.

From Products to Services

The real innovation came a bit later: under different labels such as On-Demand Software, ASP (Application Service Provider), Web-Services, SaaS (Software as a Service), – and recently more generally Cloud Computing – utility or subscription based models have gained a lot of popularity. Customers pay relatively small amounts of monthly fees for the usage of an application that runs on the servers of the software provider. Software installation and upgrades are no longer part of the customers’ responsibility. Reduced capital and maintenance costs for software and hardware as well as more flexibility in resource allocation and contract termination make this model more and more attractive.

IaaS as Enabler for a New Way of Shipping Software

Amazon AWS were the first to combine  the utility model of the SaaS approach with virtualization technology. They give customers the possibility to create their own virtual data center and IT infrastructure on Amazon’s physical one. In such a model (often referred to as Infrastructure as a Service – Iaas), the customer has full control over the underlying computing, storage and networking infrastructure while paying only for the resources he actually uses. He can perfectly customize his computing and data environment while still enjoying the advantages of the utility economic model.

From the perspective of a software company, the IaaS model can also be seen as a new paradigm that may change radically the way software is distributed, upgraded, and billed in the future – a model that lies in the middle between shipping a product and providing a service.

What It Means for Customers and Software Companies

Let’s have a closer look at Amazons Elastic Cloud Service (EC2). Software providers can ship completely pre-configured virtual images of servers to their customers that simply need to start them up to have it running on Amazon’s virtual infrastructure. VMWare calls those images Virtual Appliance (VA) and created even a marketplace for them – however, they did not provide a infrastructure to run these VAs, but rely on the infrastructure enterprises build themselves.

In addition to providing computing resources to their infrastructure customers, Amazon also takes over the billing for third party software providers. Each instantiated image can be associated with subscription or utility fees to be charged from the customer and credited to the provider of the image (see  DevPay). From the perspective of a software provider, such a model has the advantage that he can respond to the customers’ need of utility pricing models without being forced to undertake the efforts of building a potentially costly service infrastructure to deliver his applications.

New Opportunities

Although delivering software as a service as well as the classical approach of providing installers will surely remain popular models to deliver software, the idea of virtual appliances in IaaS environments will open new opportunities for software companies. A healthy virtual appliance market will make it easier than ever to ship application server software and to respond to specific customer needs without building up own computing and billing infrastructures. On the other hand, customers that are building their own virtual infrastructures, can benefit from the VAs advantages to combine easy installation with a maximum of control.

Filed under: AWS, Discussions, ,

Twitter Updates

Follow

Get every new post delivered to your Inbox.