Elastic Security

Security for the Cloud

CloudCamp in the Cloud

Last week I attended the CloudCamp in the Cloud. Apart from the fact that the roughly 70 attendees were connected via a public webinar, the program was similar to a normal CloudCamp: 5-Minute Lightning Talks, an Unpanel (questions to a dynamically formed group of panelists), and Break-Out Sessions for deeper discussions on certain topics. In fact, the difference between the Unpanel and the Break-Out Sessions was not noticeable, since most people (including me) remained on the main channel of the web conference and the sessions were as unstructured as the Unpanel session itself. Maybe next time we could simply remain on the same channel and fix time slots of, let’s say, 30 minutes to concentrate on pre-defined topics (topic propositions could be sent in by mail in the days before the conference). Everybody interested in a specific topic could join at the right time. Those sessions could even be linked to the Lightning Talks (when we can avoid having masqueraded sales pitches), which would allow some discussion around the talks and direct feedback for the speaker.

Here are my notes from the conference. They reflect some of the most important questions and concerns around Cloud Computing. I have classified them by the topics proposed for the break-out sessions during the conference.

  • Cloud Computing Definition, Introduction
    • How can we better educate adopters of cloud computing to know what they’re getting into?
  • Cloud Computing Providers and Market
    • How does Amazon compare to its competitors (like SliceHost, GoGrid, Rackspace) with regard to features and cost?
    • When economies of scale are necessary to reduce the computing costs, aren’t we heading to a market with very few players, which are then able to keep costs high?
    • What are the growth numbers of providers?
    • How do I get more “nines” from my application in the cloud?
    • Interoperability between cloud vendors – what is the state of the art?
    • What will be the role of channels/VARs in the cloud eco system?
    • Will there be a market for AMIs? Are AMIs the right abstraction to sell?
  • Security and Legal
    • Does the Patriot Act put constraints on the usage of cloud computing?
    • Multi-tenancy is the principle for a good ROI on cloud services, but isn’t that a bad maneuver for security and client (secure) isolation?
    • What additional security issues do I need to consider when moving to the cloud?
    • Questions about cloud provider security and trust are legitimate. But how do these questions apply to internal systems? Are people putting more security requirements on the provider than on themselves?
    • If trust in your provider is indispensable, how can trust be created?
  • Hands-On Experience and Technical
    • Do I need to make changes to my application to have it scale-out in the cloud?
    • How do KVM vs Xen compare to each other?
    • Is Hadoop highly suitable for cloud deployments?

Reuven Cohen recently posted a recap and video of the conference here. Slides of the lightning talks can be found here.

Filed under: CloudCamp, Discussions

Cloud Security: New Problem or New Context?

Here is our presentation from CloudCamp Frankfurt. The complete set of videos can be found here.

[Slides]

Filed under: CloudCamp, Discussions

Impressions from CloudCamp Frankfurt

Yesterday, I attended CloudCamp in Frankfurt. My overall impressions: professional organisation, funny location (the film-museum in Frankfurt), great people, a large variety of topics, and a couple of highly interesting presentations. And most of all: good discussions! Thanks to the organisers and sponsors of this great event!

Presentations

Among my personal highlights was the presentation of Uri Budnik from RightScale, who gave insights into how infrastructure services such as Amazon EC2 are actually used today. Not only startups or Facebook application providers, as in the beginning, but also Fortune 500 companies are discovering the cloud and moving IT services into public space.

I also liked the presentation of Bernd Becker from Siemens, who has a decade of experience as an Application Service Provider (ASP), which is actually the predecessor of cloud computing. The fact that cloud computing emerged from the consumer space and was not designed for enterprises from the very beginning will have an impact on the security architecture and raises questions related to security, auditing and proving resource usage.

Tom Cole stressed the growing importance of identity management and security with the rising popularity of SaaS usage.

Sam Johnston talked about the Open Cloud Initiative, which has the goal of defining and protecting the Open Cloud, including everybody’s right to access their data in the cloud via open interfaces in open data formats. Great initiative!

Panel about Private Clouds

The questions and discussions in the unpanel session were primarily about the importance and justification of private clouds, i.e. cloud computing services built upon the internal infrastructure of an enterprise. The range of opinions was wide: “private clouds are not much more than the consequent use of virtualization technology” – “private clouds are an evolutional yet transitional step between internal IT management of today and (public) cloud-based IT management of tomorrow” – “private clouds will always be the first choice for applications with mission-critical data or use cases with small delay and response time requirements”.

Security Workshop

I noted a couple of good questions in this workshop. We plan to address some of them in upcoming blog posts. If you are a workshop participant and you think I forgot something important, please let me know in the comments!

  • Aren’t private or hybrid clouds (including Amazon’s VPC) a sign that the great vision of public clouds is just a chimera? Frankenstein created his monster, but now that it starts walking we see the need to enchain it?
  • Are technical security issues just a way to hide the real problems which are: trust and compliance?
  • Can compliance follow the speed of technological progress? Examples: how to retrieve business-related information of an employee that quit the company, when the information is stored at Google? In some countries, strong encryption is not allowed – how to secure privacy of data here?
  • What new problems appear related to auditing? One example: how does a server know its location and how can we be sure that the location cannot be faked?
  • Aren’t most of the security issues for public clouds the same as they already are for hosting?
  • What is the difference between a cloud-provider and a bank? Much stronger compliance and auditing!
  • Will the right to audit be a key differentiator once the cloud market gets more mature, pushing companies like Google or Amazon to change their current habits and attitude?

More opinions on CloudCamp Frankfurt 09 here:

Here is the link to the Elastic Security presentation: “Cloud Security: New Problem or New Context?”

Filed under: CloudCamp, Discussions
