The Blog-Health-o-Meter™ reads This blog is doing awesome!.

Crunchy numbers

A Boeing 747-400 passenger jet can hold 416 passengers. This blog was viewed about 4,400 times in 2010. That’s about 11 full 747s.

In 2010, there were 4 new posts, growing the total archive of this blog to 60 posts. There were 2 pictures uploaded, taking up a total of 175kb.

The busiest day of the year was March 24th with 68 views. The most popular post that day was Private Cloud Computing Reference Architecture .

Where did they come from?

The top referring sites in 2010 were twitter.com, lmodules.com, linkedin.com, cloud-computing.learningtree.com, and cloudenterprise.info.

Some visitors came searching, mostly for iaas, iaas paas saas, paas, cloud computing architecture, and hardware as a service.

Attractions in 2010

These are the posts and pages that got the most views in 2010.

Private Cloud Computing Reference Architecture March 2010

(Cloud Computing contd..): IaaS, PaaS & SaaS April 2009
1 comment

Cloud Computing Reference Architecture January 2010
1 comment

Security, Risk & Compliance for Cloud Computing Model December 2009

Flirting with Cisco UCS (Unified Computing System) January 2010

the change is around the compute part. in a private cloud, there may exist scenarios when virtualization may not be an option. for example – some legacy applications can only scale up and not scale out or require a dedicated hardware to run etc, or a particular OEM may not support a business critical environment in a virtualized environment (yes i know that you know which OEM am i talking about )in those cases, one needs physical server instances instead of virtual instances that are typically associated in a cloud environment.

however, these physical instances will still need the orchestration, metering and billing that one does for virtual instance. this architecture is modified to reflect such a requirement.

Private Cloud Reference Architecture

comments/criticism/feedback welcome!

In this post, I preset my views on the subject

To understand how such certifications can help the Cloud service providers, we can look at the strategies various IT sourcing providers with global delivery models adopted when it came to providing assurance to their customers on Information Security & regulatory compliance.

In the early years of outsourcing, (around 2000 – 2004) there were lot of apprehensions expressed by potential customers around the state of Information Security, Risk Management & Regulatory Compliance when outsourcing to IT service providers, be it HP, IBM, CSC, EDS, HCL etc. The IT service providers knew that to get customers business, they need to provide a reasonable assurance on the state of Information Security to their customers.  In any outsourcing discussion that took place around that time, there used to be a huge focus on such topics.

What these providers then did was,  they adopted industry best practices and standards like ITIL and BS7799 (now ISO27001). Then they got an external body to audit and certify the state of these controls in their delivery centers (certifications like SAS 70 Type I&II to demonstrate the presence and effectiveness of the implemented controls). On top of that, some of these providers also allowed their customers to audit the security controls implemented at the provider’s delivery centers at random either by customer’s internal auditors or by customer external auditors.

Over time, the adoption of the industry standards combined with SAS reports and yes ‘right to audit’ did provide a reasonable assurance to the customers. Many of these providers have been successfully able to demonstrate the state of information security at their delivery centers to the existing and new customers and the business has been good.

Now, is it guaranteed that just because these providers have SAS 70 certifications, all is well at their centers? I don’t think anyone can guarantee a 100% secure environment.

I think the cloud computing market will evolve in a similar manner. It would require cloud computing providers to implement necessary controls, adopt standards, furnish recognized certifications as a proof of effectiveness of the controls. Without these certifications, these providers will find it tough (just like the IT outsource providers) to demonstrate effectiveness of the controls implemented by them.

Having said that, I also think that cloud computing service providers will also be required to let  customers the ‘right to audit’ on top of these certifications.Especially enterprise with enough business potential will be able to muscle their way with the providers.

I recently met a cloud computing provider and asked them about the right to audit and they said – they wont let customers audit their facilities and even refuse to divulge the location of their DC’s. I don’t see them winning too many favors with auditors with such an approach, especially those who are very particular about data sensitivity and regulatory compliance. These providers may continue to get the non-critical portion of the enterprise  IT environment. Unless reasonable and acceptable assurance around Information Security & regulatory compliance  is provided, the critical, sensitive corp apps are likely to stay within the enterprise DC probably in a private cloud kind of setup.

i will also make an attempt to map offerings from the likes of AWS, Microsoft on the architecture going forward. will also try to map offerings under VCE intiative into the same for private cloud implementations.

Cloud Computing Ref Arch V1

this is a tagholder for the post - i will post my analysis along with some numbers to present my experience with Cisco UCS soon.

it was privilege working with so many of my peers located in different parts of the world. it is actually amazing that so many of us could collaborate and work collectively on this initiative.

Now, with the evolution & popularity of Cloud computing model in the recent time, it has added new dimensions to the concept of information security. There is a lot of discussion is taking place within the IT industry but there is still a haze around the security, risk & compliance issues. I believe that with time, a clearer picture is likely to emerge as Cloud service providers realize the importance to address concerns around information security and emergence & adoption of standards.

In my opinion, key issues around security, risk & compliance in Cloud computing model are:-

Governance – one of the concerns customers have expressed is the loss of governance over the service that is now provided in the Cloud. The control now resides with the Cloud service provider on issues like location of data, implementation of security controls and their functioning etc. This lack of overall control and hence over some of the topics that can potentially impact security, risk & compliance issues is a serious concern for the organizations exploring the use of Cloud based services.

Access Control – how do you control the access to the information residing in the Cloud? While models are emerging to control the end user access like OpenID etc, one of the key issues is around control access for the privileged users like administrators.

Data location within Cloud – this is another important concern since it has lot of regulatory & compliance issues. The location of data residing in Cloud also has implications on legal jurisdiction and implications of regional/country specific data privacy requirements.

For example – some of my customers especially in non-US geography have specifically expressed concerns around the implication of US patriot act on the Cloud computing services.

Securing Data at Rest – how secure is the information residing on the Cloud in a shared environment? Information segregation and encryption are key topics that are being discussed to address concerns around information assets in the Cloud.

Regulatory compliance – Organization do need to understand that while the responsibility of security the underlying assets may rest with the Cloud services providers, the responsibility & accountability to secure the information still rests with the enterprise. Traditional IT organizations are faced with lot of audit (internal & external) & security certifications like ISO27001/SAS 70 etc to demonstrate an acceptable level of presence & effectiveness of security controls. Similarly there will be a need for the Cloud service providers to accommodate their customers internal & external audit requirements along with an acceptable demonstration of presence of security controls within the Cloud services offered by them.

Incident Response & Forensics – another important point of concern is around support during incident response and forensics. Due to the shared nature of the Cloud based services and the fact that the service provider can host the data in any of the data centres, establishing log/audit trails to enable Incident Response and to support forensics can be a challenging task.

Organizations are realizing that when using a Cloud computing services, there is a limit to the security controls that can be implemented and enforced. One needs to rely on the controls that are implemented by the Cloud service provider and trust these controls are adequate and working the way they Ire designed. Similarly, there is also a limitation on how much audit information can be generated, collected in a tamper-proof format, retained and if that is adequate to satisfy an organizations audit requirements.

I believe that while enterprise will continue to use public Clouds, the IT spend on setting up private Clouds will increase over a period of time. Public Cloud services will be used to host non-critical services by the organizations while they will use the Cloud computing model within their organizational boundaries to benefit from the concept of Cloud computing while ensuring security, risk & compliance issues are within their control. I are most likely to see emergence of industry standards and also some guidance movement by government bodies on the topics of security, risk and compliance for Cloud services.

references:- http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment/at_download/fullReport; twitter feeds on cloud

here are my thoughts on the subject –

Typically infrastructure management involves design & planning of infrastructure components, procurement, deployment, operations and disposal. However, cloud computing introduces a different aspect – cloud management activities.

Cloud computing has various flavours like SaaS, PaaS, IaaS from services point of view. Also from ownership model, there are public clouds which are owned by service providers and then there are private clouds which offer cloud computing services but are owned by the customer themselves and reside in their data centers.

Depending on which service viewpoint and what ownership model is the customer considering cloud computing, there will be different levels of involvement in infrastructure management. Public cloud providers have solutions that involve a lot of automation thus making the infrastructure management activities simplified.

for public clouds -

SaaS service does not require infrastructure management PaaS service does not require hardware level infrastructure management but will involve activities like provisioning and de-provisioning (cloud management activities), patch management etc.

IaaS service will require activities like provisioning, de-provisioning of compute resources, OS & application patch management etc.

for private clouds -

PaaS & IaaS will require infrastructure management like provisioning of hardware for setting up of private cloud and then cloud management activities like provisioning and de-provisioning of compute resources (cloud management activities), OS and platform patch management, incident, change, problem management etc.

initially i had titled this post as “email and its imminent demise” but then maybe it is incorrect to say “imminent demise”, rather i think it will slowly move into the background and slowly treated as legacy application if it fails to evolve and incorporates the new web 2.0 technologies that ppl are toying for enterprise use..

email has come a long way since it was invented in early 1970′s. people have used emails to  send simple messages to each other/group, use it as means of sharing documents (much to the plight of the email administrators), use calendaring features for appointments and scheduling meetings. on looking closely at how an email is typically used in an organization, i have noticed that along with the above mentioned functions,  emails are also used as means to store files (hey dude, can u email me that presentation that you took for a xxx client the other day, i may use it in future),  approvals for certain business transactions (e.g approval to buy a new server sent by CIO to IT Manager etc), keep a record of certain communication (he said, i said etc) to basically CYA (covery your a**) in case things go bad..however, along with email came its nuances, maintaining uptodate address book, spam, compliance issues etc. but we are all dealing/living with it.

as time goes by, in the world outside the boundaries of an enterprise, people are adopting techniques that harness the power of technology to reach out to each other, either as part of social networking phenomenon or to work together/collaborate. with the power of the internet coming to the mobile device, the speed at which this adoption is taking place is awesome. now, people dont need to access their emails to know what their friends/peers are doing or what is the latest buzz etc. applications like facebook and twitter have already proven the usefulness of technology outside the enterprise walls..it is only a matter of time when they are adopted within the enterprise also. already there is a lot of talk about web 2.0 adoption within the enterprise by many analysts. email too needs to evolve if it has to stay alive in this fast changing scenario. already there are surveys which shows that more and more people are using facebook/myspace/twitter etc over email to reach out/keep in touch.

in my opinion, organizations will start looking for a better collaboration platform which can increase the effectiveness, efficiency & productivity by harnessing the same technologies that are used by millions outside the enterprise boundaries. realizing this need, some email services have now integrated instant messaging/chat services with archiving features on the messaging platform. . how many times have you noticed that when ur having an email exchange with someone, u end up taking the remaining conversation to the chat as it is faster and more effective. i think the collaboration tools like instant messaging will  evolve and bring convergence of channels of communications viz chat, voice, video along with email and other forms of collaboration technologies like document management systems etc. the other day i wanted to reach out to a group within my company to work on platform migration. instead of sending emails to numerous people and then getting redirected from one group to another, i just sent an update on yammer and got a reply within 2 hours from someone located on the other side of the world.. it was awesome and saved me numerous emails and days in waiting for a favorable response.

there will be initial resistance from many to move from legacy to new forms of collaboration. there will be compliance & security concerns. but like the case with any new technology, it will find its own steady state adoption rate. only that, given the way web 2.0 is evolving,  this rate might be accelerated by few notches.

already there is a lot of noise that google wave has generated on the internet. maybe microsoft solution around corporate instant messaging – OCS will also evolve to bring in convergence of existing communication & collaboration tools with the new web 2.0 toys.

my take is that few years from now, email might just end up as a legacy platform required to retrieve old email data and corporates will use a newer and more efficient form of collaboration technologies.

can cloud & cloud based services provide enterprise with the desired level of continuity along with financial flexibility? in my opinion, this is a subject worth further exploration.

during a disaster, you either operate at same or reduced business service SLA’s around performance & availability as from the main site.  the requirements from the DR site are “elastic” in nature,  most of the times, the compute requirement around CPU, memory are pretty low except when activated and operations are run from the DR site.  usually it is the storage that has a consistent use. now, one of the major advantages of cloud computing is to meet elastic demands. put two and two together..i feel there has to be a case to use cloud for IT continuity!

one of the possible challenges is the consistency of the virtualization technology within the enterprise with that of the cloud computing provider. i do not think the cloud computing providers fraternity has something of an intera-operable virtualized images across different cloud providers and private cloud platforms..(or maybe they have. this is something i have not tracked in the google-sphere yet!). so basically what that means is you are stuck with those set of cloud computing providers who use the same virtualization technology as you use in-house in your DC’s for the time being. but compared to having idle investment in your dedicated DR sites, this may be a small trade-off.

some points that i can think of while evaluating the cloud platforms for DR & IT service continuity is – licensing of your existing apps..does the licensing allow you to run the apps from a cloud computing setup, connectivity options to allow migration of large amount of data/images to the cloud computing provider’s setup, how are you going to keep the images of your apps etc in the cloud environment up-to-date with necessary patches, security policies of the providers and client access mechanism.

will update as and when i have discussions with more customers on this topic!