Private Cloud Computing Reference Architecture

this post is a follow-up to my post on Jan 28th 2010 on cloud computing ref arch.

the change is around the compute part. in a private cloud, there may be scenarios where virtualization is not an option. for example – some legacy applications can only scale up and not scale out, or require dedicated hardware to run, or a particular OEM may not support a business critical environment in a virtualized environment (yes i know that you know which OEM i am talking about 😉 ). in those cases, one needs physical server instances instead of the virtual instances typically associated with a cloud environment.

however, these physical instances will still need the orchestration, metering and billing that one does for virtual instances. the architecture is modified to reflect such a requirement.

Private Cloud Reference Architecture

comments/criticism/feedback welcome!

Cloud Computing Reference Architecture

my first attempt at defining a reference architecture for cloud computing. will appreciate any feedback…good/bad/ugly :-). based on the feedback and the discussions i am hoping it will evolve positively.

i will also make an attempt to map offerings from the likes of AWS, Microsoft on the architecture going forward. will also try to map offerings under the VCE initiative into the same for private cloud implementations.

Cloud Computing Ref Arch V1

Cloud Security Alliance Guidance Document v2

CSA has released version 2 of the cloud security guidance document. it is available at – http://www.cloudsecurityalliance.org/csaguide.pdf

it was a privilege working with so many of my peers located in different parts of the world. it is actually amazing that so many of us could collaborate and work collectively on this initiative.

Security, Risk & Compliance for Cloud Computing Model

IT has long struggled with the issue of securing information and the underlying assets in traditional IT environments. There have been debates around how much security is enough. Over a period of time, various models have evolved to enable an enterprise to get a grip on the information security issue. Most approaches encourage taking a risk based approach to measure the adequacy of existing controls & identify areas of improvement to bring the risk to an optimum level.

Now, the evolution & popularity of the Cloud computing model in recent times has added new dimensions to the concept of information security. A lot of discussion is taking place within the IT industry, but there is still a haze around the security, risk & compliance issues. I believe that with time, a clearer picture is likely to emerge as Cloud service providers realize the importance of addressing concerns around information security and as standards emerge & are adopted.

In my opinion, key issues around security, risk & compliance in Cloud computing model are:-

Governance – one of the concerns customers have expressed is the loss of governance over a service that is now provided in the Cloud. Control now resides with the Cloud service provider on issues like the location of data, the implementation of security controls and their functioning etc. This lack of overall control, and hence of control over some of the topics that can potentially impact security, risk & compliance, is a serious concern for organizations exploring the use of Cloud based services.

Access Control – how do you control access to the information residing in the Cloud? While models like OpenID etc are emerging to control end user access, one of the key issues is controlling access for privileged users like administrators.

Data location within Cloud – this is another important concern since it has a lot of regulatory & compliance implications. The location of data residing in the Cloud also has implications on legal jurisdiction and on regional/country specific data privacy requirements.

For example – some of my customers, especially in non-US geographies, have specifically expressed concerns around the implications of the US Patriot Act on Cloud computing services.

Securing Data at Rest – how secure is the information residing on the Cloud in a shared environment? Information segregation and encryption are key topics that are being discussed to address concerns around information assets in the Cloud.

Regulatory compliance – Organizations do need to understand that while the responsibility for securing the underlying assets may rest with the Cloud service providers, the responsibility & accountability to secure the information still rests with the enterprise. Traditional IT organizations face a lot of audits (internal & external) & security certifications like ISO 27001/SAS 70 etc to demonstrate an acceptable level of presence & effectiveness of security controls. Similarly, Cloud service providers will need to accommodate their customers' internal & external audit requirements along with an acceptable demonstration of the presence of security controls within the Cloud services offered by them.

Incident Response & Forensics – another important point of concern is support during incident response and forensics. Due to the shared nature of Cloud based services and the fact that the service provider can host the data in any of its data centres, establishing log/audit trails to enable Incident Response and to support forensics can be a challenging task.

Organizations are realizing that when using Cloud computing services, there is a limit to the security controls that can be implemented and enforced. One needs to rely on the controls that are implemented by the Cloud service provider and trust that these controls are adequate and working the way they were designed. Similarly, there is also a limitation on how much audit information can be generated, collected in a tamper-proof format and retained, and on whether that is adequate to satisfy an organization's audit requirements.
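The "tamper-proof format" point above is easier to reason about with a concrete mechanism in hand. The following is an added example, not code from the original post or from any provider the post mentions: a hash-chained audit trail in which each exported event carries an HMAC over its own content and the tag of the previous event. The audit key, the event records and the entry names are all constructed for the demo; the customer-side verifier holds the key, so the party writing the log cannot recompute valid tags after altering or dropping a record. It also shows the one case a bare chain does not catch, truncation of the newest entries, which is why the latest tag has to be anchored somewhere the provider cannot rewrite.

```python
import hashlib
import hmac
import json

# Constructed demo key. The verifier (the customer's audit function, not the
# log writer) holds it, so altered records cannot be re-tagged by the writer.
AUDIT_KEY = b"constructed-demo-key-not-for-real-use"
GENESIS_TAG = "0" * 64  # fixed starting point of the chain


def _entry_tag(key: bytes, prev_tag: str, record: dict) -> str:
    """HMAC-SHA256 over the previous tag plus the canonical JSON of this record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag.encode() + b"\n" + payload, hashlib.sha256).hexdigest()


def append_entry(log: list, record: dict, key: bytes = AUDIT_KEY) -> str:
    """Append a record, linking it to the tag of the entry before it."""
    prev_tag = log[-1]["tag"] if log else GENESIS_TAG
    tag = _entry_tag(key, prev_tag, record)
    log.append({"record": record, "tag": tag})
    return tag


def verify_log(log: list, key: bytes = AUDIT_KEY):
    """Recompute the chain. Returns (True, None) or (False, index of first bad entry)."""
    prev_tag = GENESIS_TAG
    for i, entry in enumerate(log):
        expected = _entry_tag(key, prev_tag, entry["record"])
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, i
        prev_tag = entry["tag"]
    return True, None


# Constructed sample events, in the shape a provider might export for one tenant.
SAMPLE_EVENTS = [
    {"ts": "2010-02-01T09:00:00Z", "actor": "admin01", "action": "vm.create", "target": "vm-17"},
    {"ts": "2010-02-01T09:05:12Z", "actor": "admin01", "action": "volume.attach", "target": "vm-17"},
    {"ts": "2010-02-01T09:07:45Z", "actor": "admin02", "action": "volume.snapshot", "target": "vol-3"},
    {"ts": "2010-02-01T09:20:03Z", "actor": "admin02", "action": "vm.console", "target": "vm-17"},
]


def build_sample_log() -> list:
    log = []
    for event in SAMPLE_EVENTS:
        append_entry(log, dict(event))  # copy, so demos below do not mutate the sample
    return log


def detect_modification() -> tuple:
    """Silently change the actor on entry 1; the chain breaks at index 1."""
    log = build_sample_log()
    log[1]["record"]["actor"] = "admin03"
    return verify_log(log)


def detect_deletion() -> tuple:
    """Drop entry 1; entry 2 now follows entry 0 and its tag no longer matches."""
    log = build_sample_log()
    del log[1]
    return verify_log(log)


def detect_truncation() -> tuple:
    """Dropping the newest entry leaves a valid-looking chain; only an externally
    anchored copy of the last tag exposes it. Returns (chain ok?, anchor matches?)."""
    log = build_sample_log()
    anchored_last_tag = log[-1]["tag"]  # what the customer recorded out of band
    del log[-1]
    ok, _ = verify_log(log)
    return ok, log[-1]["tag"] == anchored_last_tag


if __name__ == "__main__":
    print("intact:", verify_log(build_sample_log()))
    print("modified entry:", detect_modification())
    print("deleted entry:", detect_deletion())
    print("truncated (chain ok?, anchor matches?):", detect_truncation())
```

The design choice worth noting is the split of duties: the provider can generate and ship the entries, but it cannot produce a valid tag for a changed record without the customer's key, and it cannot quietly shorten the trail if the customer periodically records the latest tag (or entry count) on its own side. What remains outside the customer's control is how much the provider chooses to log in the first place, which is the limitation the paragraph above describes.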

I believe that while enterprises will continue to use public Clouds, IT spend on setting up private Clouds will increase over a period of time. Public Cloud services will be used by organizations to host non-critical services, while they will use the Cloud computing model within their organizational boundaries to benefit from the concept of Cloud computing while ensuring security, risk & compliance issues are within their control. We are most likely to see the emergence of industry standards and also some guidance from government bodies on the topics of security, risk and compliance for Cloud services.

references:- http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment/at_download/fullReport; twitter feeds on cloud

Clouds & Infrastructure Management

recently, someone asked me a question around infrastructure management – One of our business units is going in for cloud computing. Do they still have to look at infrastructure management?


here are my thoughts on the subject –


Typically infrastructure management involves design & planning of infrastructure components, procurement, deployment, operations and disposal. However, cloud computing introduces a different aspect – cloud management activities.

Cloud computing has various flavours like SaaS, PaaS, IaaS from a services point of view. Also, from an ownership model point of view, there are public clouds which are owned by service providers, and then there are private clouds which offer cloud computing services but are owned by the customers themselves and reside in their data centers.

Depending on which service model and ownership model the customer is considering for cloud computing, there will be different levels of involvement in infrastructure management. Public cloud providers have solutions that involve a lot of automation, which simplifies infrastructure management activities.

for public clouds –

SaaS services do not require infrastructure management.

PaaS services do not require hardware level infrastructure management but will involve activities like provisioning and de-provisioning (cloud management activities), patch management etc.

IaaS services will require activities like provisioning and de-provisioning of compute resources, OS & application patch management etc.

for private clouds –

PaaS & IaaS will require infrastructure management like provisioning of hardware for setting up the private cloud, and then cloud management activities like provisioning and de-provisioning of compute resources, OS and platform patch management, incident, change and problem management etc.


Cloud for IT Continuity

typically a DR site goes live when the main DC goes offline or fails. quite often, the IT infrastructure at the DR site sits idle waiting for an untoward incident to kick it back into life. in some cases, the infrastructure at the DR site is also used to host dev & QA environments. DR sites are typically activated for a short period of time, and when the main site/DC is restored, the DR site goes back to an idle state. is there an alternative to tying up investment in a DR site, using the evolution in the technologies used in the DC, that still ensures continuity of operations?

can cloud & cloud based services provide enterprises with the desired level of continuity along with financial flexibility? in my opinion, this is a subject worth further exploration.

during a disaster, you either operate at the same or a reduced business service SLA around performance & availability compared to the main site. the requirements from the DR site are “elastic” in nature: most of the time, the compute requirement around CPU and memory is pretty low, except when the site is activated and operations are run from the DR site. usually it is the storage that has consistent use. now, one of the major advantages of cloud computing is meeting elastic demands. put two and two together..i feel there has to be a case to use cloud for IT continuity!

one of the possible challenges is the consistency of the virtualization technology within the enterprise with that of the cloud computing provider. i do not think the cloud computing provider fraternity has something like an interoperable virtualized image across different cloud providers and private cloud platforms..(or maybe they have. this is something i have not tracked in the google-sphere yet!). so basically what that means is you are stuck with the set of cloud computing providers who use the same virtualization technology as you use in-house in your DCs for the time being. but compared to having idle investment in your dedicated DR sites, this may be a small trade-off.

some points that i can think of while evaluating cloud platforms for DR & IT service continuity are – licensing of your existing apps (does the licensing allow you to run the apps from a cloud computing setup?), connectivity options to allow migration of large amounts of data/images to the cloud computing provider's setup, how you are going to keep the images of your apps etc in the cloud environment up-to-date with necessary patches, the security policies of the providers, and client access mechanisms.

will update as and when i have discussions with more customers on this topic!

Cisco’s Collaboration Framework – My Views

While searching for information on Cisco UCS, I came across some sites where Cisco’s acquisitions were being discussed.

In the past few months, Cisco made some pretty interesting acquisitions. When each acquisition is looked at individually, some make sense and some don’t. But if you step back, a picture starts to emerge. Some of the acquisitions made by Cisco are:-

· Webex – for USD 3.2 billion – meetings over the web

· Postpath – USD 215 million – email and collaboration. It has been the most surprising acquisition from Cisco.

· Jabber – financials not known – Jabber has developed a “carrier-class” platform based on open standards that can work across multiple messaging systems, such as AOL Instant Messenger, Google Talk, Yahoo Messenger and Office Communications Server

· Ironport – USD 830 million – email anti virus and anti spam

· Five Across – an 11 member company which allows large companies to easily add social networking features to their websites

· SoonR – USD 9.1 million given to SoonR – a backup service focused on enabling access to your files from mobile devices. SoonR syncs your files to cloud storage via a downloadable client that runs in the background on both Macs and PCs. When you’re on the go, you can access these files with the web browser on your mobile phone.

· Recently Cisco/Webex introduced remote desktop management and patch management capabilities in the Webex client. I have no idea as of now where Cisco is headed with these developments in Webex, but it just might be a sign of things to come from Cisco.

Where is Cisco headed with these acquisitions? Well, my thoughts on how Cisco might be planning to play with features from the companies it has acquired can be summarized by the figure below. (I know the handwriting is not clear, but I didn’t have a scanner so I used a camera phone, and anyway, like the saying goes, a picture is worth a thousand words..)

Cisco's Collaboration Framework - My View


Cisco might be planning to take on Microsoft & IBM on business collaboration by using these acquisitions.