Report on Cloud Computing
Short Description
Download Report on Cloud Computing...
Description
DELHI TECHNOLOGICAL UNIVERSITY DELHI
DEPARTMENT OF CIVIL AND ENVIRONMENTAL ENGINEERING
CLOUD COMPUTING INTERNET SAFETY
1
ABSTRACT Cloud computing is basically an Internet-based network made up of large numbers of servers - mostly based on open standards, modular and inexpensive. Clouds contain vast amounts of information and provide a variety of services to large numbers of people. The benefits of cloud computing are Reduced Data Leakage, Decrease evidence acquisition time, they eliminate or reduce service downtime, they Forensic readiness, they Decrease evidence transfer time The main factor to be discussed is security of cloud computing, which is a risk factor involved in major computing fields This paper describes cloud computing, a computing platform for the next generation of the Internet. The paper defines clouds, explains the business benefits of cloud computing, and outlines cloud architecture and its major components. Readers will discover how a business can use cloud computing to foster innovation and reduce IT costs. Introduction Enterprises strive to reduce computing costs. Many start by consolidating their IT operations and later introducing virtualization technologies. Cloud computing takes these steps to a new level and allows an organization to further reduce costs through improved utilization, reduced administration and infrastructure costs, and faster deployment cycles. The cloud is a next generation platform that provides dynamic resource pools, virtualization, and high availability. Cloud computing describes both a platform and a type of application. A cloud computing platform dynamically provisions, configures, reconfigures, and deprovisions servers as needed. Cloud applications are applications that are extended to be accessible through the Internet. These cloud applications use large data centers and powerful servers that host Web applications and Web services.
CONTENTS
2
1. 2. 3. 4.
5.
6. 7. 8.
9. 10. 11. 12. 13. 14. 15. 16. 17. 18. 19.
Whai is a cloud computing? History What is driving cloud computing? Types of services: Infrastructure-as-a-service (IaaS) Platform-as-a-service (PaaS) Software-as-a-service (SaaS) Types of visibility: Public cloud Hybrid cloud Private cloud How does cloud computing work? A typical cloud computing system Seven technical security benefits of the cloud: Centralized data Incident response/forensics Password assurance testing Logging Improve the state of security software (performance) Secure builds Security testing Adoption fears and strategic innovation opportunities Will cloud computing transform IT? Software via the internet: Microsoft in cloud computing Opportunities and challenges Benefits Application Conclusion APPENDIX A- Deployment model matrix APPENDIX B- Hybrid cloud concept model APPENDIX C- Cloud computing definition BIBLIOGRAPHY
3
What is a Cloud computing? Cloud computing is Internet- ("CLOUD-") based development and use of computer Technology ("COMPUTING") Cloud computing is a general term for anything that involves delivering hosted services over the Internet.
It is used to describe both a platform and type of application.
Cloud computing also describes applications that are extended to be accessible through the Internet. These cloud applications use large data centers and powerful servers that host Web applications and Web services. Anyone with a suitable Internet connection and a standard browser can access a cloud application.
User of the cloud only care about the service or information they are accessing - be it from their PCs, mobile devices, or anything else connected to the Internet - not about the underlying details of how the cloud works.” History The Cloud is a metaphor for the Internet, derived from its common depiction in network diagrams (or more generally components which are managed by others) as a cloud outline.
4
The underlying concept dates back to 1960 when John McCarthy opined that "computation may someday be organized as a public utility" (indeed it shares characteristics with service bureaus which date back to the 1960s) and the term The Cloud was already in commercial use around the turn of the 21st century. Cloud computing solutions had started to appear on the market, though most of the focus at this time was on Software as a service. 2007 saw increased activity, including Goggle, IBM and a number of universities embarking on a large scale cloud computing research project, around the time the term started gaining popularity in the mainstream press. It was a hot topic by mid-2008 and numerous cloud computing events had been scheduled. WHAT IS DRIVING CLOUD COMPUTING? The CLOUD COMPUTING is driving in two types of categories .They are as follows: o o
Customer perspective Vendor perspective
Customer perspective:
In one word: economics Faster, simpler, cheaper to use cloud computation. No upfront capital required for servers and storage. No ongoing for operational expenses for running datacenter. Application can be run from anywhere.
Vendor perspective:
Easier for application vendors to reach new customers. Lowest cost way of delivering and supporting applications. Ability to use commodity server and storage hardware. Ability to drive down data center operational cots. Types of services:
These services are broadly divided into three categories: Infrastructure-as-a-Service (IaaS) Platform-as-a-Service (PaaS) Software-as-a-Service (SaaS).
5
Infrastructure-as-a-Service (IaaS): Infrastructure-as-a-Service(IaaS) like Amazon Web Services provides virtual servers with unique IP addresses and blocks of storage on demand. Customers benefit from an API from which they can control their servers. Because customers can pay for exactly the amount of service they use, like for electricity or water, this service is also called utility computing. Platform-as-a-Service (PaaS): Platform-as-a-Service(PaaS) is a set of software and development tools hosted on the provider's servers. Developers can create applications using the provider's APIs. Google Apps is one of the most famous Platform-as-a-Service providers. Developers should take notice that there aren't any interoperability standards (yet), so some providers may not allow you to take your application and put it on another platform. Software-as-a-Service (SaaS): Software-as-a-Service (SaaS) is the broadest market. In this case the provider allows the customer only to use its applications. The software interacts with the user through a user interface. These applications can be anything from web based email, to applications like Twitter or Last.fm. Types by visibility: Public cloud: Public cloud or external cloud describes cloud computing in the traditional mainstream sense, whereby resources are dynamically provisioned on a fine-grained, self-service basis over the Internet, via web applications/web services, from an off-site third-party provider who shares resources and bills on a fine-grained utility computing basis. Hybrid cloud: A hybrid cloud environment consisting of multiple internal and/or external providers ] "will be typical for most enterprises". A hybrid cloud can describe configuration combining a local device, such as a Plug computer with cloud services. It can also describe configurations combining virtual
6
and physical, colocated assets—for example, a mostly virtualized environment that requires physical servers, routers, or other hardware such as a network appliance acting as a firewall or spam filter.
Private cloud: Private cloud and internal cloud are neologisms that some vendors have recently used to describe offerings that emulate cloud computing on private networks. These (typically virtualisation automation) products claim to "deliver some benefits of cloud computing without the pitfalls", capitalising on data security, corporate governance, and reliability concerns. They have been criticized on the basis that users "still have to buy, build, and manage them" and as such do not benefit from lower up-front capital costs and less hands-on management [, essentially "[lacking] the economic model that makes cloud computing such an intriguing concept". While an analyst predicted in 2008 that private cloud networks would be the future of corporate IT, there is some uncertainty whether they are a reality even within the same firm. Analysts also claim that within five years a "huge percentage" of small and medium enterprises will get most of their computing resources from external cloud computing providers as they "will not have economies of scale to make it worth staying in the IT business" or be able to afford private clouds. Analysts have reported on Platform's view that private clouds are a stepping stone to external clouds, particularly for the financial services, and that future datacenters will look like internal clouds. The term has also been used in the logical rather than physical sense, for example in reference to platform as a service offerings, though such offerings including Microsoft's Azure Services Platform are not available for on-premises deployment.
7
How does cloud computing work? Supercomputers today are used mainly by the military, government intelligence agencies, universities and research labs, and large companies to tackle enormously complex calculations for such tasks as simulating nuclear explosions, predicting climate change, designing airplanes, and analyzing which proteins in the body are likely to bind with potential new drugs. Cloud computing aims to apply that kind of power—measured in the tens of trillions of computations per second—to problems like analyzing risk in financial portfolios, delivering personalized medical information, even powering immersive computer games, in a way that users can tap through the Web. It does that by networking large groups of servers that often use low-cost consumer PC technology, with specialized connections to spread data-processing chores across them. By contrast, the newest and most powerful desktop PCs process only about 3 billion computations a second. Let's say you're an executive at a large corporation. Your particular responsibilities include making sure that all of your employees have the right hardware and software they need to do their jobs. Buying computers for everyone isn't enough -- you also have to purchase software or software licenses to give employees the tools they require. Whenever you have a new hire, you have to buy more software or make sure your current software license allows another user. It's so stressful that you find it difficult to go.
8
A typical cloud computing system Soon, there may be an alternative for executives like you. Instead of installing a suite of software for each computer, you'd only have to load one application. That application would allow workers to log into a Web-based service which hosts all the programs the user would need for his or her job. Remote machines owned by another company would run everything from e-mail to word processing to complex data analysis programs. It's called cloud computing, and it could change the entire computer industry. In a cloud computing system, there's a significant workload shift. Local computers no longer have to do all the heavy lifting when it comes to running applications. The network of computers that make up the cloud handles them instead. Hardware and software demands on the user's side
9
decrease. The only thing the user's computer needs to be able to run is the cloud computing system's interface software, which can be as simple as a Web browser, and the cloud's network takes care of the rest. There's a good chance you've already used some form of cloud computing. If you have an e-mail account with a Web-based e-mail service like Hotmail, Yahoo! Mail or Gmail, then you've had some experience with cloud computing. Instead of running an e-mail program on your computer, you log in to a Web e-mail account remotely. The software and storage for your account doesn't exist on your computer -- it's on the service's computer cloud.
SEVEN TECHNICAL SECURITY BENEFITS OF THE CLOUD:
1. CENTRALIZED DATA: •
Reduced Data Leakage: this is the benefit I hear most from Cloud providers - and in my view they are right. How many laptops do we need to lose before we get this? How many backup tapes? The data “landmines” of today could be greatly reduced by the Cloud as thin client technology becomes prevalent. Small, temporary caches on handheld devices or Netbook computers pose less risk than transporting data buckets in the form of laptops.
10
Ask the CISO of any large company if all laptops have company ‘mandated’ controls consistently applied; e.g. full disk encryption. You’ll see the answer by looking at the whites of their eyes. Despite best efforts around asset management and endpoint security we continue to see embarrassing and disturbing misses. And what about SMBs? How many use encryption for sensitive data, or even have a data classification policy in place? •
Monitoring benefits: central storage is easier to control and monitor. The flipside is the nightmare scenario of comprehensive data theft. However, I would rather spend my time as a security professional figuring out smart ways to protect and monitor access to data stored in one place (with the benefit of situational advantage) than trying to figure out all the places where the company data resides across a myriad of thick clients! You can get the benefits of Thin Clients today but Cloud Storage provides a way to centralize the data faster and potentially cheaper. The logistical challenge today is getting Terabytes of data to the Cloud in the first place.
2. •
INCIDENT RESPONSE / FORENSICS: Forensic readiness: with Infrastructure as a Service (IaaS) providers, I can build a dedicated forensic server in the same Cloud as my company and place it offline, ready for use when needed. I would only need pay for storage until an incident happens and I need to bring it online. I don’t need to call someone to bring it online or install some kind of remote boot software - I just click a button in the Cloud Providers web interface. If I have multiple incident responders, I can give them a copy of the VM so we can distribute the forensic workload based on the job at hand or as new sources of evidence arise and need analysis. To fully realise this benefit, commercial forensic software vendors would need to move away from archaic, physical dongle based licensing schemes to a network licensing model.
•
Decrease evidence acquisition time: if a server in the Cloud gets compromised (i.e.
11
broken into), I can now clone that server at the click of a mouse and make the cloned disks instantly available to my Cloud Forensics server. I didn’t need to “find” storage or have it “ready, waiting and unused” - its just there. •
•
•
•
Eliminate or reduce service downtime: Note that in the above scenario I didn’t have to go tell the COO that the system needs to be taken offline for hours whilst I dig around in the RAID Array hoping that my physical acqusition toolkit is compatible (and that the version of RAID firmware isn’t supported by my forensic software). Abstracting the hardware removes a barrier to even doing forensics in some situations. Decrease evidence transfer time: In the same Cloud, bit fot bit copies are super fast - made faster by that replicated, distributed file system my Cloud provider engineered for me. From a network traffic perspective, it may even be free to make the copy in the same Cloud. Without the Cloud, I would have to a lot of time consuming and expensive provisioning of physical devices. I only pay for the storage as long as I need the evidence. Eliminate forensic image verification time: Some Cloud Storage implementations expose a cryptographic checksum or hash. For example, Amazon S3 generates an MD5 hash automagically when you store an object. In theory you no longer need to generate time-consuming MD5 checksums using external tools - it’s already there. Decrease time to access protected documents: Immense CPU power opens some doors. Did the suspect password protect a document that is relevant to the investigation? You can now test a wider range of candidate passwords in less time to speed investigations.
3. PASSWORD ASSURANCE TESTING (AKA CRACKING): • •
Decrease password cracking time: if your organization regularly tests password strength by running password crackers you can use Cloud Compute to decrease crack time and you only pay for what you use. Ironically, your cracking costs go up as people choose better passwords ;-). Keep cracking activities to dedicated machines: if today you use a distributed password cracker to spread the load across non-production machines, you can now put those agents in dedicated Compute instances and thus stop mixing sensitive credentials with other workloads.
4. LOGGING: • • •
“Unlimited”, pay per drink storage: logging is often an afterthought, consequently insufficient disk space is allocated and logging is either non-existant or minimal. Cloud Storage changes all this - no more ‘guessing’ how much storage you need for standard logs. Improve log indexing and search: with your logs in the Cloud you can leverage Cloud Compute to index those logs in real-time and get the benefit of instant search results. What is different here? The Compute instances can be plumbed in and scale as needed based on the logging load - meaning a true real-time view. Getting compliant with Extended logging: most modern operating systems offer extended logging in the form of a C2 audit trail. This is rarely enabled for fear of performance degradation and log size. Now you can ‘opt-in’ easily - if you are willing to pay for the enhanced logging, you can do so. Granular logging makes compliance and investigations easier.
5. IMPROVE THE STATE OF SECURITY SOFTWARE (PERFORMANCE): •
Drive vendors to create more efficient security software: Billable CPU cycles get noticed. More attention will be paid to inefficient processes; e.g. poorly tuned security agents. Process accounting will make a comeback as customers target ‘expensive’ processes. Security vendors that understand how to squeeze the most performance from their software will win.
12
6. SECURE BUILDS: •
• •
Pre-hardened, change control builds: this is primarily a benefit of virtualization based Cloud Computing. Now you get a chance to start ’secure’ (by your own definition) - you create your Gold Image VM and clone away. There are ways to do this today with bare-metal OS installs but frequently these require additional 3rd party tools, are time consuming to clone or add yet another agent to each endpoint. Reduce exposure through patching offline: Gold images can be kept up securely kept up to date. Offline VMs can be conveniently patched “off” the network. Easier to test impact of security changes: this is a big one. Spin up a copy of your production environment, implement a security change and test the impact at low cost, with minimal startup time. This is a big deal and removes a major barrier to ‘doing’ security in production environments.
7. SECURITY TESTING: •
Reduce cost of testing security: a SaaS provider only passes on a portion of their security testing costs. By sharing the same application as a service, you don’t foot the expensive security code review and/or penetration test. Even with Platform as a Service (PaaS) where your developers get to write code, there are potential cost economies of scale (particularly around use of code scanning tools that sweep source code for security weaknesses).
Adoption fears and strategic innovation opportunities Adoption-fears Security: Many IT executives make decisions based on the perceived security risk instead of the real security risk. IT has traditionally feared the loss of control for SaaS deployments based on an assumption that if you cannot control something it must be unsecured. I recall the anxiety about the web services deployment where people got really worked up on the security of web services because the users could invoke an internal business process from outside of a firewall. The IT will have to get used to the idea of software being delivered outside from a firewall that gets meshed up with on-premise software before it reaches the end user. The intranet, extranet, DMZ, and the internet boundaries have started to blur and this indeed imposes some serious security challenges such as relying on a cloud vendor for the physical and logical security of the data, authenticating users across firewalls by relying on vendor's authentication schemes etc., but assuming challenges as fears is not a smart strategy. Latency: Just because something runs on a cloud it does not mean it has latency. My opinion is quite the opposite. The cloud computing if done properly has opportunities to reduce latency based on its architectural advantages such as massively parallel processing capabilities and distributed computing. The web-based applications in early days went through the same perception issues and now people don't worry about latency while shopping at Amazon.com or editing a document on Google docs served to them over a cloud. The cloud is going to get better and better and the IT has no strategic advantages to own and maintain the data centers. In fact the data centers are easy to shut down but the applications are not and the CIOs should take any and all opportunities that they get to move the data centers away if they can. SLA: Recent Amazon EC2 meltdown and RIM's network outage created a debate around the availability of a highly centralized infrastructure and their SLAs. The real problem is not a bad SLA but lack of one. The IT needs a phone number that they can call in an unexpected event and have an up front estimate about the downtime to manage the expectations. May be I am simplifying it too much but this is the crux of the situation. The fear is not so much about 24x7 availability since an on-premise system hardly promises that but what bothers IT the most is inability to quantify the impact on business in an event of non-availability of a system and set and manage expectations upstream and downstream. The non-existent SLA is a real issue and I believe there is a great service innovation opportunity for ISVs and partners to help CIOs with the adoption of the cloud computing by providing a rock solid SLA and transparency into the defect resolution process.
13
Strategic innovation opportunities Seamless infrastructure virtualization: If you have ever attempted to connect to Second Life behind the firewall you would know that it requires punching few holes into the firewall to let certain unique transports pass through and that's not a viable option in many cases. This is an intra-infrastructure communication challenge. I am glad to see IBM's attempt to create a virtual cloud inside firewall to deploy some of the regions of the Second Life with seamless navigation in and out of the firewall. This is a great example of a single sign on that extends beyond the network and hardware virtualization to form infrastructure virtualization with seamless security. Hybrid systems: The IBM example also illustrates the potential of a hybrid system that combines an on-premise system with remote infrastructure to support seamless cloud computing. This could be a great start for many organizations that are on the bottom of the S curve of cloud computing adoption. Organizations should consider pushing non-critical applications on a cloud with loose integration with on-premise systems to begin the cloud computing journey and as the cloud infrastructure matures and some concerns are alleviated IT could consider pushing more and more applications on the cloud. Google App Engine for cloud computing is a good example to start creating applications on-premise that can eventually run on Google's cloud and Amazon's AMI is expanding day-by-day to allow people to push their applications on Amazon's cloud. Here is a quick comparison of Google and Amazon in their cloud computing efforts. Elastra's solution to deploy EnterpriseDB on the cloud is also a good example of how organizations can outsource IT on the cloud.
Will cloud computing transform IT? Technology allows access to seemingly limitless power, storage
For a business, the electricity that flows from an outlet seems endless. And water will stream out of the tap without worry -- businesses pay only for what they use. But computing power hasn't been so seamless. Data storage hardware can accept only a finite number of bytes. When businesses enter into monthlong server contracts, it takes days to add more capacity. If usage surpasses a server's capacity, it will crash. Cloud computing, the super-hyped tech term of the moment, aims to change that. Cloud computing, utility computing, Web 3.0 and grid computing are all jargon to describe a simple concept: Access to seemingly limitless computing power and storage space via the Internet. If you use Google's Gmail service for e-mail, you've touched the cloud. As of Monday, millions of Gmail users had 7,045 free megabytes of e-mail space each -- more than enough to store more than 7 million plain text e-mails. That's the triumph of cloud computing. The downside, however, was illustrated one day last week when Gmail suffered an outage, and millions temporarily ost laccess to their e-mails.
14
'Incredible transformation' Increasingly, big firms are launching into "the cloud" to sell services, while small firms plug in, waving goodbye to the server hidden in the closet. "The future is about having a platform in the cloud," Microsoft Chief Steve Ballmer said of the trend in a July e-mail to employees. The company has invested heavily in new products that will be announced in upcoming months. About four years ago, Seattle-based Amazon.com Inc. began hatching a way to sell access to its complex computer systems. The company had already built up a robust infrastructure to support the world's largest online retail operation -- so why not let other businesses tap in? Amazon launched its Web Services in 2006, and more than 400,000 developers have signed on to pay for services such as storage space, database access and computing power. "Over the next decade you are going to see an incredible transformation, in my opinion," Amazon Chief Executive Jeff Bezos told shareholders earlier this year. "It doesn't really make sense for most companies to have their own data centers, just as it doesn't make sense for most companies to produce their own electric power." Examples of businesses that rely on Amazon are Twitter and even The New York Times, which uses Amazon to partly host its "TimesMachine," the newspaper's archives, including full-page image scans of papers going back to the 1800s. Amazon's price for Web services starts in the pennies -- to use its Elastic Compute Cloud, for instance, Amazon charges 10 cents per hour per server. "We routinely send people monthly bills for 17 cents," Bezos said. "If you store a gigabyte of data for a month, we'll send you a bill for 15 cents." Though Web services are still a tiny segment of Amazon's total business, representing less than 3 percent of revenue, in the past year, the bandwidth used by its Web services surpassed the bandwidth needed for Amazon.com's retail operations. "To me, cloud computing conjures up the image of something being very fluid and being very flexible," said Aaron Darcy, one of the product line managers at Red Hat, an open source software provider in Raleigh, N.C. "The benefits of the cloud are not only time-to-market but also pay-as-you go type of model." Information technology budgets at nontech companies are shrinking, Darcy said, forcing IT managers to look into new resources. "It is the trendy thing right now," he said. It also has bigger implications for business innovation. Using Salesforce.com's free service, for example, any developer with a computer and an Internet connection can build a business application without a dime. This sort of ability could be as disruptive a force in society as the printing press or the spread of technology, said Paul McNamara, chief executive of Coghead Inc., a California software company that helps programmers to build applications in the cloud. "History shows us that the most disruptive and market changing technologies are ones that enable a broad class of people to do what, previously, only an elite class could do," he said. Clouds of different shapes
15
No two clouds are the same -- Google's cloud offerings look different from Amazon's, which differ from AT&T's, and so on. Microsoft's cloud computing strategy is still under wraps -- the company hasn't shared any details publicly, but plans to unveil its strategy in the coming months. Executives' recent comments suggest that Microsoft will soon offer businesses a way to launch applications using Microsoft's infrastructure. Speaking on the topic last month, Microsoft Chief Technology Officer Ray Ozzie told financial analysts, "I think it is a very, very significant transformation. The simplest way that I would explain it to my neighbor who isn't in the industry is that, you know, there's a computer on the desktop. ... There's that computer in the data center, you know, that you walk by in your company. But there's a new computer that is available up in the cloud, and it is going to be transformational in terms of how people write and build solutions once they can assume that they can leverage that resource up there." Microsoft has already been described as a player in the "cloud computing" arena. But Microsoft's current offerings differ from Amazon's in many ways. The Redmond company began selling pay-as-you-go storage space in 2008, in the form of SQL Server Data Services, but does not yet sell pay-as-you-go computing power. Microsoft is investing in data centers for a full-scale blowout of cloud computing offerings in 2009. Microsoft also offers free Internet software services via its Windows operating system. Such free services -- another iteration of "cloud computing" -- include Windows Live's SkyDrive, which is online file storage for individuals, and Photo Gallery, which lets people share photos and videos. This aspect of cloud computing is also shared by Salesforce.com and Google, both major players in the sector. Google Apps, which includes online word processing and spreadsheets, is now sold to businesses. And Google App Engine lets developers build Web applications using Google's systems. The list of companies trying to get in on the action reads like a who's who of technology firms. IBM has been ramping up and taking its offerings to businesses around the globe, most recently launching two new "cloud centers," in Tokyo and Raleigh, N.C.. In March, the company joined the Industrial Development Agency of Ireland to establish what it calls Europe's first cloud computing center in Dublin. It will focus on research and business development. And Dell is trying to trademark the term "cloud computing." How it works Isn't cloud computing just another word for outsourcing? Sort of, says David Pollock, Seattle-based consultant at Deloitte. "Cloud computing is the next step in outsourcing." The concept of cloud computing began in the late 1990s, with the dot-com boom. But serious adoption began around 2003 and has been growing, particularly in 2008.
16
"Salesforce.com has done more than anybody just because of their willingness to go after the market," said Pollock, who helps clients decide on IT systems. Salesforce.com's clients are larger enterprises rather than startups, said Ariel Kelman, a senior director at Salesforce.com, based in San Francisco. "The big difference is that cloud computing is a much simpler approach that is easier for people to get from idea to application in a shorter period of time," he said. "The complexity is removed. There's no need to think about software and versions. ... Things don't break as often. ... The whole goal of cloud computing is to make business applications as easy as buying a book on Amazon.com." More partnerships will have to be formed to allow different functions to be integrated, Kelman said. That's why SalesForce has partnered with Google to offer Google Apps with its services. Cloud computing, of course, isn't fluffy. It depends on giant deployments of hundreds of thousands of servers -pushing the limits on power and efficiency. Backups are not at one site far away, but at multiple sites, said Geoffrey Noer, senior director of product management at Rackable Systems in Fremont, Calif., which installs farms of computer servers for large companies including Yahoo and Google. Cloud computing has increased demand for his company's services. "One of the big trends in cloud computing is not to make any one server super robust or super redundant but to handle redundancy through software," Noer said. "If a single server goes down, or a rack or a whole data center goes down, another one picks up."
Rain on the cloud's parade Cloud computing, or whatever it ends up being called, still faces major obstacles. First is reliability. When one of Amazon's Web services went down recently, users had no access to their files for more than six hours. Another is security, experts say. Before adopting cloud computing as a solution, companies must ask themselves, "How much of your information do you really want hosted off-site?" Deloitte's Pollock said. "That's a thorny little question that has to be addressed. In order for cloud computing to work, your data has to be stored off of your premises." Companies are already working to address problems. San Francisco-based Hyperic Inc. has developed cloudmonitoring software, for example, to help companies deal with outages. "As the industry solves both of those (reliability and security), I think we're going to see massive, massive scale out in the cloud," said Stacey Schneider, senior marketing director at Hyperic. "Even if it's a wild success today, it's going to blow your mind in the next two to three years. "People are going to have to deal with the fact that the cloud is here to stay."
17
Software via the Internet: Microsoft in ‘Cloud’ Computing
.
18
In 1995, Microsoft added a free Web browser to its operating system in an attempt to fend off new rivals, an effort ultimately blocked by the courts. This week, it plans to turn that strategy upside down, making available free software that connects its Windows operating system to software services delivered on the Internet, a practice increasingly referred to as “cloud” computing. The initiative is part of an effort to connect Windows more seamlessly to a growing array of Internet services. The strategy is a major departure for Microsoft, which primarily sells packaged software for personal computers. With this new approach, Microsoft hopes to shield its hundreds of millions of software customers from competitors like Google and Salesforce.com, which already offer software applications through the Internet. Microsoft’s new Windows Live software suite includes an updated electronic mail program, a photo-sharing application and a writing tool designed for people who keep Web logs. The new service is an indication that Microsoft plans to compete head-on against archrival Google and others, and not only in the search-engine business where it is at a significant disadvantage. Instead, Microsoft will try to outmaneuver its challengers by becoming the dominant digital curator of all a user’s information, whether it is stored on a PC, a mobile device or on the Internet, industry executives and analysts said. Millions of PC users already rely on Web applications that either provide a service or store data. For instance, Yahoo and Google do their own forms of cloud computing, offering popular e-mail programs and photo-sharing
19
sites that are accessible through a Web browser. The photos or the e-mail messages are stored on those companies’ servers. The data is accessible from any PC anywhere. Hundreds of companies in Silicon Valley are offering every imaginable service, from writing tools to elaborate dating and social networking systems, all of which require only a Web browser and each potentially undermining Microsoft’s desktop monopoly. Google, the most visible example, took cloud computing a step further last October and directly challenged Microsoft by offering a suite of free word-processing and spreadsheet software over a browser. “To the extent that the industry is moving toward an on-demand business model, it poses a threat to Microsoft,” said Kenneth Wasch, president of the Software and Information Industry Association and a longtime Microsoft adversary. Microsoft is a late entrant to a set of businesses that are largely defined as Web 2.0, but the company is counting on its ability to exploit its vast installed base of more than one billion Windows-based personal computers. It plans to give away some of its services, like photo-sharing and disk storage, while charging for others like its computer security service and a series of business-oriented services aimed at small and medium-size organizations. “I think Microsoft is going beyond search to a more sophisticated set of services,” said Shane Robison, executive vice president and chief strategy and technology officer at Hewlett-Packard. “It will be a race, and who knows who will get there first?” Brian Hall, general manager for Microsoft’s Windows Live services, said, “We’re taking the communications and sharing components and creating a set of services that become what we believe is the one suite of services and applications for personal and community use across the PC, the Web and the phone.” He said the software would be the first full release of Windows Live that is intended to produce a “relatively seamless” experience between the different services and applications. The Windows Live service — which will be found at www.live.com — includes new versions of the company’s Hotmail and Messenger communications services as well as Internet storage components. Microsoft executives said there were roughly 300 million active users each on the Hotmail and Messenger services, with some overlap. The software release will offer PC users the option of downloading a set of the services with a single Unified Installer program, or as separate components. The individual services are Windows Live Photo Gallery, Windows Live Mail, Windows Live Messenger 8.5 and Windows Live OneCare Family Safety, a computer security program.
20
The release, though it includes the Windows Live Writer blogging application, carefully avoids cannibalizing two of Microsoft’s mainstays, the Word and Excel programs. Windows Live services also underscore Microsoft’s desire to become the manager for a user’s data wherever it is located. Although they will not be included in the initial test release, the company’s recently announced SkyDrive online data storage service and its FolderShare service are being folded into Windows Live. SkyDrive currently gives test users 500 megabytes of free Internet storage, while FolderShare makes it possible to synchronize between multiple computers — including Apple’s Macintosh computers. “When you think storage, think Windows Live,” Bill Gates said in an interview this summer. Microsoft is moving to create an experience that will divorce a user’s information from the particular device the person is working with at any moment, he said. Microsoft’s new approach is in many ways a mirror image of the strategy used during the 1990s in defeating Netscape Communications when the start-up threatened Microsoft’s desktop dominance. Microsoft tried to tie the Internet to Windows by bundling its Internet Explorer Web browser as an integral part of its desktop operating system. The company lost an antitrust lawsuit in 2000 brought by the Justice Department in response to this bundling strategy. Today, that strategy has been flipped with the growing array of Web services that are connected to Windows. But the new approach, which the company refers to as “software plus services,” is once again beginning to draw industry charges of unfair competition from competitors. To head off that challenge, Microsoft has been participating in various international organizations that are setting standards over a wide range of services: from those aimed at consumers, like blog-editing and photo-sharing applications, to automated business processes like Web-based customer relationship management systems for sales staff and automatic ordering and logistics applications. Last week, for example, Microsoft executives were put on the defensive after the company’s efforts to gain international adoption for a Microsoft-designed document format known as Office Open XML, led to charges of vote-buying in an international standards vote in Sweden. After the charges received international publicity during the week, the Swedish Standards Institute reversed its position and decided to abstain on the issue, and a Microsoft executive apologized publicly for the gaffe. On Wednesday, Jason Matusow, Microsoft’s senior director for intellectual property and interoperability, wrote on his Web site: “I understand the concern raised by this error in judgment by an MS employee. The only thing I can
21
say is that the right things were done as the issue was identified. The process and vote at S.I.S. were not affected.” Microsoft did not specify what actually had transpired. While the industry dispute over document formats was visible last week, several Microsoft competitors were quietly pointing to another standards issue that may prove to be a significant advantage for software giant in the future. A set of Web services standards that have emerged from the World Wide Web Consortium might give Microsoft a performance advantage, according to industry executives at three companies, who declined to be identified because they are Microsoft business partners. Microsoft’s standards efforts have angered its competitors because four years ago the software publisher argued publicly against adding compression features that are designed to improve performance to industry Web services standards. Now, however, Microsoft has developed its own compression standards that will potentially make its versions of Web services perform better than those of their competitors. “They’re playing the game right,” said a rival. “The idea is to offer a solution that works better in an all-Microsoft environment.” On Friday, a spokesman for Microsoft said that services that take advantage of the Web standards effort like Silverlight, a new system for displaying multimedia content via a Web browser that competes with Adobe’s Flash media player, would not be included in the first release of Windows Live, but would be added in the future.
Opportunities and Challenges The use of the cloud provides a number of opportunities: • It enables services to be used without any understanding of their infrastructure. • Cloud computing works using economies of scale. It lowers the outlay expense for start up companies, as they would no longer need to buy their own software or servers. Cost would be by on-demand pricing. Vendors and Service providers claim costs by establishing an ongoing revenue stream. • Data and services are stored remotely but accessible from ‘anywhere’. In parallel there has been backlash against cloud computing: • Use of cloud computing means dependence on others and that could possibly limit flexibility and innovation. The ‘others’ are likely become the bigger Internet companies like Google and IBM who may monopolise the market. Some argue that this use of supercomputers is a return to the time of mainframe computing that the PC was a reaction against. • Security could prove to be a big issue. It is still unclear how safe outsourced data is and when using these services ownership of data is not always clear. • There are also issues relating to policy and access. If your data is stored abroad whose FOI policy do you adhere to? What happens if the remote server goes down? How will you then access files? There have been cases of users being locked out of accounts and losing access to data.
22
Benefits: Cloud computing infrastructures can allow enterprises to achieve more efficient use of their IT Hardware and software investments. They do this by breaking down the physical inherent in isolated systems, and automating the management of the group of systems as a single entity. Cloud computing is an example of an ultimately virtualized system, and a natural evolution for Data centers that employ automated systems management, workload balancing, and virtualization technologies. A cloud infrastructure can be a cost efficient model for delivering information services
Application: A cloud application leverages cloud computing in software architecture, often eliminating the need to install and run the application on the customer's own computer, thus alleviating the burden of software maintenance, ongoing operation, and support. For example: • • • • • • o o
Peer-to-peer / volunteer computing (BOINC, Skype) Web applications (Webmail, Facebook, Twitter, YouTube, Yammer) Security as a service (MessageLabs, Purewire, ScanSafe, Zscaler) Software as a service (Google Apps, Salesforce,Nivio,Learn.com, Zoho, BigGyan.com) Software plus services (Microsoft Online Services) Storage [Distributed] Content distribution (BitTorrent, Amazon CloudFront) Synchronisation (Dropbox, Live Mesh, SpiderOak, ZumoDrive
Conclusion: In my view, there are some strong technical security arguments in favour of Cloud Computing - assuming we can find ways to manage the risks. With this new paradigm come challenges and opportunities. The challenges are getting plenty of attention - I’m regularly afforded the opportunity to comment on them, plus obviously I cover them on this blog. However, lets not lose sight of the potential upside. Some benefits depend on the Cloud service used and therefore do not apply across the board. For example; I see no solid forensic benefits with SaaS. Also, for space reasons, I’m purposely not including the ‘flip side’ to these benefits, however if you read this blog regularly you should recognise some.
23
We believe the Cloud offers Small and Medium Businesses major potential security benefits. Frequently SMBs struggle with limited or non-existent in-house INFOSEC resources and budgets. The caveat is that the Cloud market is still very new - security offerings are somewhat foggy - making selection tricky. Clearly, not all Cloud providers will offer the same security.
Appendix A – Deployment Model Matrix Private Cloud: The cloud infrastructure is owned or leased by a single organization and is operated solely for that organization. Community Cloud: (The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g. mission, security requirements, policy, and compliance considerations) Hybrid Cloud: The cloud infrastructure is a composition of two or more clouds (internal, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g. cloud bursting)
Publ icClo ud
Hybr id Cl oud
Com mun ity C loud
Priva teClo ud
Public Cloud: Cloud infrastructure is owned by an organization selling cloud services to the general public or to a large industry group)
X X X X X X
X
X
X
X
X X X X X X X X X X X X X X X X
X X X X X X X X X X X X X
X X X X X X X X X X X
X X X X X X X
X X X X X X X X
X X X X
X X
X X X
InfrastructureLocation On-Premise (Internal or behindthe firewall) Off-Premise (external or outside the firewall) OperationsModel (responsible partyfor applyingthe securitycontrols, patching, etc) Service Provider Operated Government Operated Third Party Vendor Operated GovernanceModel (Responsible party for ensuringcompliance to policies and standards, etc) Service Provider Government Third Party Vendor DataSecurityLevel Low Moderate High Cost Model Upfront Capital expenditure Ongoingsupport cost Demand basedService fee Timetodeploy Immediate Mid term Longterm AccessibleandConsumedBy AdminUsers TrustedConsumers(Employees, Contractors) Public Consumers(Authorized to consume services but not legally a part of the organization/Government) ServiceTypes Citizen Engagement Services Software-as-a-Service (SaaS) Platform-as-s-Service(PaaS) Infrastructure-as-a-Service (IaaS) Traditional hostingServices
X X X X
Service provider owned Government owned Third Party Vendor owned
X X
InfrastructureOwnershipModel (Ownership of Physical infrastructure such as facilities, network,, compute and storage)
24
Appendix B – Hybrid Cloud Concept Model
25
Appendix C – Cloud Computing Definition Definition Cloud computing is a pay-per-use model for enabling available, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is comprised of five key characteristics, three delivery models, and four deployment models. Key Characteristics: On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed without requiring human interaction with each service's provider. Ubiquitous network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs). Location independent resource pooling. The provider's computing resources are pooled to serve all consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. The customer generally has no control or knowledge over the exact location of the provided resources. Examples of resources include storage, processing, memory, network bandwidth, and virtual machines. Rapid elasticity. Capabilities can be rapidly and elastically provisioned to quickly scale up and rapidly released to quickly scale down. To the consumer, the capabilities available for rent often appear to be infinite and can be purchased in any quantity at any time. Pay per use. Capabilities are charged using a metered, fee-for-service, or advertising based billing model to promote optimization of resource use. Examples are measuring the storage, bandwidth, and computing resources consumed and charging for the number of active user accounts per month. Clouds within an organization accrue cost between business units and may or may not use actual currency. Note: Cloud software takes full advantage of the cloud paradigm by being service oriented with a focus on statelessness, low coupling, modularity, and semantic interoperability. Delivery Models Cloud Software as a Service (SaaS). The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure and accessible from various client devices through a thin client interface such as a Web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure, network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings. Cloud Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created applications using programming languages and tools supported by the provider (e.g., java, python, .Net). The consumer does not manage or control the underlying cloud infrastructure, network, servers, operating systems, or storage, but the consumer has control over the deployed applications and possibly application hosting environment configurations.
26
Cloud Infrastructure as a Service (IaaS). The capability provided to the consumer is to rent processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly select networking components (e.g., firewalls, load balancers). Deployment Models Private cloud. The cloud infrastructure is owned or leased by a single organization and is operated solely for that organization. Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). Public cloud. The cloud infrastructure is owned by an organization selling cloud services to the general public or to a large industry group. Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (internal, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting). Each deployment model instance has one of two types: internal or external. Internal clouds reside within an organizations network security perimeter and external clouds reside outside the same perimeter. Note 1: Cloud computing is still an evolving paradigm. Its definitions, use cases, underlying technologies, issues, risks, and benefits will be refined in a spirited debate by the public and private sectors. These definitions, attributes, and characteristics will evolve and change over time. Note 2: The cloud computing industry represents a large ecosystem of many models, vendors, and market niches. This definition attempts to encompass all of the various cloud approaches.
27
Bibliography:
Web guild.org
http://www.webguild.org/ How stuff works.com http://communication.howstuffworks.com/ Cloud security.org http://cloudsecurity.org IBM http://www.ibm.com/developerworks/websphere/zones/hipods/ Google suggest http://www.google.com/webhp?complete=1&hl=en Software as a service, Wikipedia, http://en.wikipedia.org/wiki/Software_as_a_service
Welcome to the Data Cloud, The Semantic Web blog, 6 Oct 2008, http://blogs.zdnet.com/semantic-web/?p=205
Any any old data, Paul Walk’s blog, 7 Oct 2008, http://blog.paulwalk.net/2008/10/07/any-any-any-old-data/
Seattle post intelligence http://seattlepi.nwsource.com/business/375501_cloudcomputing19.html
28
29
View more...
Comments