The Virtualization Practice

Cloud Computing

Cloud Computing focuses upon how to construct, secure, manage, monitor and use public IaaS, PaaS, and SaaS clouds. Major areas of focus include barriers to cloud adoption, progress on the part of cloud vendors in removing those barriers, where the line of responsibility is drawn between the cloud vendor and the customer for each of IaaS, PaaS and SaaS clouds, as well as the management tools that are essential to deploy in the cloud, ensure security in the cloud and ensure the performance of applications running in the cloud. Covered vendors include Amazon, VMware, AFORE, CloudSidekick, CloudPhysics, ElasticBox, Hotlink, New Relic, Prelert, Puppet Labs and Virtustream.

Cloud.com had lined itself up with Citrix by using only XenServer in the commercially-licensed version of its IaaS product, and now is being used by Citrix to ensure OpenStack supports XenServer (which it doesn’t at the moment), presumably to keep Red Hat’s KVM under control and VMware out. We’ve also been trawling through the available OpenStack documentation to understand why NASA thinks its cloud is more scalable than Eucalyptus. It seems to be all to do with how the state information is passed amongst the various servers that make up the system. GPL-based Open Core models break down when you move to multi-vendor foundations because the cross-licensing of IPR under GPL immediately infects the recipient codebase, and precludes commercial licensing of the resulting combined work. The result is that the GPL Open Core business model doesn’t work in the same way, and both Eucalyptus and Cloud.com cannot apply their current business model in these multi-vendor foundations. It is a big blow for Eucalyptus. They have turned their biggest potential customer into a massive and credible competitor, built in their own image (only – at least from a PR perspective – much more scalable).

In OpenStack the API is implemented in a separate service which translates external HTTP requests into commands across the internal message bus, and so it looks (on the face of it) possible for someone (preferably Oracle) to implement the Oracle DMTF submission as a separable new API server module without disrupting the OpenStack architecture.

The Wall Street Journal had an interesting article on how the United States General Services Administration has approved the acquisition of some cloud services for use by the Federal Government, including many of the Google Apps such as Gmail, Google Docs, etc. Since these services are for sale as well as freely available, this sounds more like an admission that they can be used. Will other governments follow suit? But should they be used? That is really the question.

There are two sides to any government, the classified and the unclassified. These are general terms that quantify how the government can use services. While all services require quite a bit of security, classified utilization requires even more, in many cases what most would consider to be “uber-security” requirements: the types of requirements that impact usability in some way. Can these tools provide adequate security?

Whilst I have been away on vacation, something fairly interesting has happened in the area of Open Source initiatives for Infrastructure as a Service in the form of a new initiative from NASA and Rackspace called OpenStack. You may remember in our last post in this area, we noted that there was a proliferation of offerings in the IaaS space, and it was in the customer’s best interest for there to be effective migrateability (or even mix and match) amongst public and/or private clouds. However, the API standards to support interoperability are proving elusive.

Cloud and hosting providers are aggressively investing in new Intel Xeon servers that can have as many as 32 cores per server (4 processors with 8 cores each). Some of this investment is in response to current demand for actual capacity from customers. Some of it is investing ahead of the curve so that the cloud vendor is properly positioned when the demand arrives. The growth and the hype in the cloud is such that there is highly likely to be an overbuild of capacity at some point and then a crash and a period of consolidation – just as there was with ASPs and the .com companies.

When you read books on virtualization, cloud computing, security, or software product sheets, a common word that shows up is Policy. Tools often claim to implement Policy, while books urge you to read or write your Policy. But what does Policy imply?

Webster (webster.com) defines policy as:

1 a : prudence or wisdom in the management of affairs b : management or procedure based primarily on material interest
2 a : a definite course or method of action selected from among alternatives and in light of given conditions to guide and determine present and future decisions b : a high-level overall plan embracing the general goals and acceptable procedures especially of a governmental body

When you read “policy” in product literature and books, you are looking at definition number 2, and often a over b. But what does this mean to those who administer and run virtual environments or make use of cloud services?

Microsoft to Bring the Cloud to the Datacenter with Server App-V

Microsoft is bringing its strongest assets – the installed base of its key products in the enterprise, and its library of commercial and custom built applications (and their associated developer communities) along with compelling new technologies like Server App-V to the virtualization and cloud fight. Leveraging Azure and App-V along with these existing enterprise assets makes Microsoft into a much more potentially formidable competitor to VMware than Microsoft is today based solely upon Hyper-V.

During the Virtualization Security Podcast on 6/22, Steve Orrin of Intel and Dennis Morreau of RSA joined us to discuss the impact of the Intel Westmere chips’ built-in Trusted Platform Module (TPM) and Trusted Execution Technology (TXT) on Cloud and Virtualization Security. TPM is not all that new, but TXT’s usage in virtualization security is new. Both together can form a hardware root of trust for the virtual environment.

At the moment, however, these technologies are limited to just providing a secure launch of a well-known hypervisor within the hardware. As such, they have not been extended to the virtual machine. TXT, however, solves a very important issue that, at the time the book VMware vSphere and Virtual Infrastructure Security was written, had theoretical solutions; I speak of Blue Pill style attacks. There were rumors of Hyperguard or Guard Hype tools becoming available, but they are only research projects. TXT, on the other hand, offers protection from Blue Pill style attacks.