We talk to Bryan Doerr, CTO, Savvis Inc. on how a business can best protect its cloud computing investment
Analysts and vendors may say that cloud computing has moved beyond hype but are businesses ready for adoption? What has been holding up adoption till now? What are the compelling business and technical arguments (if any) for adoption? What would a complete solution look like?
There are a number of converging factors that have given rise to cloud computing’s emergence as a new IT service delivery option.
1. Today’s shared hosting platform economics reflect continued resource infusion at the compute processor, memory, and bandwidth levels. Without this expanded capacity, the abstraction levels necessary to effectively isolate customers wouldn’t be possible
2. The increased adoption of virtualization technologies, service-oriented architectures (SOAs), and ubiquitous computing standards have expanded the availability of lower-cost and massively scalable computing-related services (Gartner)
3. The ability to develop and deploy feature-rich user interfaces
4. The capability to distribute access and quickly connect to hardware and software at a low cost usually using Internet-based access
Adoption has been cautious because while cloud computing is a simple model, it requires a great deal of consideration on the part of the enterprise. In our conversations with IT executives, the words may differ, but there is a unifying thread regarding the decision to outsource IT functions; specifically that the service provider will not deliver as expected. This limits adoption of what is otherwise a clear choice when viewed from an organizational core competency perspective.
In short, outsourcing infrastructure makes sense, but only when IT executives envision compelling, tangible rewards that far outweigh perceived risks.
In terms of security, how do you work with customers to prevent potential unauthorized access, inappropriate use and loss of control of proprietary corporate information and applications? Who is and should be responsible for corporate policy distribution, management and control?
Savvis works closely with our customers to define the access, authorization, and authentication controls they require. Savvis provides a user interface to enhance our customers’ visibility to the controls they are interested in reporting against. In addition, Savvis supports Group Policy and Fine Grain Entitlements to enable authorized access and log any attempts at unauthorized access.
There are security challenges in cloud-based infrastructures. Conventional infrastructure security controls designed for dedicated hardware do not map well to virtualized environments. To address these challenges, virtual infrastructure architectures must have well-defined security policies and procedures in place. Additionally, although they will never be identical to existing dedicated security controls, there must be compatibility between the technology advances in security protections specifically designed for virtualized environments and traditional controls.
When considering cloud-based infrastructure, understanding the technology and process issues contribute to the challenges of effectively mitigating risk. Two main technology challenges are security attacks designed to exploit a hypervisor and security attacks targeted towards other virtual machines that reside on the same physical host. The lifecycle of the VM and its changes in state as it moves through the environment is important to understand. VMs can be on, off, or suspended. VMs can also be unallocated in storage, with no state associated with them. It is important to continually assess a VM’s vulnerabilities and apply updated security patches to VMs that are off, suspended, and unallocated.
In addition, virtualized environments may provide limited visibility to inter-VM traffic flows. These traffic flows are not visible to traditional network-based security protection devices, such as the network-based intrusion prevention systems (IPSs) located in the data center network. A virtualized IPS solution, integrated with the hypervisor, could prevent direct communication between hosted partitions within the virtual server. One way to secure the virtual infrastructure is to require virtualized security capabilities be inline with the virtual network and between the guest operating systems to provide visibility and protection against attack. The challenge is that signature, filters, and rule updates are needed for offline VMs. In addition, VMs should be protected from tampering while VMs are in motion.
Process challenges must also be addressed, including defining separate administration of server configurations from the administration of network, security, and storage configurations and addressing VM sprawl, or the situation where the number of VMs being created is growing more quickly than an enterprise’s ability to control the overall environment.
Both provider and customer dimensions must be considered when designing access control requirements. Responsibility lies with the customer for all customer specific controls. For infrastructure controls (Firewall, Intrusion Detection, Security Policy, OS Hardening) Savvis works with our customers to understand their requirements and define measurable controls.
How do you address performance issues? Quality-of-service commitments and service-level agreements from cloud computing vendors may not meet corporate availability, legal, budgetary and insurance requirements. Who is responsible for loss of revenue/profits from a significant cloud-computing outage, high network load or insufficient bandwidth access as a result of a denial of service?
Obviously the relationship needs to begin with trust and honesty between customer and provider. We work closely with customers to map out their needs and provide measurement points to ensure confidence in the provided services.
With Savvis’ open cloud environment, all critical pieces of the infrastructure are considered. Savvis does not oversubscribe the compute environment and we offer 99.9% availability which covers:
1. Instance availability
2. Connectivity to the instance
3. Virtualization Operating System
4. Instance Operating System
5. Access to the Utility Storage service
6. Power in the data center
When it comes to application/software management, it is exceedingly difficult to manage and administer a virtualized corporate IT environment. It may be impossible or impractical to attempt to manage the cloud. What tools exist for the buyer to monitor and manage multiple cloud-computing vendors and their products?
There are currently no industry standards for cloud computing. As a leader in this space, Savvis has joined the Distributed Management Task Force (DMTF), the industry organization leading the development, adoption and promotion of interoperable management standards and initiatives. Savvis Dedicated Cloud Compute delivers a fully dedicated virtualized compute environment hosted from our state-of-the-art data centers and managed by our hosting professionals.
Using virtualization technology powered by VMware, the Savvis Dedicated Cloud Compute solution can be partitioned into multiple self-contained virtual machines, each capable of running its own operating system and set of applications, dramatically reducing the high cost and management hassles associated with server sprawl.
Once deployed, customers can easily add instances automatically through the SavvisStation Portal. The API interface offers customers the ability to integrate SavvisStation information into customers’ management tools. Whether you're supporting seasonal site traffic on your web site, or expanding your test and development environments, Savvis Dedicated Cloud Compute can dramatically improve operational efficiencies while reducing the total cost of ownership (TCO) of having an enterprise-class environment dedicated to your needs.
Is there any way for a business to address governance and regulatory compliance? Outsourcing of any services brings into question oversight and cloud-computing vendor procedures, processes, internal tools and third-party auditor access. What vendor-supplied software tools exist for the buyer to provide for cloud-computing vendor governance and regulatory compliance?
This question transcends cloud computing and brings to light several areas that businesses need to consider when they investigate managed service types and vendors of managed services; however, first the business needs to understand their compliance requirements on an application-by-application basis. Armed with this information, vendor practices can be considered. Savvis works closely with its clients to help them understand how their compliance responsibilities are allocated across the environment. This area continues to evolve in the managed services industry.
Where cloud computing is concerned the regulatory challenges are amplified by the issues of virtualization and shared platforms, some of which were identified in Question 2. These challenges will be addressed with maturity in the cloud computing offerings and through vendors that deeply understand how to apply proven practices from traditional environments to cloud services.
In terms of finance, the classical issue of a variable vs. fixed-cost management seems to be still around. Finance departments demand budgets to be projected with accuracy, committed to as part of a financial allocation plan and managed with continual diligence and oversight. How do you control IT costs in a services and cloud-computing utility billing model, and when should a cloud-computing variable cost be converted to an internal IT fixed cost?
In terms of managing costs, cloud computing offers customers the ability to dial up and dial down their IT costs according to their needs on a month-to-month basis. This is far more control over IT costs than has ever been available before.
Here are 3 examples:
1. A web promotion company constantly runs web promotions on a month-to-month basis for different clients. With cloud computing, the company can use cloud services to support that jump in usage and bill it back to its customer accurately.
2. Similarly, SaaS (software as a service) vendors can benefit from cloud services through the flexibility to conduct customer trials, without the need to buy the infrastructure (e.g., for a CRM trial). In fact, for SaaS vendors, the use of cloud computing could speed up their time to market from 30 days to a few hours.
3. Lastly, for companies who run large testing and development environments, cloud compute allows them to address multiple pain points – giving them the capacity to run different pieces of development at the same time, dial up capacity when testing is needed and dial it down when testing is done without a break in normal performance or the need to purchase extra infrastructure.
For the IT manager, what would he need to ensure be in place before, during and after embarking on a cloud computing implementation? Are there things that he should be looking out for? What are the top 3 things you can advise him to keep an eye on in a cloud computing implementation?
IT Managers need to consider price and flexibility as they always have. However, there are more factors to consider when designing infrastructure for IT applications. Infrastructure architects must be mindful of countless requirements affecting infrastructure design and the suitability of services. These include:
1. Application architectural requirements
2. Security design
3. Compliance reporting requirements
4. End-user performance sensitivity and correlation to resource demands
5. Data protection and recovery times and points
6. Capacity planning
7. Uptime requirements
IT Managers need to look for suppliers that:
- Put the cloud into context: No enterprise IT infrastructure can exist purely in a cloud, so one must take into context that your cloud components must combine with other IT resources
- Consider the true cost of the cloud: Hourly billing is attractive to customers but most enterprise requirements can and should be managed on a monthly basis, so hourly billing can sometimes lead to spiraling costs
- Consider the maturity of your provider: Look for a provider that can offer you value beyond just cost reduction
- Security: Is the vendor environment oversubscribed? What are your performance standards? Ask these questions up front to ensure your mission critical applications are protected. What access controls are in place? How is my data integrity maintained?
Will an IT manager be able to determine effectiveness and productivity returns? How can he show the CIO/CFO ROI or other measurable on an investment in cloud computing?
IT decision makers who think most creatively about how to leverage cloud today are examining how their cost, control, and end-user experience metrics will benefit from various types of cloud offerings — often in combination with traditional managed services — and are starting to experiment with these options. Clearly, by viewing IT as a strategic tool, these executives recognize that to maneuver for competitive advantage in today’s rough economic currents, testing the cloud waters is a necessity rather than a luxury.