It may look and sound like a duck, but it isn’t
Depending on whom you are speaking with when the topic of cloud computing surfaces you will certainly get a number of different perspectives. As I’ve shared in past writings, cloud computing is generally quantified into one of three buckets: revolutionary, evolutionary, and more of the same. While the first two have merit, it is the last one I feel is a bit short sighted… and here is why.
Many famous and influential people in the IT space have more than once said cloud computing is more of the same and nothing more than a marketing twist on what has been going on for decades.
“The interesting thing about Cloud Computing is that we’ve redefined Cloud Computing to include everything that we already do. . . . I don’t understand what we would do differently in the light of Cloud Computing other than change the wording of some of our ads.” (Larry Ellison, quoted in the Wall Street Journal, September 26, 2008)
“A lot of people are jumping on the [cloud] bandwagon, but I have not heard two people say the same thing about it. There are multiple definitions out there of ‘the cloud.’” (Andy Isherwood, Hewlett-Packard’s Vice President of European Software Sales, quoted in ZDnet News, December 11, 2008)
“This year's overhyped IT concept is cloud computing. But, hype aside, cloud computing is nothing new. It's the modern version of the timesharing model from the 1960s, which was eventually killed by the rise of the personal computer. It's what Hotmail and Gmail have been doing all these years, and it's social networking sites, remote backup companies, and remote email filtering companies such as MessageLabs. Any IT outsourcing - network infrastructure, security monitoring, remote hosting - is a form of cloud computing.” (Bruce Schneier, in his blog post titled “Cloud Computing,” June 4, 2009)
So, right off the bat I’m going against the grain.
I’ll be the first to say that history is littered with cloud-like solutions that seem to be virtually identical to what we’re calling the cloud today. Application Service Providers (ASP) in the 90’s provided a wide range of on-line services ranging from website platforms and back office databases to web services and on-line applications. Take this site, for example: realsecurity.us, which you’re reading now. My provider offers me a cornucopia of tools, utilities, software, and a database that I have used to build this site, which sounds a lot like Platform as a Service (PaaS) in cloud vernacular. I vividly recall many years ago when the company I was working for used a core application that was essentially on-line and running on someone else’s servers, which by today’s standard is called Software as a Service (SaaS). The list of comparisons is long, but does that really mean it’s more of the same?
While there are a vast number of old style IT examples that on the surface appear identical to what is being touted as cloud computing, there are a few basic, deeply rooted attributes beneath the surface that fundamentally make cloud computing uniquely different. More importantly what makes cloud computing different is the collision of multiple attributes – some new, some reflective of 1960’s technology - in the post-Internet age.
The first of these attributes should be no surprise: virtualization. Now, before you start bantering on about IBM’s S/370 and other 1972 technology, we have to acknowledge the full spectrum of virtualization today, such as the layering of virtual systems, applications, databases, networks, and network devices, to name a few, and the environment that we’re working in. For example, there are virtual system-aware routers and switches, virtual environment management platforms, and the fact that much of the system base is off-the-shelf server platforms. This isn’t a huge mainframe or an S/390, it is hundreds of traditional servers spread across multiple locations acting as a unified resource pool. Although virtualization of the 70’s and 80’s did have networking elements, today’s virtualization can encompass the network to create virtualized networks and virtual networking systems, such as firewalls, routers, IDS, and just about anything that can be codified. I will be the first to admit that one dominant development in today’s virtualization – the integration of hypervisor technology into the chipset – is very reflective of old school models that were built into the processor, but upper layer dynamics remain far more comprehensive and, more importantly, accessible.
The next level of differentiation enabled by the broader realization of virtualization is the elasticity today’s cloud represents. Elasticity is the dynamic allocation of historically rigid computing resources, such as storage, processors, memory, and other features normally associated with physical changes to the system. Granted, there are similar situations in older technologies, but they were not nearly as dynamic and in some cases required software modifications to recognize the change. With technology from 20 years ago you could provide more or less system resources to a guest and do so fairly quickly with limited impact. But either the guest was using a specific application on a platform that supported such changes or manual intervention was required to manage the resource modifications. By comparison to today’s cloud elasticity these and other challenges are generally moot. Moreover, the overall physical environment of past scenarios was limited. Of course, it may have been several large systems with dozens, maybe even hundreds of processors in a datacenter, but this was extraordinarily expensive to build and even more to scale. Today’s cloud is enabled by the network, allowing resources to be shared and accessed throughout multiple environments using generally inexpensive hardware, and can be added to quickly and cheaply. Therefore, while elasticity did exist several decades ago, it is now far more fluid and dynamic, offering options that go well beyond what used to be possible.
I recall a time when I was working for a national retail company experimenting with ecommerce for internal product and warehouse management for large scale vendors and partners. I was asked to design and build a system to support the application, which ultimately resulted in the purchase of several very large IBM Intel-based PC-like servers, something new to the environment. The demands on the system were woefully underestimated and in less than a few months the systems were overwhelmed, even after exploiting all the hardware expansion options, such as memory, multiple processors, new blades to speed up the bus, and a slew of other additions at a substantial cost. The demand on the systems normalized and actually began to decrease rapidly because of more strategic changes in the business model. The company had invested a great deal and started to question the ROI. Within a year the project was scrapped. The gist of the story is that the company wanted to try something new and progressive although unsure of how it would resonate and even less sure about its longevity. In reality, I could argue it would have lasted far less time if the company didn’t spend so much on getting it stood up, creating a “this will work or else” culture. Fast forward to today and that same scenario would be very different in the cloud. Resources could be allocated and expanded at will without being left with a pile of expensive idle hardware sitting on your books.
Elasticity is possible because of dramatic advancements in virtualization and enabled thanks to the ubiquitous access to inexpensive hardware, which can come in many different forms due to the abstraction from application-level activities. The concept of dynamically expanding or contracting an environment based on need, and doing so across multiple environments without concern for platform interdependencies, provides the foundation for the next attribute: utility. Based on elasticity, the pay-for-what-you-use, pay-by-the-byte, and all-you-can-eat concepts become a reality in the cloud. The utility nature of the cloud has completely changed the perspective of IT for many organizations by converting what has always been capital expenditure to operational expenditure. In short, this greatly reduces fiscal liability and ensures you are spending on what is needed at that moment as opposed to having to spend today based on projected needs. Not only do utility and elasticity differentiate the cloud for consumers, but they are valuable to the provider in working with consumers and partners.
I’ve had this discussion many times and this is the point where “more of the same” chanters start to throw stones. The argument, of course, is that the utility attribute of the cloud has existed in IT for decades, and I agree – to a point. The difference is the granularity and diversity of what is possible in constituting a utility delivery, cost, and pricing model. One example is time. Today you can increase or decrease storage, processor, memory, or throughput with a click of a mouse and have it applied instantly. Moreover, there are methods to create a policy so that when certain conditions exist the resources are modified according to predefined performance and demand metrics. Then there are all the features of the system, such as storage, processor, memory, and bandwidth, but these are very simplistic and basic compared to some of the other tunable attributes. In short, there is a wide range of possibilities that providers can offer to consumers and partners in the valuation of cloud computing services that range from the network to the application and everything in between – each representing new options and combinations to best meet the demand.
Rooted in virtualization that anonymizes the hardware, scale, and distribution, we have a highly elastic environment that provides for new delivery and cost models that are very attractive to consumers, all combining to represent a broad, highly tunable, and sophisticated computing platform. The end result can be summarized as abstraction. In simple terms this is the separation of traditional computing features from the application and information. As a result, this raises a number of interesting characteristics about cloud computing that are unique.
First is the service oriented delivery of the cloud, meaning that resources can be used in part, in whole, or in combinations that were not possible or conceived of in early “cloud-like” environments from the past. This is analogous to having different aspects of an application and data management being performed using portions of cloud services in different combinations to facilitate an end result. For example, a customer using Salesforce.com can have Ribbit included for a fully integrated unified communications capability. From the consumer’s perspective the integration is seamless, but in reality the providers have harmonized cloud services that come together and can do so in different ways depending on the need without compromising the delivery of Salesforce.com or Ribbit. Some may say this is no different from past scenarios, such as shopping cart application services that provide integrated services from multiple providers. However, again, the level of integration, the diversity of what can be accomplished and the utility aspects are reflective of a substantially different capability.
Of course, the second interesting characteristic is security. Unfortunately, this is where the difference between cloud computing and old school environments does not work in the favor of the cloud. Abstraction of applications and information from the systems and network introduces greater separation between the valued assets of an organization and its owners. This isn’t simply having a database on a provider’s system in their facility, such as this very article that exists as files on some distant server I have no control over – it is much, much more.
Those who say that the cloud is more of the same, and refer to virtualization, time slicing, and ASP services of the past, have not fully recognized – in my humble opinion – that those examples are either basic service delivery models or, more specifically, isolated layers of abstraction. For example, in discussing virtualization of the past and comparing it to what we have today - and all that is implied – there are a number of similarities. I’ve discussed these and the differences above. However, there is more to the story at a much higher level of perspective, and it has to do with abstraction.
The virtualization of the past did indeed offer abstraction. However, the point that is being missed in discussion of today’s cloud is the multiple layers of abstraction that are unique to the cloud. This isn’t simply a pile of operating systems running on virtual hardware anymore. The cloud is rapidly moving beyond virtual hardware and is expanding the core concept to materialize as virtual processes, application stacking, and communications that add multiple layers of abstraction and add more and more parties to the delivery of the final service. There are virtualized systems using other virtualized systems, which in turn are using others, creating a complex web of computational interactions that are difficult to quantify, especially for security.
It is these layers of abstraction and how they are interacting that not only make the cloud not more of the same, but have challenged the very framework of security. The discussion so far has been general in nature to demonstrate that the cloud isn’t more of the same, and to think so diminishes what is really happening and what will come; in other words, ignorance, which I think will be proven to be very dangerous thinking in time. To this point, the cloud is evolutionary within the IT space; it is the next manifestation of IT, similar to its predecessor, but not the same. However, when viewed through the lens of security the culmination of virtualization and the elasticity it provides that drives a utility, service oriented model, facilitating the multi-dimensional layers of abstraction, the cloud appears revolutionary, and not in a good way.
If for no other reason, the fact that security (i.e., risk, compliance, governance, policy, standards, management, etc.) has proven to be a substantial challenge in the cloud is more than enough to demonstrate that the cloud is not more of the same. What used to be an environment you could point to and say “I’ve secured that system” is now comprised of potentially dozens of different services being used from various providers with different levels of interaction and responsibilities.
I begin to think about the increasing number of security issues of web-applications in traditional IT environments and the vast number of critical vulnerabilities that continually surface due to the complexity and dynamic nature of today’s Internet-facing applications. Few will argue that application security is on the front burner of most security executives because it is such a challenge and represents a tangible risk - and this is an environment where the system (e.g., web-app) is fully within the control of the organization! Consider the potential that exists when the same environment is partially or completely out of your domain of control. Granted, a simplistic example, but you can see the point; extrapolate from there.
There is a lot of activity in the security industry in developing a meaningful and actionable security architecture for the cloud. However, some of these are applying 20th century security strategies to a 21st century environment. It’s almost as if the security industry is also falling victim to the “more of the same” view. However, I honestly do not believe that is the case and see current activities as embryonic, starting with what you know, and good, positive momentum that in time will create a compelling and “revolutionary” approach to security.
Interestingly, some in the IT and security industry do see the cloud as evolutionary. I was giving a speech on the cloud in New York recently to a large number of IT and security professionals and asked the question… is it revolutionary, evolutionary, or more of the same? No one raised their hand on revolutionary, most on evolutionary, and more than a few were adamant it was more of the same (the only vocal responses to the ad hoc survey). However, if you are a business person and see IT for what it truly is – a means to do business and not “the” business – then the cloud is revolutionary, in a good way. In a similar speech to an audience comprised entirely of business professionals, the same question was asked and every hand was raised for revolutionary and none for the others.
When one considers this result, you have to begin to question those who think the cloud is more of the same. IT has become more and more aligned to the business and the fact that so many are adopting and employing ITIL/ITSM is evidence of this reality. Therefore, if IT is working diligently to give the business what it needs to realize its mission and that same business sees the cloud as revolutionary in business terms, why are those in IT steadfast in defending technology and concepts from decades ago? It’s almost like IT is cutting its nose off to spite its face and missing an opportunity. Actually, it is more than missing an opportunity, it is getting set up for failure because the cloud is coming no matter what and by the time the naysayers accept the eventuality the cloud will be very different and far more comprehensive than it is today.
Why am I writing on this? Everyone is allowed their own perspective, no? Well, of course. Nevertheless, when I hear people argue the point that the cloud is simply more of the same – “just a marketing term” – and do so with such conviction, it leads me to believe that it is not being taken seriously. When you do not take something seriously, respect the nuances it represents, and further assume it is exactly the same as the environments you are comfortable with, it is inevitable that your underestimation will have repercussions.
Maybe this is the security side of me talking or echoes of when I was a boxer… you never underestimate the enemy – never. I’ve crawled into the ring with a fighter with only a fraction of my weight and skill, yet I was dismantled because I did not respect the challenger, assuming he was nothing more than the same, falling victim to my own ignorance… call it a lesson learned the hard way. In typical security fashion, a Sun Tzu quote says it all:
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
Basically, if you assume it is more of the same you will apply the same theories and while you will experience some success, it will come at the cost of more than your fair share of failures and missed opportunity.
The cloud is not more of the same. It may appear similar, offering a warm blanket of misplaced familiarity you can wrap around your ego. But the reality is you must respect it for what it is and will become, otherwise you too will be caught off guard and be defeated by your own, self-inflicted ignorance.