Erick Schonfeld submits: Amazon (AMZN) loves to talk about its Web Services because it positions the company as a bold innovator bringing cloud computing to the unwashed masses and other companies still stuck in the land of legacy data centers. But it is coy when it comes to details about the actual business behind Amazon Web Services, which includes its S3 storage service, EC2 compute cloud, and SimpleDB online database. During its last (Q4) earnings call, Amazon offered up the tidbit that Amazon Web Services (AWS) now us...
On a flight between Seattle and Tokyo. I've just put down The Big Switch, and decided it's time to write about cloud computing and how identity management is going to play a key role in the success of the new paradigm. As you go through this post, please remember that (as always) you are reading my personal opinions/views and not a press release from my employer :-)

Cloud Computing: a nanointroduction

The word "Cloud" is well on its way to becoming one of the most hyped & overloaded terms in the recent history of IT: just enter "Cloud Computing" in your search engine of choice and be prepared to navigate a huge result set. A good way of ramping up on the topic would be to read the recent Forrester report "Is Cloud Computing Ready for the Enterprise?"; or, if you are less technical, you can start by reading the aforementioned The Big Switch (as long as you read those cum grano salis, without ever turning off your critical thinking module).

Cloud Computing is mainly a new deployment model. Let's say you are the solution architect of an enterprise, and you are in the process of setting up a new capability for your company. As usual, the two big alternatives are to build the solution yourself or to buy it as a service if available, plus all the intermediate approaches which combine the two. If you decide to build even just a little piece of the solution, you are implicitly stepping up for running it too: making sure your datacenter is up to the task (and beefing it up if it's not), installing, updating, handling downtimes and security patches, walking the tightrope between reacting to spikes in workload and keeping costs at a reasonable level, keeping an eye on health indicators, making sure that integration with other solutions runs smoothly... business as usual.
There are many cases in which the above is just a symptom of the tight grip you want to keep on your system: the more aspects you want to control, the higher the overhead associated with it, and there are often good reasons for having full control. OTOH there are a great many cases in which the above is *really* an artifact of how IT works today (habitual readers, I II & III: think of the attribute store that appeared necessary in the pre-token era but was just an artifact of using pure credentials and not identities), and you'd gladly forsake control over some details if it meant easing the administrative burden. If you belong to the second category, cloud computing is for you.

Imagine that a vendor comes to you and offers to host components of your solution in his datacenter. With "host" I don't mean just giving you a slot in their racks, nor just a virtual directory in their web servers. I mean hosting your tables in their store and performing queries for you, hosting service endpoints with ESB-like capabilities, running workflows & long running processes... all things you'd do on your own application servers in your datacenter, with some important differences:

You'll find no shortage of hype about this, the idea IS exciting and important after all, but I'd urge you to resist the temptation of being carried away and burning all the old toys. Even Mr. "IT doesn't matter" Nicholas Carr envisions a future where traditional and cloud approaches are used together:

Let me reiterate my initial point: Cloud Computing is mainly a new deployment model. Another arrow in the quiver of companies and solution architects, one that will work well for slaying certain kinds of monsters. What about the relationship between Cloud Computing and S+S & SaaS? The answer depends on which team you play on. If you are an ISV, the Cloud is a great way of hosting & offering your services.
It saves you many of the headaches you'd have to deal with yourself, the dynamic workload is great, and so on. I am sure you'll hear a lot about deep implications on architecture & business models.

Enterprise Identities and Cloud

Let's say the vendor convinces you to move some of your services "in the cloud"; you pick one of the services with the most erratic CPU utilization pattern and you deploy it in the cloud. Great! In the figure below you can see your new situation, with a "hole" where the service now in the cloud used to be. The service now in the cloud is part of a LoB application, which features a sophisticated authorization policy. This is one of the many benefits you reap from running a great directory (red pyramid). But hey, wait a second! What happens when one of your employees calls the service in the cloud? The service is no longer under the jurisdiction of your directory, hence the Kerberos token that states your employee's affiliation with the Managers group is gibberish: how is the cloud infrastructure supposed to handle authorization the way you originally envisioned? Now that I think of it, we have issues also in the opposite direction. As part of the LoB application, the service in the cloud will likely invoke other services:

After the initial shock, we soon realize there's no reason to panic. We know how to handle the situation; this is exactly like talking with a partner: we can set up a federation with the cloud provider. It is a bit unusual, after all it is our very own service code we are dealing with, but it can be done. In fact, this federation has another unusual aspect: while a classic partnership translates and mediates between two organizations, here one of the parties is pretty much an empty shell. The cloud provider has no users, hierarchies & roles of its own; it is simply an environment designed for running others' code.
It has a "corporate" identity, sure, but it has no claims of its own that need to be translated into ours (and vice versa). Maybe we can solve the situation with something simpler than a full-fledged federation in the classic sense of the word: in fact, I believe that a simple R-STS can save the day. Consider the picture below:

On top of the directory pyramid I added an STS, which can give employees portable identities in the form of interoperable tokens. On the cloud side I added an R-STS, which sits on the multitenant application that takes care of authenticating the calls of the companies that subscribed to the cloud hosting offering. The scroll in the top right corner represents the configuration for our enterprise: you may notice that it contains a small copy of our directory STS; it symbolizes the fact that our cloud infrastructure (read: our R-STS) will trust tokens from our directory (read: it will accept those tokens and will issue transformed tokens in return). How does that help? Simple. It is reasonable to assume that a service hosted in the cloud infrastructure will be configured to accept tokens issued by the cloud R-STS; and with the trust relationship just described, we just ensured that our employees can obtain such a token.

Let me summarize here: the cloud provider can handle authentication of incoming requests to the services it hosts with an R-STS. You can easily manage access control by having that R-STS trust you, and by having a say in the claim transformation rules applied by the R-STS. If you recognized in this what I described in this other post, congratulations: you are on the right track. I'll leave the mirror case as an exercise for the reader; just apply the same logic. If you are in the mood for some out-of-the-box thinking, you may even try to imagine how easy it would be to handle the case of the service hosted in the cloud calling home IF the services still hosted at home had a network addressable presence in the same cloud...
but I told you the solution already ;-)

ISVs, Identities and Cloud

Fine, enterprises can launch their services into orbit and yet make them available to their employees still on the ground. What about ISVs? I guess that some would say they have an even better deal with the cloud when it comes to access control & management. Earlier we saw how the enterprise twisted the behavior of the cloud R-STS to achieve this unusual eigenauthorization, gaining extra advantages (especially if in doing so it discovered the power of claims) but substantially being motivated by protecting its investment during the move to a hybrid model. For the ISV, instead, the R-STS is the ultimate decoupler & the perfect trust broker: it can take care of the onboarding, authentication and integration of the ISV's customers while standardizing the credentials that the ISV service itself needs to understand.

Let's consider an S+S ISV who offers a CRM solution (how original of me) from its own datacenter. Apart from the usual IT problems we already mentioned for the enterprise, the ISV needs to worry about authenticating "foreign" users. The easier it is to integrate the service with customers' IT environments, the lower the entry bar and the higher the probability of doing business: that basically means that the more people you want to onboard, the more swivel-chair integration you should expect to do. You have your authentication criteria and application roles (or claims if you're advanced), and you have to map those to whatever your customer has; somebody will have directories and hierarchies that will map well, smaller shops may simply collapse roles into explicit accounts (user A can do X, user B can do Y). Now consider for a moment the picture below: it represents the service we've seen before, this time from the perspective of external consumption.
Also in this case, authenticating somebody is simply a matter of telling the R-STS that it's OK to emit a token for them; and for the mapping and authorization, again we can take advantage of the policy engine of the cloud provider. The ISV does not need to worry about handling credentials anymore; it becomes a matter of administering the authorization rules, which is more a business problem than a technical one (how does the ISV explain to a potential customer the meaning of the various claims/roles, so that the prospect can make informed decisions about what maps where? Here we do have a need for claim mapping across orgs). In fact, one could even imagine that if a prospect of the ISV is already registered for other reasons with the cloud provider (for example because it is already a customer of another ISV that hosts its services on the same cloud provider), onboarding should be a breeze.

In fact, the picture above suggests an interesting twist: if once a service is hosted in the cloud it is so easy to make it available to others, perhaps in some cases enterprises will end up recovering costs and fighting inefficiencies by acting as ISVs. Think of situations in which you have excess capacity, like a wonderfully automated warehouse that ends up being empty most of the time because you got the sizing wrong. You could "rent" warehouse services (receiving, stocking, retrieving, packaging, shipping) just by taking the services that front the warehouse function, already in the cloud, and opening them to third parties just by changing some policies. I know I said that already, but it's *huge*.
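A toy model of the token chain the post describes, added here as an example and not the post's own code: a directory STS issues a signed group token, the cloud R-STS (trusting that issuer, as the per-tenant "scroll" configures) verifies it and applies the tenant's claim transformation rules, and the hosted service accepts only R-STS tokens. Issuer names, keys and the group-to-role rules are constructed, and HMAC-SHA256 over a JSON body stands in for a real signed token; onboarding a second tenant with different rules is the ISV case from the last section, where opening the service to a new customer is only a policy change.

```python
"""Toy model of the chain described above: directory STS -> cloud R-STS -> hosted
service. Added example, not the post's code; keys, issuer names and claim rules
are constructed. A JSON body plus an HMAC-SHA256 tag stands in for a real token."""
import hashlib
import hmac
import json

def _sign(key: bytes, claims: dict) -> str:
    body = json.dumps(claims, sort_keys=True)
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def _verify(key: bytes, token: str) -> dict:
    """Return the claims if the tag checks out under `key`, else raise ValueError."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        raise ValueError("bad signature")
    return json.loads(body)

def directory_sts_issue(key: bytes, issuer: str, user: str, groups: list) -> str:
    """The STS on top of the enterprise directory: turns the user's group
    membership (what Kerberos would carry on-premises) into a portable token."""
    return _sign(key, {"iss": issuer, "sub": user, "groups": groups})

class CloudRSTS:
    """The cloud provider's multitenant R-STS: trusts each subscribed tenant's
    directory STS and applies that tenant's claim transformation rules."""
    def __init__(self, key: bytes):
        self.key = key
        self.tenants = {}  # issuer name -> {"key": bytes, "rules": {group: role}}

    def onboard(self, issuer: str, issuer_key: bytes, rules: dict) -> None:
        """The 'scroll' in the post: per-tenant trust plus transformation rules."""
        self.tenants[issuer] = {"key": issuer_key, "rules": rules}

    def exchange(self, token: str) -> str:
        """Accept a trusted directory token, emit an R-STS token carrying app roles."""
        issuer = json.loads(token.rpartition(".")[0]).get("iss")
        tenant = self.tenants.get(issuer)
        if tenant is None:
            raise ValueError(f"untrusted issuer: {issuer}")
        claims = _verify(tenant["key"], token)  # checked with that tenant's key only
        rules = tenant["rules"]
        roles = sorted({rules[g] for g in claims["groups"] if g in rules})
        return _sign(self.key, {"iss": "cloud-rsts", "sub": claims["sub"],
                                "tenant": issuer, "roles": roles})

def hosted_service_authorize(rsts_key: bytes, token: str, needed_role: str) -> bool:
    """The service in the cloud understands only R-STS tokens: a directory
    token presented directly is the 'gibberish' of the post and is refused."""
    try:
        claims = _verify(rsts_key, token)
    except ValueError:
        return False
    return claims.get("iss") == "cloud-rsts" and needed_role in claims.get("roles", [])
```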
Amazon Web Services plans to add support for Windows and SQL Server to its cloud computing service, EC2...
March 10, 2008 -- (WEB HOST INDUSTRY REVIEW) -- Cloud computing does not meet the needs of large businesses, but still has definite potential, says a report released by Forrester Research (forrester.com) on Monday. In the report, Staten writes: "Cloud computing looks very much like the instantiation of many vendors' visions of the data center of the future; it's an abstracted, fabric-based infrastructure that enables dynamic movement, growth, and protection of services that is billed like a utility. It also has all the earmarks of a disruptive innovation: It is enterprise technology packaged to best fit the needs of small businesses and start-ups--not the enterprise." The report highlights cloud computing's ability to accelerate the speed at which people can gain services, bypassing traditional IT departments altogether. And unlike other hosting services, services are billed on consumption and the technology infrastructure is optimized for hosting several customers. Meanwhile, Microsoft and Google are also speculated to be developing pay-per-drink computing services, such as hosted server processing and storage. Since these providers are optimized for large-scale hosting, they could potentially serve corporate customers, said Forrester. Amazon Web Services suffered a major outage last month, affecting thousands of sites that rely on its S3 storage and EC2 cloud computing services. The outage led many customers to question the reliability of cloud computing and to have a backup plan in place in case another outage occurs.
That is also why cloud computing is so important to business and enterprise customers, even for those that don't use cloud services. Switching from one web service to another is nowhere near as complex as switching your operating system or even your desktop software. In any event, the vendor does most of the work. As one illustration, we frequently migrate Salesforce customers to Zoho CRM, and the process is nearly fully automated, with human intervention mostly confined to performing quality assurance checks to ensure there are no glitches for the customer. As cloud services compete in a relatively low-friction marketplace and therefore prices fall along with unit costs, it is going to drive prices down even for conventional software.
CherryPal's cloud-based computer is unique because it offers the technology without subscription costs, and only draws two watts of power. The machine has no moving parts, and uses hardware encryption to provide a secure link to the cloud (which is run by Amazon). To offset the costs of the cloud server, short ads are inserted whenever you open a program, but appear at no other time, to remain relatively unobtrusive. Though the device only has a 400 MHz Freescale MPC5121e mobileGT processor and 256 MB RAM, its user experience doesn't drop off because most of the work is done in the cloud. In fact, you are hardly exposed to the Linux-based OS because nearly everything is run from a modified version of Firefox. The CherryPal PC also has 4 GB of NAND Flash storage, 802.11g Wi-Fi, two USB 2.0 ports, 10/100 Ethernet, VGA out, and headphone out. It has a footprint of roughly 6 inches by 4 inches and is about an inch tall. It also comes out of the box with programs like iTunes, Open Office, a custom media player and an IM client, with more programs to appear. Each computer has a cloud storage limit of 50 GB, which is likely to be expanded.

MOUNTAIN VIEW, Calif. (July 21, 2008) - CherryPal, Inc., maker of green, affordable, easy-to-use personal computers, today formally launched its CherryPal™ cloud computer, the most energy efficient and affordable desktop computer available. CherryPal is a completely new type of PC that has no moving parts, contains 80 percent fewer components, uses only two watts of power, and is highly secure. The CherryPal, which is currently available for pre-orders, retails for $249 and requires no monthly subscription fee and no other hidden costs. "Today's typical PC is based on a computing model created 25 years ago, before the Internet, web browsers and global warming," said CherryPal CEO, Max Seybold.
"We have developed a new computing model that makes CherryPal the easiest to use, greenest, most affordable computer available today." The CherryPal desktop is dead simple to set up and boots in 20 seconds. Users simply enter a username and password to access the CherryPalCloud, which offers an incredibly simple, intuitive interface. CherryPal has no exposed operating system, so all applications and functions are managed solely by a Firefox-based browser. CherryPal does all operating system and application upgrading and installation, meaning there is no maintenance required. Because there are no moving parts, there is little possibility of hardware failure. CherryPal also offers a free 24/7 helpline. CherryPal has removed the hassle from personal computing by moving most of the software and data that traditionally sits on the desktop to the Internet. Instead of accessing programs and data from your desktop computer, the majority of information is processed and stored on the web in a highly secure environment called the CherryPalCloud™, which is automatically accessed at boot-up. CherryPal is rolling out a robust "Brand Angels" program that uses advocates and users as its sales force. Brand Angels will communicate their honest experiences with the CherryPal product in exchange for a free CherryPal desktop. Brand Angels receive a small commission for each system sold; buyers also receive a small discount when they purchase their CherryPal from a Brand Angel.
Google's (GOOG) Gmail outage on Monday was the latest stumble for nascent cloud computing services, which are becoming the lifeblood for small businesses and startups. The Gmail outage, along with Amazon's (AMZN) stumbles of late, raises a few key questions: Where's the offline synchronization capability? Can we depend solely on the Web? Is Microsoft's (MSFT) software and services mantra the best path forward?
The biggest threat to the promise of cloud computing to appear this summer wasn't the failed trademark attempt by Dell, but rather brilliant research by a leading white hat security researcher. Dan Kaminsky discovered how a well-known and widespread vulnerability in DNS servers could be exploited in mere seconds, turning any one of millions of servers directing Internet traffic into a cybercrime gold mine. Note: For those unfamiliar with cloud computing, or the delivery of software and other IT-related functionality as a service, you can read more at Archimedius. Some leading technology players involved or associated with cloud computing include: Google (GOOG), Microsoft (MSFT), Dell (DELL), VMware (VMW) and Amazon.com (AMZN).