
Tag Archives: enterprise cloud

The future of cloud, part 2: Harris trusted enterprise cloud

Today at VMworld, Harris Corporation announced its Trusted Enterprise Cloud, a VMware vCloud® Powered service offering for federal and enterprise customers built on best-of-breed technologies, including VMware vCloud® Director. Perhaps the most interesting part is the strong differentiation Harris has built into its cloud infrastructure, which makes it a particularly good fit for this customer base.

There are echoes here of NYSE Euronext’s capital markets approach: both are far from “generic” or “commodity” cloud services. They are clouds specifically designed and operated to solve mission-critical customer needs. Harris is well ahead of some recent announcements that are nothing more than “same old cloud, new building”, marketed as “now for government use.” You’ve heard of “cloudwashing”; maybe the term for this is “GovCloudWashing”?

So what’s the secret sauce? Harris set out to answer comprehensively the question “What makes a cloud trusted?” There are three components: the physical and logical integrity of the cloud itself, the methods and procedures used to operate it, and the people who run it. There’s a lot of substance here, and Chuck Hollis’ blog goes into more detail; I want to focus on Harris’ innovation in the cloud infrastructure layer.

All of the Trusted Cloud hardware components are positively verified to be as the manufacturer intended, with provenance tracked from the source. There’s no room in a trusted cloud for (say) buying the cheapest “white box” server board of unknown origin, because a single untrusted component can compromise the integrity of the overall system. If you think this is far-fetched, consider that everything from NAS arrays to iPods has arrived in customers’ hands pre-loaded with malicious code in the past few years. Then there’s the growing market in counterfeit networking, storage and server spares: by May 2010, US authorities had made more than 700 seizures of counterfeit Cisco gear, more than 94,000 network devices in total.

Secondly, Harris has developed an innovative white-listing approach to verify the integrity of the code and configurations that run on the cloud. Traditional anti-virus systems use black-listing: known malicious code is identified through signatures and blocked. The challenge has been the deliberate, massive proliferation of malicious code variants, and techniques such as code mutation designed to defeat signatures. White-listing is the reverse: only known-good code and configurations (those whose signature, in practice a cryptographic fingerprint of the object’s contents, appears on the “white list”) are allowed. Malicious code, however it mutates or disguises itself, has no matching entry and so cannot run. The guarantee is about unknown objects, though: white-listing does not stop an attacker from misusing something that is already on the list, which is why the configuration files and scripts that steer a trusted program need to be on the list alongside the binaries.

The challenge with white-listing is ensuring you have 100% of the required signatures, given the sheer number of variants of bona fide code and configurations: a missing entry means legitimate software is blocked. Through its 2010 acquisition of SignaCert, Harris has assembled a database of code and configuration signatures covering over 3 billion software objects from more than 2,000 vendors. Harris holds four patents on this technology and has embedded it in its Trusted Enterprise Cloud service.
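To make the mechanism concrete, here is a small added example, written for this page rather than taken from Harris or SignaCert, of content-hash white-listing: a constructed catalogue of known-good objects keyed by SHA-256, a constructed host snapshot, and a check that sorts every object on the host into allowed, modified or unknown. The vendor name, paths and byte strings are stand-ins invented for the example, not real software.

```python
import hashlib


def fingerprint(data: bytes) -> str:
    """The 'signature' of a software object: a hash of its bytes.

    Keying the list on content rather than on path or file name means a
    renamed or relocated binary still matches, and a patched one does not.
    """
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for a vendor catalogue of known-good objects.  The byte
# strings are placeholders, not real binaries; in a real deployment the hashes
# come from the catalogue, never from the host that is being checked.
VENDOR_OBJECTS = {
    ("ExampleVendor", "httpd", "2.2.15"): b"\x7fELF httpd 2.2.15 (constructed stand-in)",
    ("ExampleVendor", "libssl.so", "1.0.0"): b"\x7fELF libssl 1.0.0 (constructed stand-in)",
    ("ExampleVendor", "httpd.conf", "baseline"): b"Listen 443\nSSLEngine on\n",
}
CATALOGUE = {fingerprint(blob): ident for ident, blob in VENDOR_OBJECTS.items()}

# Paths the golden image is expected to contain.  A file at one of these
# paths whose fingerprint is not in the catalogue has drifted from what shipped.
EXPECTED_PATHS = {"/usr/sbin/httpd", "/usr/lib/libssl.so", "/etc/httpd/httpd.conf"}


def classify(path: str, content: bytes):
    """Return (status, catalogue identity) for one object captured from a host."""
    ident = CATALOGUE.get(fingerprint(content))
    if ident is not None:
        return ("allowed", ident)      # exact match with a catalogued object
    if path in EXPECTED_PATHS:
        return ("modified", None)      # known location, but not the bytes the vendor shipped
    return ("unknown", None)           # nothing in the catalogue describes this object


def audit(host_objects: dict) -> dict:
    """Classify every path -> bytes pair captured from a host."""
    return {path: classify(path, blob) for path, blob in host_objects.items()}


# Constructed host snapshot: one clean binary, one trojaned library, one
# configuration that drifted, and two mutations of the same unauthorised payload.
HOST_SNAPSHOT = {
    "/usr/sbin/httpd": VENDOR_OBJECTS[("ExampleVendor", "httpd", "2.2.15")],
    "/usr/lib/libssl.so": b"\x7fELF libssl 1.0.0 (constructed stand-in) + backdoor",
    "/etc/httpd/httpd.conf": b"Listen 443\nSSLEngine off\n",
    "/tmp/.x/payload-a.bin": b"\x90\x90\xcc payload variant A (constructed)",
    "/tmp/.x/payload-b.bin": b"\x90\x90\xcc payload variant B (constructed)",
}


if __name__ == "__main__":
    for path, (status, ident) in sorted(audit(HOST_SNAPSHOT).items()):
        print(f"{status:9s} {path}  {ident or ''}")
```

The two payload variants differ in content, which is exactly what defeats a black-list signature; against the white-list they are simply two objects with no catalogue entry. The configuration file is treated as an object like any binary, so turning SSL off is caught the same way a patched library is.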

This is another strike against the “cloud monoculture” viewpoint: to be relevant to a particular market segment, a cloud must deliver more than on-demand VMs; it must also solve the key infrastructure challenges that distract organizations from their marketplace or mission. For many, including Federal government agencies, assuring a secure cloud platform is exactly such a challenge; Trusted Enterprise Cloud solves it effectively, and that is what distinguishes it from “same basic cloud, shiny new label” offerings.


Getting rid of noisy neighbors: Enterprise class cloud performance and predictability

If you’ve ever lived in a multitenant building like a condo or apartment complex (or flats, as they’re called where I grew up in England), then you know all about the problem of noisy neighbors. One reason many enterprises are leery of public clouds is the same issue: in some multitenant infrastructures, the bad behavior of other tenants can affect the performance of your systems. In fact, it’s more insidious than that: when you’re buying a virtual server instance in an infrastructure cloud, you may not actually get what you pay for due to other tenants stealing physical server resources.

This typically happens because the hypervisor makes each VM think it has exclusive access to the physical server, yet places few limits on how much of the shared CPU, memory, network and storage I/O any one VM can consume. So a VM generating a lot of network traffic gets as much bandwidth as it can use, at the expense of other tenants’ VMs on the same host. The same goes for other types of I/O, especially storage. If your VM is unlucky enough to land on the same physical server as one of these noisy neighbor VMs from another tenant, you won’t get the virtual machine instance you paid for.

If this weren’t bad enough, another consequence is complete lack of predictability – you have no idea what the performance of a given VM will be, since that depends on the other tenants of the service. Some of my cloudy colleagues spent time with IT teams who were running tests to guess the physical server size of their cloud service provider, so they could buy virtual server instances of the same size – guaranteeing that they wouldn’t have any noisy neighbors. It’s a bit like renting an entire building in the apartment complex to make sure you can get a good night’s sleep.

Ensuring that the resource consumption of one VM doesn’t affect others on the same physical server is a key function of vSphere: a reservation guarantees a VM a floor of CPU and memory, a limit caps what it can take, and shares decide how contended capacity is divided between VMs that want more. Any VMware-virtualized service can deliver this capability, and in vCloud Datacenter we took it a step further by defining two virtual data center (VDC) classes that offer guaranteed server resources for your VMs. The Committed VDC allows you to subscribe to a set of compute, memory and storage resources that are guaranteed to be available for your virtual machines, even though the underlying hardware is shared with other tenants.
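As an added illustration, written for this page and not vSphere’s scheduler code, the following is a simplified model of the reservation, limit and shares rules as a water-filling allocator. It runs a constructed 8,000 MHz host carrying one tenant whose three VMs will burn every cycle they can get, first with no guarantees and then with the other tenants’ purchased sizes set as reservations, which is what a Committed VDC does for you. The host size, VM names, demands and the 1000-share default are invented for the example.

```python
from dataclasses import dataclass


@dataclass
class VM:
    name: str
    tenant: str
    demand: float                 # MHz the VM would consume if nothing held it back
    reservation: float = 0.0      # guaranteed floor; 0 means no guarantee
    limit: float = float("inf")   # hard ceiling on what it may take
    shares: int = 1000            # relative weight when the host is oversubscribed


def allocate(vms, capacity, tolerance=1e-9):
    """Split `capacity` MHz across `vms`.

    1. Every VM first receives its reservation (or its demand, if smaller).
    2. Leftover capacity is handed out in rounds, proportional to shares, only
       to VMs that still want more and sit below their limit.  A VM that needs
       less than its round share leaves the remainder for the next round.
    """
    alloc = {vm.name: min(vm.demand, vm.reservation, vm.limit) for vm in vms}
    remaining = capacity - sum(alloc.values())
    if remaining < -tolerance:
        raise ValueError("reservations exceed capacity; admission control should refuse this")
    while remaining > tolerance:
        hungry = [vm for vm in vms
                  if alloc[vm.name] < min(vm.demand, vm.limit) - tolerance]
        if not hungry:
            break
        total_shares = sum(vm.shares for vm in hungry)
        budget = remaining                      # fixed for this round
        for vm in hungry:
            want = min(vm.demand, vm.limit) - alloc[vm.name]
            grant = min(want, budget * vm.shares / total_shares)
            alloc[vm.name] += grant
            remaining -= grant
    return alloc


def per_tenant(alloc, vms):
    """Sum the allocation of each tenant's VMs."""
    totals = {}
    for vm in vms:
        totals[vm.tenant] = totals.get(vm.tenant, 0.0) + alloc[vm.name]
    return totals


HOST_MHZ = 8000.0   # constructed host, e.g. four 2 GHz cores


def scenario(committed: bool):
    """Tenant 'noisy' runs three greedy VMs; tenants 'b' and 'c' bought modest
    instances and only ask for what they bought.  With committed=True those
    purchased sizes become reservations."""
    floor = 1.0 if committed else 0.0
    return [
        VM("noisy-1", "noisy", demand=8000),
        VM("noisy-2", "noisy", demand=8000),
        VM("noisy-3", "noisy", demand=8000),
        VM("b-web", "b", demand=2000, reservation=2000 * floor),
        VM("b-db", "b", demand=2000, reservation=2000 * floor),
        VM("c-app", "c", demand=1500, reservation=1500 * floor),
    ]


if __name__ == "__main__":
    for label, committed in (("shares only", False), ("committed (reserved)", True)):
        vms = scenario(committed)
        alloc = allocate(vms, HOST_MHZ)
        print(label, {name: round(mhz) for name, mhz in alloc.items()},
              "per tenant:", {t: round(m) for t, m in per_tenant(alloc, vms).items()})
```

With shares only, every VM ends up with one sixth of the host: the greedy tenant takes half the server simply by running three busy VMs, and tenants b and c get less than the instance size they paid for. With reservations in place, b and c receive their full 2,000 and 1,500 MHz and the noisy VMs divide whatever is left. A limit on the noisy VMs would cap them further, at the cost of leaving capacity idle when nobody else wants it.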

The service also offers the Dedicated VDC, which provides physically separate hardware, ideal for meeting security or regulatory requirements where sharing physical hardware isn’t an option. This is sometimes known as a virtual private cloud. The difference here is the ease of mobility between VDCs within the service: you can quickly move VMs between VDCs as requirements change. One less thing to lose sleep over, and you don’t need to buy out the building to do it.