Security

A Resurgent SPARC platform for Enterprise Cloud Workloads (Part 2) - SPARC T5

Some time ago, I blogged about the resurgence of the SPARC platform. The then newly designed SPARC T4 was showing tremendous promise in its own right to take up its former mantle of being an innovation leader running extreme workloads with the Solaris 11 operating system.

Indeed, it was used as the driving engine of the SPARC Supercluster for dealing with not just massive acceleration of Oracle database workloads using the Exadata Storage Cell technology, but the ability to combine firmware embedded near-zero overhead virtualization concepts for electrically separate logical domains, carving up the physical hardware, and Solaris zones which allow near-native "virtual machines" sharing an installed Solaris operating system.

Up to 128 virtual machines (zones) supported on a system - a vast improvement over the 20-30 one gets under VMware-like hypervisors typically!

This welcome addition to the wider Oracle engineered systems family allowed the missing parts of the datacenter to be consolidated - these being typically glossed over or totally skipped when virtualization with VMware-like hypervisors was discussed. Customers were aware that their mission critical workloads were not always able to run with an x86 platform which was then further reduced in performance using a hypervisor to support large data set manipulation.

Well the rumor mills have started as the run up to Oracle Openworld 2012 at the end of September. One of the interesting areas is the "possible" announcement of the SPARC T5 processor. This is interesting in its own right as we have steadily been seeing the SPARC T4 and now the T5 having ever greater embedded capability in silicon to drive database consolidation and indeed the entire WebLogic middleware stack together with high-end vertical applications such as SAP, EBusiness Suite, Siebel CRM and so on.

Speculating on the "rumors" and the Oracle SPARC public roadmap, I'd like to indicate where I see this new chip making inroads in those extreme cloud workload environments whilst maintaining the paradigm of continuous consolidation. This paradigm, which I outlined in a blog in 2010, is still very relevant - the SPARC T5 providing alternative avenues to simply following the crowd on x86.

Questioning "Datacenter Wisdom"

The new SPARC T5 will have, according to the roadmap the following features and technologies included:

  • Increasing System-on-a-Chip (SOC) orientation providing ever more enhanced silicon accelerators for offloading tasks that software typically struggles with at cloud scale. This combines cores, memory controllers, I/O ports, accelerators and network interface controllers providing a very utilitarian design.
  • 16 cores from the T4's 8-core. This takes them right up to the top end in core terms.
  • 8 threads per core - giving 128 threads of execution per processor providing exceptional performance for threaded applications such as with Java and indeed the entire SOA environment
  • Core speeds of 3.6GHz providing exceptional single threaded performance as well as the intelligence to detect thread workloads dynamically (think chip level thread workload elasticity)
  • Move to 28nm from 40nm - continuous consolidation paradigm being applied at silicon level
  • Crossbar bandwidth of 1TB/s (twice that of the T4) providing exceptional straight line scaling for applications as well as supporting the glueless NUMA design of the T5
  • Move to PCIe Generation 3 and 1TB/s memory bandwidth using 1GHz DDR3 memory chips will start to provide the means of creating very large memory server configuration (think double-digit TB of RAM for all in-memory workload processing)
  • QDR (40Gbps) Infiniband private networking
  • 10GbE Public networking
  • Database workload stacking becomes even more capable and effective than simple hypervisor based virtualization for datacenter estate consolidation at multiple levels (storage, server, network and licensed core levels)

This in itself at the processor level is really impressive, but the features that are on the roadmap aligned to the T5 possibly are the real crown jewels:

  • on-die crypto accelerators for encryption (RSA, DH, DSA, ECC, AES, DES, 3DES, Camellia, Kasumi) providing excellent performance through offloading. This is particularly relevant in multi-tenant Cloud based environments
  • on-die message digest and hashing accelerators (CRC32c, MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512) providing excellent security offloading. Again particularly relevant in multi-tenant environments
  • on-die accelerator for random number generation
  • PCIe Generation 3 opens the door to even faster Infiniband networking (56Gbps instead of the current 40Gbps - with active-active links being possible to drive at wire speed)
  • Hardware based compression which will seriously reduce the storage footprint of databases. This will provide further consolidation and optimization of database information architectures.
  • Columnar database acceleration and Oracle number acceleration will provide extremely fast access to structured information. Further, when combined with in-memory structures, the database will literally be roaring!

Indeed when we think that the Exadata Storage cells will also be enhanced to support new chip generations, flash density as well as other optimizations, the next SPARC Supercluster (which has the embedded Exadata storage cells) will literally be one of the best performing database platforms on the planet!

To ignore the new SPARC T5 (whenever it arrives) is to really miss a trick. The embedded technology provides true sticky competitive advantage to anyone running a database workload or indeed multi-threaded applications. As a Java platform, middleware and SOA platform as well as vertical application platform, the enterprise can seriously benefit from this new innovation.

Why is this important for the CIO & CFO?

CIOs and CFOs are constantly being bombarded with messages from IT that x86 is the only way to go, that Linux is the only way to go, that VMware is the only way to go. As most CFOs will have noted by now:

  • Financially speaking - the x86 servers may have been cheaper per unit, but the number of units is so large to get the job done that any financial advantage that might have been there has evaporated!
  • Overall end-2-end costs for those services that the CIO/CFO signed off on are never really well calculated for the current environment.
  • Investment should be focused on those activities that support revenue streams and those technologies that will continue to do so for at least the next decade, with capacity upgrades of course
  • There must be other ways of doing things that make life easier and more predictable

Well Engineered Systems with the new SPARC T5 represent a way for the CIO/CFO to be able to power those projects that need investment which in turn drive revenue and value. The ability to literally roll the SPARC SuperCluster or any other Engineered System is going to be instrumental in:

  • Shortening project cycles at the infrastructure level
    • don't lose 6 months on a critical ERP/CRM/Custom application project in provisioning hardware, getting unexpected billing for general infrastructure layers such as networking that have nothing to do with this project, IT trying to tune and assemble, getting stuck in multi-vendor contract and support negotiations etc.
    • That time can be literally worth millions - why lose that value?
  • Concentrate valuable and sparse investment strategies literally to the last square meter in the datacenter!
    • If that next project is a risk management platform, then IT should be able to give exactly to the last datacenter floor tile the resources that are needed for that one project alone and the cost
    • Project based or zero-budgeting will allow projects to come online faster and predictably, reuse existing platforms to deal with the load, and support continuous workload consolidation paradigms
    • Finance enterprise architecture projects that put in the enabling conditions to support faster turnaround for critical revenue focused/margin increasing project activity

Engineered systems are already using the technologies that the rest of the industry is trying to re-package to meet the challenges customers are facing now and in the coming years. The lead is not just in technology but also in the approach that customers are demanding - specific investments balanced with specific revenue generating high-yield business returns.

As a CIO it is important to recognize the value that Engineered Systems and the SPARC platform, as part of an overall datacenter landscape, bring in addressing key business requirements and ensure an overall simplification of the Datacenter challenge and large CAPEX requirements in general.

As Oracle and others proceed in acquiring or organically developing new capabilities in customer facing technologies and in managing exabyte data sets, it becomes strategically important to understand how that can be dealt with.

Hardware alone is not the only answer. Operating systems need to be able to deal with big thinking and big strategy, as do applications and the hardware. By creating balanced designs that can then scale out, a consistent and effective execution strategy can be managed at the CIO/CTO/CFO levels to ensure that business is not hindered but encouraged to the maximum, through removing barriers that IT may well have propagated with the state of the art many years ago.

Engineered Systems enable and weaponize the datacenter to directly handle the real-time enterprise. High-end operating systems such as Solaris and the SPARC processor roadmap are dealing with the notions of having terabyte datasets, millions of execution threads and thousands of logical domains with hundreds of zones (virtual machines) each per purchased core.

Simply carving up a physical server's resources to make up for the deficiencies of operating system/application in dealing with workloads can't be an answer by itself. This is what is also fueling the Platform-as-a-Service strategies partly. How to get systems working cooperatively together to deal with more of the same workload (e.g. database access/web server content for millions of users) or indeed different workloads spread across systems transparently is the question!

High performance computing fields have been doing just this with stunning results albeit at extreme cost conditions and limited workloads. Engineered systems are facilitating this thinking at scale with relatively modest investment for the workloads being supported.

It is this big thinking from organizations such as Oracle and others, who are used to dealing with petabytes of data and millions of concurrent users, that can fulfill requirements expressed by the CIO/CTO/CFO teams. If millions of users needing web/content/database/analytics/billing can be serviced per square meter of datacenter space - why not do it?

Disclaimer

The opinions expressed here are my personal opinions. Content published here is not read or approved in advance by Oracle and does not necessarily reflect the views and opinions of Oracle.

Cloud Security Maneuvers - Governments taking Proactive Role

In a previous blog entitled VMworld 2011 - Practice Makes Perfect (Security), I discussed the notion of preparing actively for attack in cyberspace through readiness measures and mock maneuvers.

This is happening at the level of nations. ENISA, in Cyber Atlantic 2011, shows how large groups/blocs of nations are working on not only increasing their capabilities, but practicing in concert to see how global threats can be prevented or isolated in cyberspace.

This is at least as intensive as a NATO exercise: languages, cultures, varying capabilities, synchronization of Command & Control capabilities, as well as reporting and management at national levels all have to be coordinated.

APTs (Advanced Persistent Threats) will be the target in this exercise. This is a current and relevant threat for which credible measures are needed urgently. APTs can be used by organized crime or in state-sponsored attacks to circumvent even the most secure installations - nuclear/military typically. It is critical that measures and controls are in place at a national level.

Hopefully they will also cover the very sensitive area of reporting to the press, organizations that are being targeted or potentially targeted as well as practical measures that everyday folk like you and I can implement quickly and easily. Remember security starts with people!


What does this all Mean for Virtualization and the Cloud?

Clouds span organizations, nations, borders and cultures. We need to think in equal if not greater terms when thinking about security. Security in one area does not guarantee the security of the entire cloud or the communities that they serve.

There is of course a fine line in skirting personal privacy rules, in place for very good reasons of personal liberty and democratic thinking, and protection of assets in the Cloud from malicious attacks or just plain stealing of intellectual property.

Governments should also not be excluded. It is equally important that an individual has privacy rights maintained without the threat of big brother from other states or indeed your own government. This is an area that every individual needs to be vigilant against. Controls within Government also need to be available to the individual should there be patent infringement without a court order authorizing surveillance. Even that needs to be double-checked!

This does of course also strengthen the case for private clouds, or at least closed community clouds. This provides another buffer perimeter to attack, and ensures the ability to fence off networks from outside unwanted intruders.

This involves security by design. These measures to be able to isolate Cloud elements as needed, and proactive event triggered responses to security will entail ever smarter tools! The ability to process massive data and web logs in near real-time will power the heart of Automated Cloud Security Response & Tracking.


Why is this important for the CIO?

Competitive advantage may not be the only reason for charting a hybrid course for your clouds. Fit for function micro-cloud capabilities (e.g. focused on only providing Database-aaS, or Middleware-aaS) will ensure best in class features, and will ensure that there is an island of Cloud capability with the required security measures within the overall Corporate Cloud Strategy.

General purpose cloud constructs to run standard workloads on x86 platforms will also have their own level of security. This may well involve a different defense strategy from the one used to protect key structured and unstructured data repositories.

The fact that nation states are working collaboratively on Cybersecurity provides an ideal opportunity for CIOs to link into that capability. National Cyberdefense will have access to the latest, greatest, wildest threats through linking into vendor response systems (RSA, Symantec, Trend, Qualys etc) who are able to gather data from the users of their respective solutions.

Further, the ability to liaise directly with the heads of global organizations providing briefing information, as well as joint public response measures with the media will also enable a "soft landing" effect on global equity markets based on their fear of the effect of a wide-spread cyber attack. I do feel that Government should also provide a level of funding for corporate cyber security to ease the burden. Time will tell on this one!

One size clouds can be dangerous in a world where one needs to design for systems failing or being exposed to insidious attack. Although silos in IT are not the preferred approach, the idea of clear fenced off Cloud areas focused on the type of data they are operating on and their business impact analysis ratings should be seriously on the CIO agenda.

Cost savings may well need to be re-channelled to address your concerns with security. Work with the CSO/CISO to get the funding for securing the business assets. Work with government to have access to greater resources and possibly funding.

Disclaimer

The opinions expressed here are my personal opinions. Content published here is not read or approved in advance by EMC and does not necessarily reflect the views and opinions of EMC.

VMworld 2011 - Practice Makes Perfect (Security)

During the VMworld 2011 conference, the theme of security came up very strongly. Indeed, there were many parallels to the RSA Conference 2011 in Feb/2011 that echoed concerns about "putting all your eggs in one basket".

Many solutions were presented, including new innovations from VMware in the form of the vShield family and vertical integration into the RSA enVision tools. However, while tools are good, there are few substitutes for common sense and training.

Within all the sessions, I did not really see anything indicating how in-depth Cloud security was to be achieved. Security certifications are mainly focused on awareness of issues pertaining to this theme and some level of descriptive and prescriptive actioning that can be performed within a framework.

Taking a metaphor linked to security, namely defending a country, there are parallels that can be drawn. Typically an army of some sort (SecOps - Security Operations) incorporates the capabilities of the security force, together with a command and control center for operations (SOC - Security Operations Center).

The army receives training both general and specific for particular engagement types (Security awareness training, Security tool training, System administration tasks such as patching, general awareness of threat levels around the world in cybersecurity terms). The army stays fit and in shape to respond should they be called into action. The army is distributed to ensure response in the correct measure and correct location (layered security distributed throughout a Cloud environment).

Lastly, to keep things short, there are mock trials and joint manoeuvres taking place to keep the training sharp and realistic, to ensure a coordinated knowledgeable response to said threat. This can be done with partners that share a similar set of goals, such as NATO. This is the bit that seems to be missing.


What does this all Mean for Virtualization and the Cloud?

In most client engagements I see, there is a lot of talk about security, security tools and so forth, but very little actual practice or manoeuvres take place. It is necessary that teams responsible for safeguarding an environment have the means, and regular practice, to put the countermeasures in their documented plans into action at speed. If those plans are automated, then they can be triggered automatically through corresponding events, but the knowledge to trigger them by hand should also be present and tested regularly.

In speaking with some clients on the floor at VMworld, I raised the idea and it seemed to generate a favourable response. Clients and would-be users of cloud technologies are clamouring for safety, and seek to assuage their fears through buying the next great security software that claims nothing needs to be done, apart from issuing a purchase order!

Let's face it, something does need to be done. Tools do need to be acquired - but as part of an Enterprise Security Architecture (ESA) focused on ensuring all IT supporting the business is safe by design, and kept safe through regular threat update measures.

Regular drills are carried out to ensure that the security controls are in place, and mitigation controls can be called for in extreme situations. In the most extreme cases it is necessary to completely cut off outside connectivity while the threat is forensically investigated and stopped!

To be fair, the number of organisations that actually perform PEN (penetration) testing has really increased. However, that is a means to validate the efficacy of the control measures already in operation or determine what is missing.

I would advocate processes and organisational structures, implemented within a Cloud enabled organisation, that enable testing and simulation of attacks (mock war games) so that each and every SecAdmin is able to block/thwart attacks. Further, tracking attacks to their source, and procedures for rapidly alerting cyber-authorities & ISPs, ensure damage is minimized and threat reduction measures are engaged on a broader scale.


Why is this important for the CIO/CSO?

The CIO/CSO have responsibilities to ensure that controls are in place and that those controls can be verified and are ready for inspection by regulatory authorities (including the internal audit & security groups).

In terms of budgeting and ensuring the security of your Private Cloud is as users expect, a cyber-war footing needs to be maintained. This internal Cyber-army should be equipped and trained to ensure the security of all assets, including the brand value of the company that may be at risk from exposure or data leakage.

Globalization lends an extra lever to ensure this type of rigorous security is in place. The measures should be built in to the Cloud infrastructure, as well as working in layers around the Private Cloud. SecAdmins should be working with SysAdmins, but there does need to be a clear separation of duties and associated responsibilities.

The Cxx agenda needs to include Cyber Security at Cloud scale in their plans to engender an IT ecosystem where business can thrive. The brand value such initiatives provide enables a sustained competitive advantage to accrue. An Enterprise Security Architecture should be in place, with security groups actively taking a role in supporting agility and speed to market - but with safety and with confidence!

Disclaimer

The opinions expressed here are my personal opinions. Content published here is not read or approved in advance by EMC and does not necessarily reflect the views and opinions of EMC.