Cloud Transformatics - Rethink Your Storage Strategy (SAN)

One of the great things about the Cloud is its ability to stimulate new and different ways of thinking about your datacenter and IT operations in general. This is particularly true in the areas of service delivery and quality management for an ever more demanding consumer population!

This is what I call Cloud Transformatics - the vectors and drivers of Cloud-induced change in traditional IT operations and service delivery. I will be writing a mini-series of blogs on this theme, starting with SAN storage.

One of the tenets that the Cloud has really knocked on the head is the notion of the massive, old-fashioned monolithic array. The simple idea that smaller, lower-cost building blocks can actually reduce overall cost while delivering more reliability, better performance and ultimately higher service quality swept through the storage industry over the last decade.

Most storage manufacturers responded by dressing their systems up as modular, scalable storage systems, and only under innovation pressure from competitors did they start adding features that cut their margins and overall sales volume - think deduplication, virtual LUNs, compression, unified storage, storage tiering, thin provisioning and so on.

Indeed, even the storage protocols themselves became a religious debate: FC SAN vs iSCSI, SAN vs NAS, CIFS vs NFS, converged cabling and so forth. The innovators driving much of this change - the NetApps and 3PARs of this world - spring to mind, and many of them were simply acquired by their erstwhile competitors: 3PAR went to HP, EqualLogic to Dell, Isilon and Data Domain to EMC, and Pillar Axiom to Oracle.

Curiously, in the IT market, good, innovative products don't always survive on their own. Isilon was struggling against massive competition - it was acquired, survived and thrived. That is great news: without the acquisition, the industry might have lost the important innovations it brings to market. The same goes for 3PAR and Data Domain.

I have been watching Pillar Axiom for some time. Reviewing its architecture, market penetration, customer sentiment and "cool" factor, it struck me that this is a very promising technical design, directly tackling issues typical of customer datacenters and of storage service delivery in particular!

Firstly, there are the SLAMMERS - the protocol and CPU heart of the Axiom storage system. These are modular, built on industry-standard CPUs (AMD), and are easily ramped up for roaring performance. A simple CPU upgrade from dual to quad core delivered vastly more vroom and correspondingly better service management. Imagine what an AMD Bulldozer (16 cores) or a corresponding Intel chip would deliver!

Secondly, there are the BRICKS - dual-RAID-controller disk enclosures providing up to 24TB of raw storage from 12 disks, plus a separate hot spare, all in a 2U package. This is what I call modular. These enclosures have their own cache and offload disk controller operations from the slammers, and local hot spares ensure that rebuild operations stay localised within the brick. Oracle claims 128 RAID controllers operating in parallel across 64 separate bricks per Axiom storage system.

This is a great level of parallelism and modularity. Again, industry-standard components are used, and scaling through component upgrades (CPU, RAM, backplane, interconnects, disks) can yield surprisingly large gains in performance and capacity!

Last, but not least, there is the PILOT - the hardware appliance providing out-of-band management. Through a simple, intuitive interface it provides the management cockpit of the Axiom storage system. It has the features you would expect, such as managing disk resources and pools, and it also provides features that are squarely in the enterprise-class league (a sketch of how such policies might look follows the list):

  1. Application aware storage profiles
  2. Policy based resource control
  3. Spindle striping levels
  4. IO Priority Queues
  5. Disk stroking (placing data on outer or inner tracks for performance)
  6. Network bandwidth control
  7. Multi-tenancy with Quality of Service profiles
  8. Thin storage, storage tiering, distributed RAID for linear scaling
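
To make the policy idea more concrete, here is a minimal sketch in Python - purely illustrative, with class names, fields and values that are my own assumptions rather than Pillar's actual API - of how an application-aware storage profile might map a service class to placement and queueing decisions:

    from dataclasses import dataclass

    @dataclass
    class StorageProfile:
        """Hypothetical application-aware profile, loosely mirroring the
        Axiom ideas of priority queues, disk stroking and striping."""
        name: str
        priority: str        # e.g. 'premium', 'medium', 'low' -> I/O queue weighting
        stripe_width: int    # number of bricks/spindles to stripe across
        platter_zone: str    # 'outer' (faster tracks) or 'inner'
        tier: str            # 'ssd', 'fc', 'sata'

    # Illustrative catalogue an administrator might define once and reuse.
    PROFILES = {
        "oltp-db":    StorageProfile("oltp-db",    "premium", 16, "outer", "fc"),
        "file-share": StorageProfile("file-share", "medium",   8, "inner", "sata"),
        "backup":     StorageProfile("backup",     "low",      4, "inner", "sata"),
    }

    def provision_lun(name: str, size_gb: int, profile: StorageProfile) -> dict:
        """Return a provisioning request; the array (not this code) would
        translate the priority into queue weighting and cache share."""
        return {
            "lun": name,
            "size_gb": size_gb,
            "qos_priority": profile.priority,
            "stripe_width": profile.stripe_width,
            "platter_zone": profile.platter_zone,
            "tier": profile.tier,
        }

    print(provision_lun("erp-data01", 500, PROFILES["oltp-db"]))

The point is not the code itself, but that placement, striping and queue priority become declarative attributes of a service class rather than per-LUN manual tuning.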

Pillar was typically placed in the mid-range league, probably because it does not support mainframes. However, the feature set is clearly enterprise worthy. Recently, Oracle has started to add support for Hybrid Columnar Compression, which further increases the platform's value by providing SAN-attached storage support for Oracle 11g environments beyond what is currently available in any other high-end storage array.

Looking under the covers, and extrapolating somewhat, we have a SAN storage array with enterprise features. Its modular slammer structure corresponds to the engine model of the EMC VMAX. The Axiom also offers up to 8 of these engines, but through its bricks it provides linear scalability. If Oracle puts InfiniBand interconnects (40Gbps links) inside the Axiom, this will be a screamer of a system!

I have often seen clients exhaust the I/O capability of high-end arrays well before the claimed 2,000+ disks are installed. Top-end capacity is nice on paper, but in I/O-intensive environments it is rarely reached.
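
A back-of-envelope calculation illustrates the point - the figures below are illustrative assumptions of my own, not vendor specifications:

    # Rough, illustrative numbers only - adjust to your own environment.
    DISK_IOPS_15K = 180           # assumed random IOPS per 15K RPM disk
    DISK_COUNT = 2000             # the "claimed" maximum spindle count
    CONTROLLER_CEILING = 200_000  # assumed front-end/controller IOPS limit

    raw_spindle_iops = DISK_IOPS_15K * DISK_COUNT   # 360,000 IOPS on paper
    usable_iops = min(raw_spindle_iops, CONTROLLER_CEILING)

    print(f"Spindles could deliver ~{raw_spindle_iops:,} IOPS, "
          f"but the controllers cap out near ~{usable_iops:,}.")
    # At ~180 IOPS per disk, roughly 1,100 disks already saturate the
    # controllers - well short of the 2,000+ disks on the datasheet.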

The Axiom, with its unusual brick-and-slammer architecture, addresses one critical concern I have with the traditional gamut of high-end arrays - namely the posturing that the array is the last word in storage and that one could not possibly need anything else! Well, Cloud Transformatics clearly shows that truly modular systems are winning out in the real world and provide dramatically better performance and value.

If you need more performance than is available in a single Axiom system, then put a second Axiom system in place! That is how Cloud storage works - ramp up I/O and capacity by adding another module. That we can now do this in a SAN is definitely worth a look!

The Race to Business Value

The Axiom already offers many of the features associated with high-end SAN storage, but in a pay-as-you-grow model: simply add modular slammers and bricks. That is remarkable value! Further, through its architecture, the Axiom also provides NAS services.

With the current shortfall in global disk production due to the tragic flooding in Thailand, every storage manufacturer is projecting steep price increases or delayed delivery. This is the perfect time to re-evaluate your SAN storage strategy. Oracle is integrating substantial intellectual property into the platform to further deliver real Cloud-derived value (CVD).

Architecturally, this platform shares similarities with scale-out NAS systems such as Isilon, which provide infrastructure for big data. It does not take a big leap of imagination to see such functionality coming to this important datacenter building block.

Why is this important for the CIO?

One would not typically think of Oracle as an enterprise SAN storage provider, but with the Pillar Axiom acquisition they are squarely set to disrupt this space. Customers are already using these systems to great effect. The Axiom represents an inflexion point in how one thinks about SAN storage: it can be implemented cost-effectively, it provides high-end features, and it links directly into enterprise software stacks such as database and ERP systems (SAP/Oracle), making it a potent platform at dramatically lower prices!

CIOs setting their IT agendas in 2012 should take into account that there is a new disruptive player offering storage services in the datacenter. Oracle cannot really be disregarded in this respect. Time will tell how clients react to the exciting potential of the Pillar Axiom platform now that it has enterprise backing through Oracle.

CIOs looking to secure deep cost savings and efficiency should note the potential of this SAN storage platform. Clearly, if there is a use case in their organisations for enterprise software stacks (databases, messaging systems, ERP, CRM etc.), then Oracle is a major player. Oracle is probably already in use in most enterprise shops, and further deep practical value (not just paper savings) can accrue from using the Axiom SAN storage platform.



The opinions expressed here are my personal opinions. Content published here is not read or approved in advance by Oracle and does not necessarily reflect the views and opinions of Oracle.

The Practical Cloud - Road to Cloud Value Derivation (CVD)

After a change of residence and a change of job - it is high time to write another blog!

In talks with many customers, and indeed in feedback on this blog site, I hear repeatedly that the "current Cloud" marketed by the pre-2011 industry was simply tackling the infrastructure side of things. Much of the focus was on consolidating the x86 server estate and delivering features such as live migration of virtual machines across physical servers.

While this is fine as an initial step towards deriving some form of value, it is typically too little. Many business leaders and IT managers say: "we have bought into the Cloud, we have virtualized, and we can even offer a level of VM automation in terms of provisioning - so where is this taking us, and where can I show the ongoing value to the business?"

This is a very valid line of questioning. The client has millions of $$bucks$$ of equipment sitting on the floor, they have attended training and have done everything they were told to do. The result - they can create a virtual machine with software in minutes as opposed to hours or days. Cool!

That is not a lot to show the business for all that investment and evangelism. This is typically (and incorrectly) lauded as a solution and a great win for all!

IaaS alone, in my opinion, was always too little value. Simply putting together servers, storage and network with a thin veneer of hypervisor magic has limited value in itself. Incidentally, this was the main haunt of mainstream hypervisor purveyors until 2011.

This type of datacenter transformation using pre-assembled hardware for the sole purpose of consolidating x86 is too simple and let's face it - too dumb. Clients are cleverer than that. Clients have persisted in following the virtualization wave, and that is good. They have somewhat resisted the Cloud marketing till now as it was simply focused on replacement of their existing hardware and hypervisor stack.

Towards the tail end of 2011 we started seeing a stronger focus on provisioning enterprise software and environments - Database as a Service (DBaaS), which was often nothing more than installing a database instance on a virtual machine through a browser-based provisioning page. Well, that is better, but it still does not smack of value! Indeed, if you wanted many large database instances with, say, 64 virtual CPUs per VM, you were out of luck - and yes, there are customers that do this!

In 2011 we started to see the emergence of the appliance: an entire hardware and software stack installed at the factory. In some cases, such as the EMC Greenplum appliance, this was built from standard components functionally tuned for the task. Others, such as Oracle with the Exadata Database Machine (which has been around since 2008 incidentally, but first used Sun intellectual property acquired in 2010), not only took the idea of virtualization but actually embedded it into every component in the stack.

Through innovation, integration, best-of-breed technology and the simple idea that a system should do what it is designed for to the best of its ability, Exadata represents, in my opinion, a new approach to transformation that makes real business impact.

I am sure that during 2012 we will see a move away from generalized Cloud stacks such as the VCE Vblock, Dell pre-packaged servers with VMware installed, and something similar from HP VirtualSystem for VMware. These systems are all focused on helping the hypervisor - in this case VMware vSphere - perform its job well. However, the hypervisor only lets you manage virtual machines! It does not do anything else!

That is also why I see a move away from expensive hypervisor software towards open-source solutions, or towards systems with the hypervisor embedded as a functional technology supporting an enterprise software stack - with no $$ for the hypervisor per se.

The Race to Business Value

One of the issues holding back business value derivation through Cloud technologies has been the lack of the business as a driving stakeholder. The business should be driving the IT roadmap for an organisation. The business defines what it wants from developers in the form of functionality - why not the same for IT infrastructure?

You see, the value of the business is that it thinks differently. The business tends to think holistically, at the level of enterprise architecture, as a driver and motor for business value generation! It thinks in frameworks, and it thinks (with developers and architects) in terms of enabling software platforms upon which to further its unique selling points.

The real Cloud value to be derived in that case is based on software Cloud platforms leveraged to facilitate global service and application delivery with quality of service baked in. These platforms are in turn used to create further value!

The real business case for the Cloud comes in the form of Platform-as-a-Service (PaaS). I think that Exadata hits this nail on the head. I don't just want to be able to setup a virtual machine running the database inside, I want the functionality of the database itself! Exadata delivers just that through a clever blend of components!

Why is this important for the CIO?

CIOs set the agenda for Cloud in 2010-2011. They have seen that it has an effect on the delivery of IT services, but not necessarily a direct impact on the culture of the business or indeed the value the business derives. The early gains have been achieved, and it is time to move on to business-focused IT.

CIOs look beyond the mainstream hype. Through intensive research and peer-level networking, they verify the effect of IT strategies on business value. The CIO pioneers and sets the agenda for deep, intelligent consolidation: not just doing more with less, but gaining greater business insight and leverage with fewer, more effective resources!

Exadata, and engineered systems of that ilk with embedded technology, are paving the way for scale-up/scale-out with extremely high performance, gathering in the benefits and innovations of the IT industry over recent years: unified networking with InfiniBand, high-performance SSD storage, deduplication, compression, tiered value-oriented storage, big-data-capable file systems and indeed open source.

That is a very potent mix, and Oracle customers are actively leveraging this. They have been using Linux and Oracle Solaris 11 to support those enterprise workloads needing that level of reliability and speed. They have been consolidating hundreds of database and middleware servers - yes - hardware, mixed OSs, non-x86 systems, licenses, management tools, script frameworks and so forth. This is real consolidation!

Further, they have used the well-respected, enterprise-capable Oracle 11g platform to power their Java applications, drive the back end of their middleware platforms, and create new value by delivering applications through the Exadata platform to the mobile space (iPads, Android devices, browsers, OS-independent applications).

Indeed, if the Java virtual machine (JVM) is one of the ultimate forms of virtualization, it makes perfect sense that a business which has elected to use that technology should create the underlying infrastructure AND platform ecosystem to support those efforts at scale.

The Corporate Cloud Strategy can be dramatically refreshed and aligned with the ability to deal with all data needs in a single well managed platform. Exadata provides in this case the ability to deal with all database needs that an organisation has from the smallest to the largest. It provides significant front-end direct value. 

Other Exasystems have started to arrive to deal with specific challenges such as big data and middleware. These use the same magic sauce as the Exadata Database Machine, but are tuned and enhanced for their specific functions. Deep, lasting transformation can be achieved, and the very nature of these Exasystems means the business must be included as a principal stakeholder - it can truly see what the value of extracting a business insight means in hard $$ terms!

Look out for these paradigms that directly affect business value and allow new business insight to be gained by easily manipulating petabytes of information in near real time! They enable the business to come to market rapidly with new products, they directly support application developers, they are built on industry-proven technologies - and best of all, they retain the key know-how of your developers and DBAs, who will be up and running with little change to their operational routine!



The opinions expressed here are my personal opinions. Content published here is not read or approved in advance by Oracle and does not necessarily reflect the views and opinions of Oracle.

The Role of Defragmentation in the Cloud – Releasing trapped value

Imported post, originally published November 21 2010

One of the questions we get from clients moving to the Private Cloud is whether we still need to do things as we did in the physical world.

Defragmentation of the file systems (FS) within guest operating systems (OS) running in a virtual machine (VM) always comes up. From my own enterprise messaging and database background, this was a very important question to get answered up front. There could be tremendous negative consequences from not doing proper housekeeping and defragmentation (whether offline or online while the service was running). This essentially represents trapped value to the business.

There are many great vendors out there in this VM defragmentation space, for example Diskeeper’s V-locity2 or Raxco’s PerfectDisk. They make a good case for defragmentation, essentially pointing to the following:

1. Many industry sources point to the negative impact of fragmentation
2. Fragmentation increases the time taken to read/write a file
3. Fragmentation creates extra system workload
4. Free space consolidation is very important for improving write operations
5. Fragmentation contributes to higher I/O bandwidth needs
6. VMs contend with each other for I/O
7. VM disks grow perpetually, even when data is deleted

The fragmentation issue, whether of files or of free space, has symptoms analogous to the performance issue VMware identified with misalignment of guest OS partitions, and indeed of VMFS itself. Essentially, much more unnecessary work is being done by the ESX host server and the corresponding storage elements.

Array and vSphere 4.1 features help reduce the impact of these issues through I/O coalescing and the use of array cache to bundle larger sequences of updates into contiguous writes - an EMC VMAX can currently provide 1 TB of cache. Multipathing tools such as EMC PowerPath/VE alleviate the increased I/O load through queue balancing and by utilizing all paths to the storage array concurrently.

Thin provisioning ensures ‘just-in-time’ space allocation to virtual disks. This is heavily enhanced in the array hardware with complementary technologies such as EMC's FAST, to further optimize storage price/performance economics. This is also changing through the VMware vStorage APIs for Array Integration (VAAI), with vSphere offloading storage operations to - surprise, surprise - storage tiers that simply do the job better.

However, these do not proactively cure fragmentation within the guest OS or indeed at the VMFS level.

Indeed, when we start thinking about environments with hundreds of thousands of VMs, such as desktop virtualization using VMware Linked Clones, this issue needs to be tackled. Virtual disk compaction is an important element here: an online compaction capability ensures space is reclaimed and trapped value released.

The ability to use FAST can support defragmentation scenarios by shifting the workload onto solid state drives (SSDs) for the duration of the high I/O activity; the array then moves the corresponding sub-LUN elements back to the appropriate tier later. Many customers do this with scripts.

Essentially, using Storage vMotion, a VM can be moved to a datastore on high-performance disks, defragmented using the guest OS's internal tools, and then Storage vMotioned back to its original datastore. That seems easy enough for small numbers of machines, but doing it continuously for large volumes of VMs does not scale to Cloud levels.
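
As a thought experiment, that per-VM workflow could be scripted roughly as follows - a Python sketch in which the helper functions (storage_vmotion, run_guest_defrag) are hypothetical placeholders for whatever vSphere and guest tooling is actually in use, not real API calls:

    import logging

    log = logging.getLogger("defrag-cycle")

    def defrag_cycle(vm, fast_datastore, original_datastore,
                     storage_vmotion, run_guest_defrag):
        """One defragmentation cycle for a single VM.
        storage_vmotion(vm, datastore) and run_guest_defrag(vm) are
        caller-supplied placeholders, not vendor APIs."""
        log.info("Moving %s to fast datastore %s", vm, fast_datastore)
        storage_vmotion(vm, fast_datastore)      # relocate while the VM stays online
        try:
            run_guest_defrag(vm)                 # guest OS internal defrag tools
        finally:
            # Always move the VM back, even if the defrag step fails.
            log.info("Returning %s to %s", vm, original_datastore)
            storage_vmotion(vm, original_datastore)

    if __name__ == "__main__":
        logging.basicConfig(level=logging.INFO)
        defrag_cycle("win7-desktop-0001", "ssd-datastore", "sata-datastore",
                     storage_vmotion=lambda vm, ds: None,   # stubbed for illustration
                     run_guest_defrag=lambda vm: None)

Even in sketch form it is clear that the hard part is not the per-VM steps, but orchestrating them continuously across an entire estate.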

The whole area of scheduling defragmentation cycles across an entire virtual infrastructure Cloud estate is also no trivial task. Tools are needed, and the current generation of tools operates within the guest OS. VMFS also warrants examination, although with 8MB block sizes there is less fragmentation taking place at the VMDK level - but this is still worlds away from a self-defragmenting file system!

After all, in a busy Cloud environment the datastores are heavily used. VMs are created and removed, and this eventually causes fragmentation. Whether that is an issue for the Cloud environment is, I believe, still too early to say.

My own view is that some of the defragmentation best practices of the past are still relevant, but they need to be updated for the current generation of applications. For example, Exchange 2000/2003 issues differ in scale from those in Exchange 2007/2010. It is the application stack that still counts, as that is what delivers service to end users. On the other hand, implementing thousands of defragmentation tools in guest OS VMs is also not my idea of fun, and the cost may well be prohibitive. Side effects, such as large growth in redo log files of any sort when defragmentation takes place, also need to be considered.

I’d like to see VMware create a defragmentation API integrated with the vStorage VAAI APIs for array awareness, much as they have done for anti-virus scanning with the VMsafe API. This would allow the defrag engines to hook into the hypervisor itself and get the array to offload some of these tasks. It would also provide a consistent interface for vendors to design against, and defragmentation could then be a thing of the past, regardless of the guest OS running in the VM. The Cloud should just deal with it, when it is needed!


The opinions expressed here are my personal opinions. Content published here is not read or approved in advance by EMC and does not necessarily reflect the views and opinions of EMC.

Windows 7- To Virtualize or not to Virtualize - that is the question!

Imported post, originally published August 21 2010

Whether 'tis nobler to roll out a standard Windows 7 desktop... OR to take arms against a sea of troubles,
And by virtualizing desktops end them?


Many of the current discussions we at EMC Consulting (Cloud & Virtual Data Center Practice) are having with IT Managers, CIOs, CTOs and Architects/Designers are typically focused on understanding the Cloud notion, its consumption and management models, and of course ‘how to build one’. Frequently the ‘what does it mean for us?’ question pops up.

Depending on whom you’re speaking with, the answer will vary in granularity. An administrator asks about daily activities, an IT Manager about service delivery and orientation, and the Cxx level is focused more on realizing sustainable competitive advantage for Business IT, amongst other themes.

With the need to phase out Microsoft Windows XP on the CIO radar, engaging IT resources and personnel for the foreseeable future, and so many other areas of IT strategy still to realize, the move to Microsoft Windows 7 is rather significant. Many are taking the approach of a ‘simple’ desktop operating system (OS) upgrade. Others are using the opportunity to replace parts of their desktop estate with long-overdue PC/laptop replacements. These strategies are fine if the end result is simply to get rid of Windows XP and come back into the Microsoft ‘circle of trust’. Compounding the situation is the application stack (Ask-not-what-you-can-do-for-your-cloud-but-what-your-cloud-can-do-for-you) - and yet another migration.

Windows 7, perhaps unlike Windows Vista in terms of its timing, arrives at a turning point in the IT industry. The desire to move away from traditional models of IT, resource consumption and device form factors has never been so strong. Indeed, the very notion of a desktop operating system is being challenged. We often hear this very thought in envisioning workshops, along with the question of whether it can be done right now. Not an easy question to answer.

Don't get me wrong here. I am myself an ardent user of Windows 7, coming from Vista (yes, I installed that too) and of course the venerable XP. The functionality is fine, and Microsoft have done a good job of creating something useful. However, it is not really Windows 7 that I use daily - it is the applications and the browser. Certainly, then, the OS could be a bit leaner, or, as some virtualization vendors are doing, the need for an OS could practically be removed by creating bare-metal desktop hypervisors (Citrix and VMware initially).

Corporate IT Missing A Trick?

Based on the macro movement in the industry - the Cloud tsunami, Everything-as-a-Service and unprecedented levels of connectivity to the Internet - perhaps the idea of rolling out Windows 7 needs to be thought of in a different light.

With many organizations embarking on virtual desktops as part of their desktop estate mix, we have discussed whether Windows 7 should in fact be treated as an innovation stream - one stream of many that would herald the move to the ‘digital nirvana’ user-workspace end-state (which is of course different for every organization).

By treating Windows 7 as an innovation stream - a collection of features desirable for an organization to possess - we come closer to the idea of Windows 7 being a stepping stone on a path. The implication is that constant change will accompany the ‘desktop’ estate in every organization, with new features bundled and released incrementally rather than as a colossal OS upgrade.

The very term ‘desktop OS’ is starting to look tarnished and is in all probability a complete misnomer these days.

EMC Consulting has a very strong practice supporting the migration to Windows 7, and together with customers a different product mix is being implemented. Large swathes of virtual desktops hosted in a private cloud are being rolled out, with some use cases mandating a traditional local install approach in the interim. In most cases, however, the applications are being virtualized to ease the move to delivery via Cloud technologies. Some applications have already moved lock, stock and barrel to Private/Public Clouds.

How does this pan out with the ‘desktop OS’ developers?

Well, Microsoft itself is planning to refresh desktop OSs more frequently than in the past (Windows x details were leaked onto the Internet this year). Microsoft is also starting the move to Cloud offerings, in partial or full form, through Azure amongst others to come. Microsoft Exchange Server, long the province of corporate IT, is itself being considered for ‘handing over’ to Microsoft in the form of Exchange Hosted Services (EHS). This of course leads to the question of whether other email/collaboration technologies could be used. Microsoft is embracing this sea change after a fashion - it does not really have a choice anymore!

It looks increasingly as if change is going to be the new norm. Change is good – and the ability to rapidly change and reconfigure resources is a fundamental competitive advantage in an ever more dynamic cyber-verse.

Essentially, the change to an innovation stream starts to focus organizations internally on the features and capabilities they value - not on which version of a desktop OS they are installing next. The capability set underpinning their varied business needs is identified and pursued.

In the move to the virtual desktop, this starts to yield real benefits in a very lean, composed desktop (separated user profiles, applications and base OS). The first wave of this came in the form of server-based computing models that simply shipped out a shared Windows desktop surface. This was inflexible and required great operational control to ensure adequate features for all users (e.g. Citrix MetaFrame/Presentation Server/XenApp, Microsoft Terminal Services/RDS). This model still has its place in organizations today.

Virtual desktops, in comparison, are wholly independent of other users’ workspaces and allow a greater level of flexibility, letting users continue to be productive in traditional ways, innovate and indeed generate new methods of working. This wave seems to be making a home for itself in the Private Cloud. Offerings such as the Vblock support close to 10,000 concurrent virtual desktops - unprecedented in a single offering. These desktops can be created for all users from scratch in seconds or minutes, and remain always patched, protected and available 24 hours a day, accessible from anywhere! The level of control for Corporate IT and the level of freedom for users are a real boon in management terms.

In parallel, we are seeing the rise of ‘Platform and Application as-a-Service’ models in full swing on the Internet. Indeed, it is possible to get a pre-purposed virtual desktop with the latest, greatest Windows 7 (or Linux, Apple OS etc.) as a complete remote service.

Extend this further to the application stack above the OS, and we start to see exponential gains in manageability and long-term sustainability in terms of user experience and operations. This is being felt in the wake of the current as-a-service offerings, and it is in turn being extended to corporate applications built on these platforms. There is choice here, with Google, Microsoft, Amazon and others providing similar capabilities. The speed of building new business applications is remarkable in that the time-to-value has shrunk drastically! Good for consumers and definitely good for business!

We haven’t yet talked about how this desktop is consumed. Ever more capable devices are emerging (netbooks, tablets, the iPad, the iPhone, smartphones etc.), finding captive audiences who initially use these virtual desktops for private purposes and, over time, morph them into fully-fledged personal productivity assets equally capable of being plugged in at ‘work’!

This brave new world indicates a net movement away from stuffy, large desktop OS deployments on the narrow palette of PC/notebook hardware that organizations are typically still working with.

The consumer experience is driving the need for change within organizations. Organizations everywhere are waking to the clamor of their own users wanting a better experience in the digital workplace (after all they can easily afford a better experience as a consumer – so why can’t the firm do it!).

So why is all this important?

Well, if innovation is the lifeblood of an organization, then all the available means to ‘spark’ innovation should be exploited. By reframing the traditional desktop OS deployment approach, an organization may be able to fundamentally change the digital workplace.

There are plenty of examples of companies working to redesign office layouts, use more capable telephony-over-IP, and manipulate light and environmental conditions to put the brain ‘in a better state of mind’. These approaches are working (back in 2007 this is how things were: ‘Google Headquarter - Amazing Work Place’, 9/19/07)! Why would we not do the same for the ‘desktop operating system’?

Thinking about the long-term transformation of an organization: every person has at least one good idea in them, and that idea may be the one that drives your industry for the next decade. Is that not worth putting a little more thought into the Windows 7 migration?

Is it not worth thinking about virtualizing your applications? Is it not worth thinking about how the jump to the Cloud will be made for desktops? Does it not make sense to virtualize now, to allow some or all of those benefits to stream into the organization?

Some careful thinking now - moving away from the traditional administrator/IT-group worldview of ‘rolling out yet another desktop OS; the time is not right for Cloud; there's no other way’ - and keeping your eye firmly on the ‘big picture’ will invariably be a sure bet!

Cloud is here today! The desktop is a prime candidate to consider for mass virtualization, and a complete rethink about ‘desktop+applications’ should be on the Corporate IT radar!



BTW - this was written in Germany, connected to a virtual desktop hosted in Ireland, through a home ADSL link, using virtualized applications located someplace in America, and finally posted to the blog - which does all work well!


The opinions expressed here are my personal opinions. Content published here is not read or approved in advance by EMC and does not necessarily reflect the views and opinions of EMC.

Mayday, Mayday, Cloud under attack!

Imported post, originally published August 1 2010

In several recent discussions with security groups and agencies in the private and public sectors, the issue of security has of course come up. There are several facets to security, but the specific issues raised were ‘breaking out of the hypervisor’ that facilitates virtualization, and zero-day attacks. These are certainly points to consider amid the euphoria surrounding Cloud models.

Cases such as the Google attack in January 2010 reiterate the need for vigilance in the large-scale constructs known as Public Clouds. That Google was able to determine the attack vectors and attack surface indicates a high level of skill and diagnostic tooling. Note, however, that this was during and after the attack, not before.

One of the reasons many organizations would like to go Private Cloud, ahead of the expounded benefits of the Public Cloud model, is exactly the sense that their data and systems are secure behind their own perimeter networks. Make no mistake: Public Cloud providers also have perimeter networks, firewalls and DMZs (demilitarized zones) as thick as picket fences around their infrastructure. Nonetheless, much of this is rendered useless, or at least of limited value, when an innocuous email or PDF document is sent to a user who unwittingly unleashes ‘the Mother of all Malware!’

These types of attacks can subvert the ‘goodness’ of the Cloud to absolutely insidious uses – imagine millions of systems in a Cloud Provider environment attacked, subverted, and then infiltrating other Clouds and consumer PCs – a veritable storm of trouble!

It is important to note that the attacks themselves are not always sophisticated, but by using techniques commonly employed to protect environments and data, such as encryption, malware and botnets can also cover their traces and make themselves ‘protected’. Panda Labs' analysis of the Mariposa botnet is an example of unsophisticated but effective botnet activity. It is difficult to classify a program as good or bad on sight alone - a botnet can also be a benign entity in the form of a distributed program running across many different systems.

So what is happening in the Cloud to protect against such attacks?

Well, actually, a lot of investment and research is going into precisely preventing, or at least limiting the reach of, these attacks. RSA, an EMC division, has its enVision suite that automates security event analysis and remediation across large networks. The ability to ‘perform parallel processing, correlation and analysis’ allows the security framework itself to use, in parallel, the same Cloud resources that are potentially under attack.

It should be clear that only software/hardware-enhanced programs running at this mega scale allow us to proactively manage the environment from a security and risk perspective. The RSA enVision flyer says it all: the ability to analyse and draw in ‘tens of thousands of device log’ entries in near real time is of paramount importance. To this is added the ability to use policies and advanced heuristics to determine ‘suspicious’ behavior.

There are other products and vendors out there offering functionality targeted at finding the proverbial needle in a haystack that points to an attack, and at locking it down as soon as possible. Network providers such as Cisco offer network-level awareness of attacks, literally locking down an attack's ability to use the network to propagate. Cisco calls this MARS - the Cisco Security Monitoring, Analysis and Response System. Again, a very powerful tool that is integrated at all levels of the computing environment.

Effectively, even if a hypervisor has been compromised, the network itself could lock that node out of the entire network, blocking the botnet/malware from propagating further. VMware, Microsoft, Citrix, Novell, RedHat and Oracle, together with the myriad other hypervisor manufacturers, are actually pretty careful to ensure that their code is rock solid. The fact that dedicated hypervisors are focused solely on providing virtualization means that they can be well locked down, and there are many published best practices for hardening these systems further.

VMware provides the VMsafe interfaces, which allow virus-scanning engines to hook into the hypervisor and prevent infection before it reaches the virtual machine. Large-scale protection paradigms are now beginning to materialize. This agent-free approach links into the policy-based engines that drive the clouds of today, so that new protection schemes, rules and filters can be applied literally across thousands of machines to stop zero-day attacks from gaining any form of ascendancy in the Cloud infrastructure.

The use of software firewalls that can process huge amounts of information, thanks to the increasing core density in the underlying infrastructure (‘Multi-Core Gymnastics in a Cloud World’), allows virtual machines to be protected on a per-VM basis. This actually provides higher protection than in the physical constructs they replace. Policy-driven engines can update firewall rules across millions of virtual machines in a very short space of time.
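
A minimal sketch of what ‘policy-driven’ means in practice - illustrative Python only; the object model, tag names and rule format are my own assumptions, not any vendor's API:

    from dataclasses import dataclass, field

    @dataclass
    class FirewallPolicy:
        """A named policy attached to VMs by tag rather than by address."""
        name: str
        applies_to_tag: str
        rules: list = field(default_factory=list)   # e.g. ("deny", "tcp", 445)

    @dataclass
    class VirtualMachine:
        name: str
        tags: set
        rules: list = field(default_factory=list)

    def push_policy(policy: FirewallPolicy, inventory: list) -> int:
        """Apply the policy to every VM carrying the matching tag."""
        updated = 0
        for vm in inventory:
            if policy.applies_to_tag in vm.tags:
                vm.rules = list(policy.rules)   # replace the VM's rule set
                updated += 1
        return updated

    inventory = [VirtualMachine("web-01", {"dmz"}), VirtualMachine("db-01", {"internal"})]
    lockdown = FirewallPolicy("block-smb", "dmz", [("deny", "tcp", 445)])
    print(push_policy(lockdown, inventory), "VMs updated")

Because protection is attached to a tag or policy rather than to individual addresses, one change fans out to the whole estate - which is what makes per-VM firewalling manageable at Cloud scale.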

Other operating system enhancements, silicon-enabled security baked into the chip, protocol enhancements in IPv6 and widespread, easily accessible encryption are paving the way for a myriad of ways to protect systems and data, prevent unauthorized access, and provide detailed audit trails (privacy is still an issue here) to follow attacks to their source.

In conclusion, many existing and new technologies are being integrated directly into the fabric of virtualization. This in turn is making security analysts far more efficient at pinpointing and locking down attack vectors en masse.

The best thing of all is the unprecedented level of integration into the hypervisor itself, which allows these multi-layered defense mechanisms to be easily deployed and managed. So yes, Clouds can be a safe place to conduct business - but caution still needs to be applied. A lot of the common sense and expertise built up in organizations over time is still valid, and good procedures, design, implementation and operations remain the keystones of safety.

The Cloud paradigm itself is finding ways of protecting itself, and the side effects of cloud usage are themselves of benefit. With the move to virtual desktops and servers, the ability for an organization to patch its systems frequently, without scheduling changes over months, has allowed one of the principal attack vectors - the compromised PC - to be protected.

That protection is gradually shifting down to physical PCs as well: free virus scanners (better than none at all - yes, that still happens), a reduced application software footprint, and the use of SaaS offerings with frequently updated protection filters are all slowing down the spread of infection.

The Cloud paradigm, and the evolving security ecosystem, indicate that large-scale infrastructure can protect itself. The Private Cloud still presents a very strong case for privacy, security and compliance, as it is felt to be inherently secure. Clouds still need to be able to protect themselves and other Clouds at the same time - this stops or slows the movement of infection and malware until appropriate identification and removal countermeasures can be deployed. Get your feet wet in the Private Cloud first, security-wise, and then consider the Public Cloud. This is a perfectly valid Journey-Route to the Cloud!


The opinions expressed here are my personal opinions. Content published here is not read or approved in advance by EMC and does not necessarily reflect the views and opinions of EMC.

All Roads Lead to the Cloud - Cloud Automation

Imported post, originally published Apr 25 2010


There has been, and continues to be, a huge amount of material generated regarding the 'Cloud'. There are many definitions, and I am not going to repeat them here. As part of EMC Consulting, we see many different approaches from clients on how to reach the characteristic functions of the cloud. There tends to be a lot of focus currently on the theme of 'control' within the cloud.


As I mentioned in my last blog, the folks certified in virtualization products (in the mainstream VMware, Citrix or Microsoft certifications - and there are others of course) tend to start with the main management consoles provided with the virtualization solution, or with a third-party product that has integrated API functionality for managing all or part of the computing real estate. This is a bottom-up approach and works reasonably well. There are other, more programmatic approaches, in the sense that an overlay to the computing resources is created: a portal-style application is used to capture service instructions and process them. This is a middle up-down approach focused on the existing IT landscape.


However, what strikes me as being of significance is that there are many roads leading to the cloud, and that it is perhaps necessary to understand that many of those journeys are mandated by the current contingencies operating within different organizations. The unique mix of market needs, skills and the configuration within an organization tend to lend shape to the transformation approach leading to the cloud. Interestingly, these initial forays into this domain provide significant learning experiences for organizations, ultimately allowing them to determine which cloud configuration will best support their business ambitions. This is also true of organizations operating within the same market - they all take a different internal approach to building out their clouds.


However, when an organization has been tasked with creating the necessary capabilities allowing cloud transformations to take place on very large scales, then some upfront thought is definitely going to pay off. In the race for product sets providing panaceas to cloud control, some of the good 'ole fashioned computing management lessons learned over the last 30-40 years tend to be pushed out of scope, although they may well still be relevant.


One of the areas I was reminded of the other day, in discussion with some vendors and clients, was how to control the various activities within the cloud - once it is actually there. I was struck by the incredible complexity and simplicity of this statement. Back in the early 80s I used to work on IBM mainframes, and many of the cloud characteristics we see today had some of their early - and, arguably from a GUI perspective, primitive - beginnings there. I recall that job scheduling was a big thing at the time! There were literally thousands of activities taking place in the background that nobody was aware of, and they kept the business running.


In a cloud, once the infrastructure levels are instantiated and the virtual compute resources have been apportioned to specific guest operating systems within virtual machine containers (yes, I know there are other ways of providing resources in the cloud - I am just taking this one as an example, as most organizations are familiar with it), the fun really starts. So let's take this further. We suddenly have 10,000 virtual machines running server operating systems, and another, say, 100,000 virtual desktops running in our cloud. Great stuff - well done folks!


Well, as most administrators and IT shops know, the work is just starting. There are all the activities regarding data backup, replication of data, servicing restores, rolling out anti-virus updates, controlling the flow of agents within each of those machines (e.g. update programs running on desktops offering to update the Adobe Acrobats of this world, and indeed the operating system itself, all directed at a limited number of source machines), patching - and the list goes on and on.


There are many ways to deal with these types of activities, but ultimately they come back to some form of console where these events are scheduled. For example, backups are typically grouped, scheduled and hopefully executed. Reporting on an exception basis then focuses the administrator on re-running some of the failed backups. This could be partially automated using event-driven intelligence - where specific alerts generate specific actions that are then triggered and managed, much like a scheduled job.
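
A sketch of that semi-automatic, event-driven pattern might look like the following - illustrative Python in which the backup call is a stand-in invented for the example, not a real backup API:

    import random

    def run_backup(vm_name: str) -> bool:
        """Placeholder backup call - here it simply fails ~10% of the time."""
        return random.random() > 0.1

    def backup_window(vms, max_retries=2):
        """Group, schedule, execute - then re-run only the exceptions."""
        failed = [vm for vm in vms if not run_backup(vm)]
        for attempt in range(1, max_retries + 1):
            if not failed:
                break
            print(f"Retry {attempt}: re-running {len(failed)} failed backups")
            failed = [vm for vm in failed if not run_backup(vm)]
        # Anything still failing becomes an exception report for a human.
        return failed

    exceptions = backup_window([f"vm-{i:05d}" for i in range(10_000)])
    print(f"{len(exceptions)} backups need administrator attention")

The scheduler does the bulk of the work; the administrator only sees the exceptions - exactly the discipline mainframe job scheduling imposed decades ago.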


As you can see, some of the typical things IT shops have been doing over the years are still relevant. Don't get me wrong; there are other ways of doing things. Indeed, the paradigm of data protection through backup has seen substantial revision in recent years with the widespread use of disk media technologies. However, the reality at IT shops is still the need for control and accountability of the backup process. Control is a very important part of IT Service Delivery disciplines, in the sense of reporting to your business service clients (internal or external) that you are doing what they are purchasing as a service, and that the service is running 'just fine!'


The point here is that the need for massively scalable job scheduling in the cloud, providing event- and schedule-driven activity intelligence, is definitely still there. IT operations would otherwise have a very difficult job controlling the potentially millions of operational activities that need to take place daily. Ensuring, for example, that all virtual machines are backed up, and providing the reporting data to management with a breakdown per business unit along cost and performance dimensions, is potentially a 'job' that needs to be run at a certain time. This stuff does not just happen on its own, automagically!


I was speaking about this theme with a particular vendor, UC4 (there are others in the market of course - but the beer was very good in Belgium - thanks Lennaert De Jong), and we were discussing the backup 'job' when there are potentially hundreds of thousands or millions of clients. Never mind that the technological way of realizing this would probably differ vastly from the traditional backup approach of streaming to a storage medium - the task itself is still there. In such a large cloud environment, I realized that all the tricks of the datacenters, ICT shops and service providers still apply - with some significant modifications needed.


However, the sheer scale under discussion requires effective means of control - this is absolutely essential. Think about it: patching a million virtual machines in the cloud that require a critical patch may not allow the luxury of rolling out the patch (hopefully regression tested first, please) to small groups of machines, verifying that all is well, and then rolling out to larger and larger groups.


The patch in question may be against a particularly virulent viral infection. There may well be twists and turns in the logic, such as: 'patch; if OK, reboot; if not OK, bring back a previous image of the machine and patch again; if still failing, power off the virtual machine and call your nearest IT Virus Buster through an alerting mechanism'. The poor IT administrator may get thousands or millions of alerts in this way. Basically, IT operations could be swamped.
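
That remediation logic is easy enough to express as pseudo-automation - a hedged Python sketch in which every action (patch, reboot, revert, power off, alert) is a caller-supplied placeholder rather than any real hypervisor or patching API:

    def remediate(vm, patch, reboot, revert_to_snapshot, power_off, raise_alert):
        """'Patch; if OK reboot; if not OK revert and patch again; if still
        failing power off and alert' expressed as a function. All arguments
        are caller-supplied callbacks - no real API is implied."""
        if patch(vm):
            reboot(vm)
            return "patched"
        revert_to_snapshot(vm)          # bring back a previous image
        if patch(vm):
            reboot(vm)
            return "patched-after-revert"
        power_off(vm)                   # contain the machine
        raise_alert(vm, "patch failed twice - manual intervention needed")
        return "quarantined"

    # Illustrative run with stubbed actions, simulating a patch that fails.
    result = remediate(
        "vm-000042",
        patch=lambda vm: False,
        reboot=lambda vm: None,
        revert_to_snapshot=lambda vm: None,
        power_off=lambda vm: None,
        raise_alert=lambda vm, msg: print(f"ALERT {vm}: {msg}"),
    )
    print(result)   # -> "quarantined"

The operational problem is not this per-VM logic but running it a million times in parallel without drowning the operators in alerts - which is exactly why alert aggregation and scheduling control matter so much.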


It definitely pays dividends for organizations embarking on the cloud transformation to ensure their IT house is in order to handle massive numbers of parallel events. Even simple activities that currently take place in organizations, such as file transfers, can at this scale become seriously complex when things start to go wrong.


So planning for scale, preparing for things going wrong, and mapping these onto some of those traditional ICT management skills will certainly help you move further on the cloud journey. Go on - don't be afraid to dust off some of that 'old' knowledge and get it working again for the cloud!





The opinions expressed here are my personal opinions. Content published here is not read or approved in advance by EMC and does not necessarily reflect the views and opinions of EMC.