NetWorker Blog

Commentary from a long term NetWorker consultant and Backup Theorist

  • This blog has moved!

    This blog has now moved to nsrd.info/blog. Please jump across to the new site for the latest articles (and all old archived articles).

  • Enterprise Systems Backup and Recovery

    If you find this blog interesting, and either have an interest in or work in data protection/backup and recovery environments, you should check out my book, Enterprise Systems Backup and Recovery: A Corporate Insurance Policy. Designed for system administrators and managers alike, it focuses on features, policies, procedures and the human element to ensuring that your company has a suitable and working backup system rather than just a bunch of copies made by unrelated software, hardware and processes.

Posts Tagged ‘cloud computing’

Can you trust Azure?

Posted by Preston on 2009-11-18

So The Register has a story about how Microsoft is edging closer to delivering its cloud-based system, Azure.

It seems inept that through the entire article, there wasn’t a single mention of the Sidekick Debacle. As you may remember, that debacle was sponsored by ‘Danger’, a Microsoft subsidiary. If you think Microsoft weren’t involved because Danger was a subsidiary, think again.

If we can learn anything from this, it’s that too many people like to close one eye and half shut the other one to make sure they don’t see all those dark and dangerous storm clouds racing around their silver linings.

Based on Microsoft’s track record, I wouldn’t trust Azure for a minute with a KB of my data even if they were paying me. Not until there’s an industry-wide alliance for certifying cloud based solutions and ensuring vendors actually treat customer data as if it were their own most sensitive and important data. Not until Microsoft are a gold member of that alliance and have come out of their first two audits with shining covers.

Until then when it comes to Azure, all I see are dark Clouds with no silver linings.

Posted in Aside, General Technology, General thoughts | 2 Comments »

Google service and accountability in The Cloud

Posted by Preston on 2009-11-02

Over at The Register, there’s a story, “Gmail users howl over Halloween Outage”. As readers may remember, I discussed in The Scandalous Truth about Clouds that there need to be significant improvements in the realm of visibility and accountability from Cloud vendors if it is to achieve any form of significant trust.

The fact that there was a Gmail outage for some users wasn’t what caught my attention in this article – it seems that there’s almost always some users who are experiencing problems with Google Mail. What really got my goat was this quote:

Some of the affected users say they’re actually paying to use the service. And one user says that although he represents an organization with a premier account – complete with a phone support option – no one is answering Google’s support line. Indeed, our call to Google’s support line indicates the company does not answer the phone after business hours. But the support does invite you leave a message and provide an account pin number. Google advertises 24/7 phone support for premier accounts, which cost about $50 per user per year.

Do No Evil, huh, Google? What would you call an unstaffed 24×7 support line for people who pay for 24×7 support?

It’s time for the cloud hype to be replaced by some cold hard reality checks: big corporates, no matter “how nice” they claim to be, will as a matter of indifference trample on individual end-users time and time again. Cloud is all about big corporates and individual end users. If we don’t get some industry regulation/certification/compliance soon, then as people continue to buy into the cloud hype, we’re going to keep seeing stories of data loss and data unavailability – and the frequency will continue to increase.

Shame Google, shame.

Posted in General Technology | Comments Off

The scandalous truth about Clouds

Posted by Preston on 2009-10-17

Your cloud based data may be hanging by a thread and you wouldn’t even know.

Clouds: Is your data hanging by a thread?

Introduction

The recent Sidekick debacle proved one thing: it’s insufficient to “just trust” companies that are currently offering cloud based services. Instead, industry standards and regulations must be developed to permit use of the term.

I’ll be blunt: as per previous articles here, I don’t believe in “The Cloud” as a fundamental paradigm shift. I see it as a way of charging more for delivering the same thing for private clouds, and (as exemplified by Sidekick), something which may be fundamentally unreliable as a sole repository of data in the public instance.

Regardless of that however, it’s clear that the “cloud” moniker will be around for a while, and businesses will continue to trade on providing “cloud” services (and thus being buzzword compliant). So, like it or lump it, we need to come up with some rules.

Recently SNIA has started an initiative to try to set up some standards for Cloud based activities. However, as is SNIA’s right, and their focus, this primarily looks at data management, which is less than half of the equation for public cloud services. The lion’s share of the equation for public cloud services, as proven by the Sidekick debacle, is trust.

Currently the cloud computing industry is like the wild west. Lots of people are running around promising fabulous new things that can solve any number of problems. But when those fabulous new things fail or fall over even temporarily, a lot of people can be negatively affected.

How can people trust that their cloud data is safe? Regulation is a good starting point.

If you are one of those people who at the first hint of the word regulation throws up your hands and says “that’s too much government intervention”, then I’d invite you to stop and think for a few minutes about the global financial crisis. If you’re one of those people who insists “industries should be self regulating”, I’d invite you to look at a certain Microsoft subsidiary called Danger that was offering a service called Sidekick. In short, self regulation doesn’t work without rigid transparency.

So, what needs to be done?

Well, there are three key factors that need to be addressed in order to achieve true and transparent trust within cloud based businesses. These are:

  • Foundation of ethical principles of operation
  • Periodic certified (mandatory) audit process
  • Reporting

Let’s look at each of these individually.

Ethical Principles of Operation

Whenever I start thinking about ethics in IT, I think of two different yet equally applicable sayings:

  • Common sense is not that common (usually incorrectly attributed to Voltaire)
  • When you assume you make an ass out of u and me. (Unknown source.)

Extending beyond the notion of “cloud”, we can say that companies should strive to understand the ethical requirements of data hosting, so as to ensure that whenever they hold data for and on behalf of another company or individual they:

  1. At all times aim to keep the data available within the stated availability times/percentages.
  2. At all times ensure the data is recoverable.
  3. At all times be prepared to hand over said data on request/on termination of services.

These should be self evident in that if the situation were reversed we would expect the same thing. Companies that offer cloud services should work such ethical goals into their mission requirements and individual goals of every individual employee. (If the company offers cloud application services as well as just data services, the same applies.)

Mandatory, Periodic, Independently Certified Auditing of Compliance

In a perfect world, ethics alone would be sufficient to garner trust. However, as we all know, we need more than ethics in order to generate trust. Trust will primarily come from mandatory periodic independently certified auditing of compliance to ethical principles of cloud data storage.

What does this mean?

So let’s look at each word in that statement to understand what a company* should have to do in order to offer “cloud” data/services:

  • mandatory – it must, in order to keep referring to itself as “cloud”
  • periodic – every 6-12 months (more likely every 12 months – 6 would be preferable in the fast moving world of the internet however)
  • independently – to be done by companies or consultants who do not have any affiliation that would cause a conflict of interest
  • certified auditing – said companies or consultants doing the auditing must have certification from SNIA for following appropriate practices
  • compliance – if found to be non-compliant, SNIA (or some other designated agency) must post a warning on their web-site within 1 month of the audit, and the company be given 3 months to rectify the issue. If after 3 months they have not, then SNIA should flag them as non-compliant. This should also result in the company taking down any reference to “cloud”.

Obviously unless legally enforced, a company could choose to sidestep the entire compliancy check and just declare themselves to be cloud services regardless. Therefore there must be a “Known Compliant” list kept up to date, country-by-country, that would be advertised not only by SNIA but by actual cloud-compliant companies which partake in the process, so that end-users and businesses could reference this to determine who have exhibited certified levels of trust.

In order to achieve that certification, companies would need to be able to demonstrate to the auditor that they have:

  • Designed their systems for sufficient redundancy
  • Designed adequate backup and per-customer data recoverability options (see note below)
  • Have disaster recovery/contingency planning in place
  • Have appropriate change controls to manage updates to infrastructure or services

Note/Aside regarding adequate backup and per-customer data recoverability options. Currently this is an entirely laughable and inappropriate state. If companies wish to offer cloud based data services, and encourage users to store their data within their environment, they must also offer backup/recovery services for that data. They may choose to make this a “local-sync” style option – keeping a replica of the cloud-data in a designated local machine for the user, or, if not done this way, they must offer a minimum level of data recoverability service to their users. For example, something even as basic as “Any file stored in our service for more than 24 hours will be recoverable for 6 weeks from time of storage.” I.e., it doesn’t necessarily have to be the same level of data recovery we expect from private enterprise networks, but it must be something.

It would be easy and entirely inappropriate to say instead of all this auditing that companies must simply publish all the above information. However, that represents a potential data security issue, and it also potentially gives away business-sensitive information, so I’m firmly against that idea. The only workable alternative to that however is the certified auditing process.

Reporting

Currently there is far too cavalier an approach to reporting by cloud vendors about the state of their systems. Reporting must be publicly available, fulfilling the following categories:

  1. Compliancy – companies should ensure that any statement of compliancy is up to date.
  2. Availability – companies should keep their availability percentile (e.g., “99.9% available”) publicly available in the way that many primary industries for instance publish their “days without an injury” statistics.
  3. Failures – companies must publish failure status reports/incident updates at minimum every half an hour, starting from the time of the incident and finishing after the incident is resolved. It’s important for cloud vendors to start to realise that their products may be used by anyone else in the world, so it’s not sufficient to just wake IT staff on an incident, management or other staff must be available to ensure that updates continue to be generated without requiring IT staff to stop working on resolution. I.e., round-the-clock services require round-the-clock reporting.
  4. Incident reports – all incidents that result in unavailability should have a report generated, which will be reviewed by the auditor on the next compliancy check.

In conclusion

Does this sound like a lot of work? Well, yes.

It’s all too easy for those of us in IT to take a cavalier attitude towards user data – they should know how to backup, they should understand the risks, they should … well, you get the picture. Yes, there’s a certain level of education we would like to see in end users, but think of the flip-side. They’re not IT people. They don’t necessarily think like IT people. For the most part, they’ve been trained not to think about backup and data protection because it’s not something that’s been pushed home within the operating systems they’re using. (A trend that seems to be readily reversing in Mac OS X thanks to Time Machine.)

Ultimately, cloud failures can’t be palmed off with trite statements that users should have kept local copies of their data. Cloud services are being marketed and promoted as “data available anywhere” style systems, which creates an expectation of protection and availability.

So in short, while this is potentially a lot of work to set up, it’s necessary. It should be considered to be a moral imperative. In order to actually garner trust, the current wild-west approach to Clouds must be reined in and be given certified processes that enable users (or at least trusted IT advisers of users) to confidently point at a service and say: “that’s been independently checked: it’s trustworthy”.

Anything short of this would be a scandalous statement about deniability, legal weaseling out of responsibility and a “screw you” attitude towards end-user data.


* Obviously some individuals, moving forward, may in various ways choose to offer cloud access. Due to hosting and bandwidth, it’s likely in most instances that such access would be as a virtual private cloud – a cloud that’s “out there” in internet land, but is available only to select users. As such, it would fall into the realm of private clouds, which will undoubtedly have a do whatever the hell you feel like doing approach. However, in the event of individuals rather than corporates specifically offering full public-cloud style access to data, there should be a moniker for “uncertified” individual cloud offerings – available only to individuals; never to corporates.

Posted in Backup theory, Data loss, General Technology, General thoughts | 1 Comment »

Larry Ellison vs The Cloud

Posted by Preston on 2009-10-04

This article came out on the 26th of September (US time), but since that was my birthday (27th, AU time), I feel justified in not noticing it straight away. I was otherwise occupied that day.

Nevertheless, CNET’s coverage of Larry Ellison on the cloud is worth a read. As periodic readers would notice, I don’t have a lot of time for the “cloud” concept; for the most part I equate it to The Emperor’s New Clothes. In fact, there are a few distinctly different reasons why I dislike the cloud:

  • A lot of the hype resembles The Network Computer, previously espoused by Sun and chased as a dream that helped see them end up where they are today.
  • A lot of the remaining hype resembles things that we already do. “Private cloud” is the biggest rip-off term I’ve ever heard in my life – vendors want to sell you private cloud computing? Unfortunately if you stick that “private cloud computing” label on “datacentre” all you’re going to do is add 20 – 50% to the cost for Buzzword Compliance.
  • The remaining hype seems to be about encouraging businesses to do things less safely. (As an example…) Sure, put all your business email and documents in Google. That never goes down.

The more I read about The Cloud, the more I’m convinced it’s The Next Buzzword. One thing I am certain of though is that Larry Ellison nails the cloud with the following quote:

“The interesting thing about cloud computing is that we’ve redefined cloud computing to include everything that we already do. I can’t think of anything else that isn’t cloud computing with all these announcements.”

In other words, people who want to be sucked in to pay an extra 30% for things they can already do within their private infrastructure, or want to push more and more of their infrastructure onto third parties whom they have little to no control over deserve all they get.

Posted in Aside | Comments Off

Cloud Computing vs The Network Computer

Posted by Preston on 2009-08-21

Or, I can’t see the emperor’s new clothes…

More than a decade ago, Sun bet its future on The Network Computer. We were supposed to see a fundamental shift in computing away from powerful local desktops to powerful centralised servers, with desktops being little more than multimedia capable terminals. The obvious advantage to this was that it would enable you to transfer your session to wherever you wanted in the world, just by unplugging your session identity from one terminal and plugging it into another.

Indeed, I had direct experience with this, since the previous company I worked for bought into this “session goes with you” mentality and invested in a bunch of Sun Ray terminals. And indeed, you could yank your session card out of one Sun Ray and shove it into another Sun Ray without any loss of data or session state.

Sun bet its future on The Network Computer and it lost. It’s now in the process of being subsumed by Oracle, who by all accounts were very disinterested in the hardware side of the business and would have preferred to have just got a hold of selective chunks of the software business. Of course, there were more reasons for the failure of Sun than the Network Computer, but let’s be brutally frank – that hysterical monoculture being proposed was at the core of Sun’s direction for far too long; it distracted Sun from their true core capabilities (server and operating systems), and by the time they started to correct the course, the rot had already set in.

In the end, people didn’t buy into the Network Computer. More importantly, IT departments didn’t buy into the Network Computer. Why? Conspiracy theorists would have us believe that Microsoft somehow ‘tricked’ the industry into heading in the wrong direction. Much as I prefer to avoid Microsoft solutions wherever possible, even I’m not so blinkered as to either (a) lay the blame at Microsoft’s feet, or indeed (b) lay the blame at anyone else’s feet. It wasn’t because Microsoft somehow convinced the world that Network Computing was wrong, it was because the world knew that Network Computing was wrong. IT departments knew that Network Computing was wrong – and still, to this day, know that Network Computing is wrong.

People voted against NC because they wanted the speedy and zippy response that can only be had by sufficiently powerful desktop machines.

Now, let’s consider the main differences between NC and cloud computing, shall we?

NC is:

  1. Keeping processing with the servers.
  2. Keeping storage with the servers.
  3. Keeping desktop state with the servers.
  4. Allowing “anywhere” (that is network accessible) access to the desktop state.

Cloud computing is:

  1. Keeping processing (or just data) with the servers.
  2. Keeping storage away from the desktop.
  3. Allowing “anywhere” (that is network/internet accessible) access to the processing (or just the data).

So let me ask you this. If the world voted against NC because it was a fundamentally flawed model that pushed all processing to the back-end and left the desktop as some abhorrently useless piece of parts without the presence of the back-end, what makes everyone on the Cloud Computing bandwagon think it’s going to be any different? (Indeed, studies such as this would suggest that cloud computing advocates have a very rocky road ahead for them.)

A large part of the rebellion against NC was that performance was just never good enough. That was with (for companies that deployed NCs) processing and storage being done on the LAN, but just not locally to the desktop. If that was seen as a bottleneck, how can the first line of data access in the cloud – i.e., on the internet and subject to internet level speeds – be seen as anything other than a bottleneck?

There’s an argument that cloud computing is simply the (inevitable) commoditisation of IT; rather than every business needing local IT infrastructure, they’ll just rent processing and storage capacity from specialist cloud based computing services. To me this is yet to wash true – it just sounds like NC++*.

If this were all that cloud computing had to refute, it might be able to mount compelling arguments for a systemic migration of IT processes to the cloud. But that’s not the only issue at hand with cloud computing. You see, in addition to being NC++, cloud computing has to contend with a plethora of other issues, covering privacy, data protection, transfer of services, cost of bandwidth and provisioner viability**.

If the various vendor bloggers and industry commentators want to convince the world that cloud computing is the way of the future and not NC++, they need to understand that they have a long hard road ahead of them.

Come to think of it, I can’t even hear the emperor’s new clothes rustle as he walks past.

If you think there’s a good reason why Cloud Computing isn’t just NC++, let me know. Whenever people start talking cloud computing I feel like someone who doesn’t get a joke while everyone else is laughing … clearly there’s something to be excited about, but, …, I don’t get it.


* For readers who don’t know C, C++, Perl, etc., languages and their derivatives; “++” means “add one” in these languages; hence, NC++ = “Network Computing Plus 1”. (Or, “the next iteration of network computing”.)

** I acknowledge, I use Mozy, an online backup system for certain personal backups, but I always have other access strategies – i.e., it’s a 100% last resort. There is a significant realm of difference between targeted personal cloud use and business cloud use.

Posted in Aside | 4 Comments »
