NetWorker Blog

Commentary from a long term NetWorker consultant and Backup Theorist

  • This blog has moved!

    This blog has now moved to nsrd.info/blog. Please jump across to the new site for the latest articles (and all old archived articles).
  •  


     


     

  • Enterprise Systems Backup and Recovery

    If you find this blog interesting, and either have an interest in or work in data protection/backup and recovery environments, you should check out my book, Enterprise Systems Backup and Recovery: A Corporate Insurance Policy. Designed for system administrators and managers alike, it focuses on features, policies, procedures and the human element to ensuring that your company has a suitable and working backup system rather than just a bunch of copies made by unrelated software, hardware and processes.
  • This blog has moved!

    This blog has now moved to nsrd.info/blog. Please jump across to the new site for the latest articles (and all old archived articles).
  •  


     


     

  • Twitter

    Error: Twitter did not respond. Please wait a few minutes and refresh this page.

Posts Tagged ‘cloud’

Introducing my new blog

Posted by Preston on 2009-11-28

As frequent visitors to my blog will know, I don’t buy into all the Cloud Hype that threatens to overwhelm the technology industry at the moment. While I’ve periodically written about the Cloud on this blog when something particularly unsettling has come up, I’ve decided that it’s time to fire up a new blog dedicated to providing an alternative view on Cloud Computing.

So, over at my new blog, you’ll find ongoing commentary about Cloud Computing that will be refreshingly free of the hype that we so often find ourselves exposed to on a daily basis.

I will strive to be as honest as possible, will willingly point out anything being done in Cloud initiatives that is fresh and new, and will be open to people trying to convince me that I’m wrong.

I’m a backup consultant. I don’t go for bleeding edge for the sake of it, I don’t buy into hype, and I don’t recommend or accept anything that jeopardises user data.

So, without further adieu, please feel free to visit I Am The Anti-Cloud.

(Moving forward, unless something significantly overlaps NetWorker and The Cloud, I’ll not be posting about the Cloud on this blog.)

Posted in General Technology, General thoughts | Tagged: | Comments Off

Can you trust Azure?

Posted by Preston on 2009-11-18

So The Register has a story about how Microsoft is edging closer to delivering it’s cloud based system, Azure.

It seems inept that through the entire article, there wasn’t a single mention of the Sidekick Debacle. As you may remember, that debacle was sponsored by ‘Danger’, a Microsoft subsidiary. If you think Microsoft weren’t involved because Danger was a subsidiary, think again.

If we can learn anything from this, it’s that too many people like to close one eye and half shut the other one to make sure they don’t see all those dark and dangerous storm clouds racing around their silver linings.

Based on Microsoft’s track record, I wouldn’t trust Azure for a minute with a KB of my data even if they were paying me. Not until there’s an industry-wide alliance for certifying cloud based solutions and ensuring vendors actually treat customer data as if it were their own most sensitive and important data. Not until Microsoft are a gold member of that alliance and have come out of their first two audits with shining covers.

Until then when it comes to Azure, all I see are dark Clouds with no silver linings.

Posted in Aside, General Technology, General thoughts | Tagged: , , | 2 Comments »

Google service and accountability in The Cloud

Posted by Preston on 2009-11-02

Over at The Register, there’s a story, “Gmail users howl over Halloween Outage“. As readers may remember, I discussed in The Scandalous Truth about Clouds that there needs to be significant improvements in the realm of visibility and accountability from Cloud vendors if it is to achieve any form of significant trust.

The fact that there was a Gmail outage for some users wasn’t what caught my attention in this article – it seems that there’s almost always some users who are experiencing problems with Google Mail. What really got my goat was this quote:

Some of the affected users say they’re actually paying to use the service. And one user says that although he represents an organization with a premier account – complete with a phone support option – no one is answering Google’s support line. Indeed, our call to Google’s support line indicates the company does not answer the phone after business hours. But the support does invite you leave a message and provide an account pin number. Google advertises 24/7 phone support for premier accounts, which cost about $50 per user per year.

Do No Evil, huh, Google? What would you call unstaffed 24×7 support line for people who pay for 24×7 support?

It’s time for the cloud hype to be replaced by some cold hard reality checks: big corporates, no matter “how nice” they claim to be, will as a matter of indifference trample on individual end-users time and time again. Cloud is all about big corporates and individual end users. If we don’t get some industry regulation/certification/compliance soon, then as people continue to buy into the cloud hype, we’re going to keep seeing stories of data loss and data unavailability – and the frequency will continue to increase.

Shame Google, shame.

Posted in General Technology | Tagged: , , , | Comments Off

The scandalous truth about Clouds

Posted by Preston on 2009-10-17

Your cloud based data may be hanging by a thread and you wouldn’t even know.

Clouds: Is your data hanging by a thread?

Introduction

The recent Sidekick debacle proved one thing: it’s insufficient to “just trust” companies that are currently offering cloud based services. Instead, industry standards and regulations must be developed to permit use of the term.

I’ll be blunt: as per previous articles here, I don’t believe in “The Cloud” as a fundamental paradigm shift. I see it as a way of charging more for delivering the same thing for private clouds, and (as exemplified by Sidekick), something which may be fundamentally unreliable as a sole repository of data in the public instance.

Regardless of that however, it’s clear that the “cloud” moniker will be around for a while, and businesses will continue to trade on being providing “cloud” services (and thus being buzzword compliant). So, like it or lump it, we need to come up with some rules.

Recently SNIA has started an initiative to try to setup some standards for Cloud based activities. However, as is SNIAs right, and their focus, this primarily looks at data management, which is less than half of the equation for public cloud services. The lions share of the equation for public cloud services, as proven by the Sidekick debacle is trust.

Currently the cloud computing industry is like the wild west. Lots of people are running around promising fabulous new things that can solve any number of problems. But when those fabulous new things fail or fall over even temporarily, a lot of people can be negatively affected.

How can people trust that their cloud data is safe? Regulation is a good starting point.

If you are one of those people who at the first hint of the word regulation throws up your hands and says “that’s too much government intervention”, then I’d invite you to stop and think for a few minutes about the global financial crisis. If you’re one of those people who insists “industries should be self regulating”, I’d invite you to look at a certain Microsoft subsidiary called Danger that was offering a service called Sidekick. In short, self regulation doesn’t work without rigid transparency.

So, what needs to be done?

Well, there’s three key factors that need to be addressed in order to achieve true and transparent trust within cloud based businesses. These are:

  • Foundation of ethical principles of operation
  • Periodic certified (mandatory) audit process
  • Reporting

Let’s look at each of these individually.

Ethical Principles of Operation

Whenever I start thinking about ethics in IT, I think of two different yet equally applicable sayings:

  • Common sense is not that common (usually incorrectly attributed to Voltaire)
  • When you assume you make an ass out of u and me. (Unknown source.)

Extending beyond the notion of “cloud”, we can say that companies should strive to understand the ethical requirements of data hosting, so as to ensure that whenever they hold data for and on behalf of another company or individual they:

  1. At all times aim to keep the data available within the stated availability times/percentages.
  2. At all times ensure the data is recoverable.
  3. At all times be prepared to handover said data on request/on termination of services.

These should be self evident in that if the situation were reversed we would expect the same thing. Companies that offer cloud services should work such ethical goals into their mission requirements and individual goals of every individual employee. (If the company offers cloud application services as well as just data services, the same applies.)

Mandatory, Periodic, Independently Certified Auditing of Compliance

In a perfect world, ethics alone would be sufficient to garner trust. However, as we all know, we need more than ethics in order to generate trust. Trust will primarily come from mandatory periodic independently certified auditing of compliance to ethical principles of cloud data storage.

What does this mean?

So let’s look at each word in that statement to understand what company* should have to do in order to offer “cloud” data/services:

  • mandatory – it must, in order to keep referring to itself as “cloud”
  • periodic – every 6-12 months (more likely every 12 months – 6 would be preferable in the fast moving world of the internet however)
  • independently – to be done by companies or consultants who do not have any affiliation that would cause a conflict of interest
  • certified auditing – said companies or consultants doing the auditing must have certification from SNIA for following appropriate practices
  • compliance – if found to be non-compliant, SNIA (or some other designated agency) must post a warning on their web-site within 1 month of the audit, and the company be given 3 months to rectify the issue. If after 3 months they have not, then SNIA should flag them as non-compliant. This should also result in the company taking down any reference to “cloud”.

Obviously unless legally enforced, a company could choose to sidestep the entire compliancy check and just declare themselves to be cloud services regardless. Therefore there must be a “Known Compliant” list kept up to date, country-by-country, that would be advertised not only by SNIA but by actual cloud-compliant companies which partake in the process, so that end-users and businesses could reference this to determine who have exhibited certified levels of trust.

In order to achieve that certification, companies would need to be able to demonstrate to the auditor that they have:

  • Designed their systems for sufficient redundancy
  • Designed adequate backup and per-customer data recoverability options (see note below)
  • Have disaster recovery/contingency planning in place
  • Have appropriate change controls to manage updates to infrastructure or services

Note/Aside regarding adequate backup and per-customer data recoverability options. Currently this is an entirely laughable and inappropriate state. If companies wish to offer cloud based data services, and encourage users to store their data within their environment, they must also offer backup/recovery services for that data. They may choose to make this a “local-sync” style option – keeping a replica of the cloud-data in a designated local machine for the user, or, if not done this way, they must offer a minimum level of data recoverability service to their users. For example, something even as basic as “Any file stored in our service for more than 24 hours will be recoverable for 6 weeks from time of storage.” I.e., it doesn’t necessarily have to be the same level of data recovery we expect from private enterprise networks, but it must be something.

It would be easy and entirely inappropriate to say instead of all this auditing that companies must simply publish all the above information. However, that represents a potential data security issue, and it also potentially gives away business-sensitive information, so I’m firmly against that idea. The only workable alternative to that however is the certified auditing process.

Reporting

Currently there is far too cavalier an approach to reporting by cloud vendors about the state of their systems. Reporting must be publicly available, fulfilling the following categories:

  1. Compliancy – companies should ensure that any statement of compliancy is up to date.
  2. Availability – companies should keep their availability percentile (e.g., “99.9% available”) publicly available in the way that many primary industries for instance publish their “days without an injury” statistics.
  3. Failures – companies must publish failure status reports/incident updates at minimum every half an hour, starting from the time of the incident and finishing after the incident is resolved. It’s important for cloud vendors to start to realise that their products may be used by anyone else in the world, so it’s not sufficient to just wake IT staff on an incident, management or other staff must be available to ensure that updates continue to be generated without requiring IT staff to stop working on resolution. I.e., round-the-clock services require round-the-clock reporting.
  4. Incident reports – all incidents that result in unavailability should have a report generated on which will be reviewed by the auditor on the next compliancy check.

In conclusion

Does this sound like a lot of work? Well, yes.

It’s all too easy for those of us in IT to take a cavalier attitude towards user data – they should know how to backup, they should understand the risks, they should … well, you get the picture. Yes, there’s a certain level of education we would like to see in end users, but think of the flip-side. They’re not IT people. They don’t necessarily think like IT people. For the most part, they’ve been trained not to think about backup and data protection because it’s not something that’s been pushed home within the operating systems they’re using. (A trend that seems to be readily reversing in Mac OS X thanks to Time Machine.)

Ultimately, cloud failures can’t be palmed off with trite statements that users should have kept local copies of their data. Cloud services are being marketed and promoted as “data available anywhere” style systems, which creates an expectation of protection and availability.

So in short, while this is potentially a lot of work to setup, it’s necessary. It should be considered to be a moral imperative. In order to actually garner trust, the current wild-west approach to Clouds must be reined in and be given certified processes that enable users (or at least trusted IT advisers of users) to confidently point at a service and say: “that’s been independently checked: it’s trustworthy“.

Anything short of this would be a scandalous statement about deniability, legal weaseling out of responsibility and a “screw you” attitude towards end-user data.


* Obviously some individuals, moving forward, may in various ways choose to offer cloud access. Due to hosting and bandwidth, it’s likely in most instances that such access would be as a virtual private cloud – a cloud that’s “out there” in internet land, but is available only to select users. As such, it would fall into the realm of private clouds, which will undoubtedly have a do whatever the hell you feel like doing approach. However, in the event of individuals rather than corporates specifically offering full public-cloud style access to data, there should be a moniker for “uncertified” individual cloud offerings – available only to individuals; never to corporates.

Posted in Backup theory, Data loss, General Technology, General thoughts | Tagged: , , , , | 1 Comment »

Is Sidekick a Cloud Failure?

Posted by Preston on 2009-10-14

Never trust anything that can think for itself if you can’t see where it keeps its brain.
J.K. Rowling, “Harry Potter and the Chamber of Secrets”

Regular readers of this blog will know that I’m a strong disbeliever in The Cloud – for some very key reasons. The reasons are distinctly different depending on whether a vendor is talking about a private cloud or a “out there in the internet” public cloud.

For private clouds, I think it’s nothing more than the emperor’s new clothes … it’s nothing more than an attempt to stick a buzzword compliant label on something already done in datacentres and charge more for it.

For public clouds, my primary concern is the that it’s a variant of trusting trust. Businesses who put their data, apps and services in the hands of cloud vendors have to trust that the data will be well managed and highly available.

(Aside: Yes, I acknowledge I use Mozy. I use it for limited and personal backups only. I use it for immediate offsite backups of a few key chunks of data that I also backup via other mechanisms. I.e., if Mozy disappears tomorrow, all I’ve lost is a bit of convenience – not my data.)

In addition to the plethora of traditional Internet based companies that are ramming cloud down our throats every spare moment, lots of “traditional” IT companies are banging on about cloud computing in the most obnoxiously hyped up ways these days. EMC falls heavily into that camp. So does IBM. So does Microsoft. Indeed, it seems impossible to find a company these days that isn’t willing to jump up and down shouting “us too, us too, look at us, we do cloud! Our clouds are ever so pretty and oh so reliable!”

Thin provision this. OpEx vs CapEx that. Data replication that. Anywhere access it all. It brings a little lump of bile to the back of my throat every time another vendor jumps up and down about cloud. It’s all a load of hype.

You want thin provisioning? That’s called virtualisation – or at a pinch, blade servers – and paravirtualisation. You want OpEx vs CapEx? Charge-out for processor cycles used has been around in the mainframe world since practically the year dot (IT wise). You want replication? That’s been around for ages too. You want internet available data? Um, yeah, that’s been around for a while as well.

You want to pay an extra 50% to 100% and have a buzzword compliant “Cloud” sticker on it? Excellent! I have a bridge I want to sell you with your leftover budget.

If that all came across as me jumping up and down on top of a soap box, you’d probably be right. Sometimes it seems that the only person of senior ranks in the IT industry with the chutzpah to tell the truth about cloud is Larry Ellison. And even Larry admits that cloud has reached such a level of hype that Oracle will be forced to stick some buzzword compliant stickers on their marketing material as a result.

So what does this have to do with Sidekick? Well, everything.

Despite what some pundits would tell you as they desperately scramble to protect the “good name” of cloud from yet another tarry lining, sidekick is cloud. Sidekick was in fact cloud at its strongest level of hubris. Data in the cloud with no ready provisioning for seamless local backup and restore. Cloud goes, data goes. It’s that simple. You couldn’t get a more buzzword compliant appearance of cloud than that.

Now I know that people will leap to the defense of cloud and say “well, it’s not the cloud fault, but the implementation fault – they didn’t understand ILP properly”, for instance. There’s a level of truth in that, but truth and trust don’t go hand in hand. You see, the end user doesn’t know that some vendors when they talk about cloud mean replicating, self repairing data services that are highly available. They just, thanks to all the buzz and hype generated by the industry hear “cloud” and think “wow, that’s secure!”

This isn’t a matter of truth, it’s a matter of trust. It’s a matter of a monumental breach of trust.

You see, the biggest, most misleading claim about cloud computing is that public clouds – clouds hosted by big corporates, are hosted properly and will provide high availability. We’re only barely across the starting line of companies offering cloud based services – companies that have supposedly been doing high availability themselves for ages – and yet we’re already seeing situations, time and time again, where cloud “vendors” are letting their users down. Sidekick is the latest and perhaps worst example. However, Google Mail has had systemic failures, Apple’s MobileMe has suffered issues as well – cloud failures are all around us, just waiting to be looked at.

The cloud system is hopelessly unbalanced in favour of the supplier. Massive companies with massive budgets with lots of very very small customers. So what if the cloud goes down for a few minutes – what’s a single person going to do about it?

Well, judging by the number of search hits I’ve had in the last couple of days due to a previous article I wrote about Sidekick, I have to imagine that the term class action lawsuit is springing to mind for a lot of those small and otherwise disenfranchised users.

Anyone who trusts the notion of a public cloud that doesn’t offer to seamlessly and automatically keep data locally available after the sidekick debacle is a fool.

With a bit of luck, one good thing may come out of the Sidekick debacle – the silver bullet/magic solution hype that has surrounded cloud for far too long may finally be pierced with some cold hard facts.

It’s time for people to wake up and smell the trust.

[Edit]

Current reports would seem to indicate that some, if not all of the Sidekick data may have been restored.

This this cause for celebration? For the end users, yes. Does it mean that Sidekick is trustworthy? Hell no – a significant data loss event taking such a lengthy period of time to recover is not, under any circumstances, a sign of trust.

Posted in Aside, Data loss, General Technology, General thoughts | Tagged: , , , , , | 4 Comments »

Larry Ellison vs The Cloud

Posted by Preston on 2009-10-04

This article came out on the 26th of September (US time), but since that was my birthday (27th, AU time), I feel justified in not noticing it straight away. I was otherwise occupied that day.

Nevertheless, CNET’s coverage of Larry Ellison on the cloud is worth a read. As periodic readers would notice, I don’t have a lot of time for the “cloud” concept; for the most part I equate it to The Emperor’s New Clothes. In fact, there’s a few distinctly different reasons why I dislike the cloud:

  • A lot of the hype resembles The Network Computer, previously espoused by Sun and chased as a dream that helped see them end up where they are today.
  • A lot of the remaining hype resembles things that we already to do. “Private cloud” is the biggest rip-off term I’ve ever heard in my life – vendors want to sell you private cloud computing? Unfortunately if you stick that “private cloud computing” label on “datacentre” all you’re going to do is add 20 – 50% for the cost for Buzzword Compliance.
  • The remaining hype seems to be about encouraging businesses to do things less safely. (As an example…) Sure, put all your business email and documents in Google. That never goes down.

The more I read about The Cloud, the more I’m convinced it’s The Next Buzzword. One thing I am certain of though is that Larry Ellison nails the cloud with the following quote:

“The interesting thing about cloud computing is that we’ve redefined cloud computing to include everything that we already do. I can’t think of anything else that isn’t cloud computing with all these announcements.”

In other words, people who want to be sucked in to pay an extra 30% for things they can already do within their private infrastructure, or want to push more and more of their infrastructure onto third parties whom they have little to no control over deserve all they get.

Posted in Aside | Tagged: , , | Comments Off

Mozying along

Posted by Preston on 2009-06-14

For my own personal data, I use a variety of backup and archival methods depending on the data I wish to protect. Frequent visitors to this blog will know I’m a particular fan of Time Machine – at least for my Mac OS X system drive backups. For other data drives, particularly multimedia data, I tend to stick to DVD due to relative cost vs importance of recovering quickly. I.e., burning to DVD is cheaper than maintaining backup hard drives, and I don’t need to recover such data quickly enough to justify not doing the disk swapping associated with DVD-recovery.

Then there’s the critical data – the data whose backups I want offsite for maximum protection. Source code, manuscripts, financial data, etc.

For that, I’ve been using Mozy for the last 6 months or so, and I have to say I’m pretty impressed with it. For the most part, I’m not a fan of cloud based backups – this however is a geographic decision. Compared to other countries, such as the United States, Australian ISPs charge an exorbitant amount of money for bandwidth. Admittedly at the higher end of the price scale, my ISP charges me $160 per month for a fixed IP address with 60GB/month transfer. Thus, doing large scale backup or recovery “to/from the cloud” for me, personally, is financially insane.

For key files and data though, it’s perfect.

From the perspective of getting your backup done, Mozy is:

  • Set and forget/fully automated
  • Easily controlled
  • Permits scheduled and user-initiated backups

Now, Mozy is an inclusive rather than exclusive backup program – meaning you have to tell it what you want backed up, rather than what you don’t want backed up. In enterprise software, this would be utterly unacceptable; for something that uses up your download/upload limits though, this is entirely appropriate. It makes you think about what you really need to protect via immediate offsite backups, and what you can protect other ways.

Recoveries – the most important factor – can be facilitated in one of three ways:

  • Client (i.e., local machine) user initiated GUI;
  • Account (web-login) initiated recovery, with notification when an archive of your requested files are ready to download;
  • Mail-out of media for larger recoveries (separate charge).

The obvious advantage of this is that if your systems are completely wiped out, you don’t even need to install Mozy on any temporary machine to restore your data – you can kick it off from your web login to the site. You could even, if you want to, use Mozy online to retrieve files backed up in one location simply because you need to access them elsewhere. While it’s not really designed as a sync-to-cloud service, it can be useful in a pinch.

Files are compressed, then encrypted during the backup process, making for a reasonably secure backup process that attempts to use as little bandwidth as possible.

I have to say, the level of support is pretty good, too. While still on the trial account (limited to 2GB of data), I encountered a problem where I could restore data via the web service, but not through the local GUI. The case was held open until a solution was found, even though that took about a month, with quite a few emails back and forth. The staff I dealt with were all pretty knowledgeable – something that’s a nice plus.

Is it for everyone? Probably not – I’d never say that any backup product, regardless of whether it’s enterprise, workgroup or personal, is out of the box suitable for every single person or company’s needs. However, it’s certainly solid, and thus if you’re looking for a cloud based backup for your personal data, I’d recommend you give Mozy a go.

Posted in Aside | Tagged: , , | 2 Comments »

 
Follow

Get every new post delivered to your Inbox.