Tag Archives: virtual machines

Primary Server Virtualization Hypervisors

Server virtualization is perhaps not as pervasive as many believe, and customers are not as locked into any particular hypervisor as many companies peddling this magic software layer might hope.

This info comes from the latest V-Index survey from Veeam Software, a maker of add-on management tools for VMware’s ESXi hypervisor, which is conducted on a quarterly basis in the US, UK, France, and Germany.

The survey only talks to fairly large companies – those with 1,000 or more employees. About a third of the companies surveyed had more than 3,000 employees. Veeam surveys not merely its own customer base, but rather server shops at large, which also run other hypervisors.

In the September V-Index, 86.5 per cent of the 578 organizations that participated in the poll had some sort of server virtualization in their data centers. And across all enterprises, including those who did not have server virtualization at all, an average of 38.9 per cent of servers were virtualized, and they had an average of 701 servers in their data centers.

From the looks of the data, only x86 servers and hypervisors were part of the survey. This is a serious shortcoming, considering how much Unix and proprietary gear is still out there among large enterprises.

Just for fun, the V-Index survey asks companies how many physical servers and virtual machines they have, and then asks separately what consolidation ratio they are attaining on their machines. With the former, you can calculate the actual consolidation ratio, and the latter is – at least according to Veeam – the perceived consolidation ratio, which usually turns out to be higher than the actual consolidation ratio in the V-Index survey.

Across the four geographic regions and all the companies surveyed, the perceived consolidation ratio was 9.8 virtual machines per physical machine. But if you do the math and calculate the actual consolidation ratio, companies are actually squeezing only 5.1 virtual machines per host on average.

It could just be that some IT managers garbled their responses and have screwed up the data, but perhaps Veeam is on to something.

The penetration of various hypervisors on x86-based servers depends on whether virtualization is being used to run virtual desktop infrastructure (VDI) or more traditional server workloads.

On traditional server stuff, VMware still rules, with 67.6 per cent of those companies that have hypervisors saying that one or another flavor of ESX Server or ESXi is their primary hypervisor, with only 14.4 per cent going for XenServer from Citrix Systems, and 16.4 per cent opting for Hyper-V from Microsoft. Red Hat’s KVM is tossed into the Others category, which accounted for a meager 1.6 per cent.

When you shift to talk about hypervisors running on servers to specifically stream VDI desktops, then XenServer is cited by 24.9 per cent of shops as their primary hypervisor, Hyper-V by 20.3 per cent, and ESX by 54.2 per cent.

Now here’s the interesting bit: 38 per cent of companies using virtualization for traditional workloads say they are planning to change their hypervisor during the next year.

The cost of the current hypervisor platform was cited as the main reason for the jump by 58.9 per cent of the jumpers, with nearly half saying that they didn’t like their current vendor’s licensing model, that they did like the features offered by alternative suppliers, or that the alternatives had matured enough that they could contemplate making a shift. While VMware was not mentioned specifically by name as the one that companies were thinking about ditching, KVM, Hyper-V, and XenServer have been in catch-up mode for a while, and have largely caught up.

But of course, VMware is focused on cloud fabrics and infrastructure and platform clouds, areas in which Citrix, Microsoft, and Red Hat are playing catch-up.

Author: Timothy Prickett Morgan
Source

Virtual Machines Can Boost Cloud Security

While conventional wisdom says virtualized environments and public clouds create massive security headaches, the godfather of Xen, Simon Crosby, says virtualization actually holds a key to better security.

Isolation — the ability to restrict what computing goes on in a given context — is a fundamental characteristic of virtualization that can be exploited to improve trustworthiness of processes on a physical system even if other processes have been compromised, says Crosby, a creator of the open source hypervisor and a founder of startup Bromium, which is looking to use Xen features to boost security.

If the virtual machine manager (hypervisor) can help isolate functions carried out on a system and thereby reduce the risk that an attack successful against one function can spread, that improves the trustworthiness of those other processes, Crosby says in an interview with Network World.

“I think that when we look back in five years we will actually figure out that the core value of hardware virtualization is security,” Crosby says. “Actually it’s better trust or better isolation, and not all of the grandiose cases we’ve come up with for virtualization today. So that even in the cloud the primary use case for virtualization will, in five years or so, be security and security through isolation.”

Crosby was reluctant to detail how such a system would work because it is at the core of what Bromium is working on, and it doesn’t plan to reveal that until next year. But earlier this year at the Xen Developers Conference, Bromium co-founder and chairman of Xen.org Ian Pratt offered some insight.

Introspection, a feature of Xen that enables virtual machines to be inspected by another trusted VM, could help discover compromises within VMs, he says. Xen can isolate driver domains, which enhances security, Pratt says.

Crosby says this isolation is similar to what XenClient does today, enabling for instance a corporate desktop and a personal desktop on the same machine, keeping their activities securely separate. A person’s possibly risky personal behavior with the machine won’t compromise the corporate functions.

“The key point I’m trying to make is that virtualization technology in general through isolation provides you a different context in which to execute code of different trust levels,” he says.

Isolating processes more finely can boost security in public cloud environments, he says. “I think one will be to create a highly secure cloud system which can be used to deliver multilevel secure systems,” he says.

As an example he points to Intel and McAfee’s DeepSAFE technology, software that sits between the CPU and the operating system on a device, much the way a bare-metal (Type 1) hypervisor does. Its direct link to the hardware gives it a trusted position and a view into events on the machine beyond what the operating system sees, according to McAfee.

“Intel recently announced its Deep Safe technology with McAfee, a Type 1 hypervisor early load, which has a sole purpose to secure the runtime,” Crosby says. “So you start to see the specific use of virtualization security on clients. I think it will eventually be the same on server systems, too. Obviously you’ve got to get the server hypervisor to learn new things.”

He seems to suggest that linking hypervisors to trusted platform modules (TPM) that are integrated within commodity processors could yield security benefits. TPM features include storage of encryption keys as well as hardware-assisted encryption, which makes it possible to encrypt all data a business entrusts to a public cloud.

“You can encrypt it at wire speed, and there is no excuse ever for the cloud provider to manage the key,” Crosby says. “So what should happen is when you run an application in the cloud you should provide it with the key and only in the context of the running application as the data comes off some storage service is it decrypted and goes out re-encrypted on the fly. That way if somebody compromises the cloud provider’s interface or if someone walks into the cloud provider and walks off with a hard disk, then you are OK.”
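The pattern Crosby describes, a key that the tenant supplies to its running application and that the cloud provider never holds, with data decrypted only inside that application as it comes off storage and re-encrypted on the way out, as an added example in Go. This is not code from the article or from Bromium; the in-memory storage service, the key, the object names and the sample record are all constructed for the example, and the provider side is modelled as a plain map that only ever sees ciphertext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// CloudStore stands in for the provider's storage service. It stores
// opaque blobs and never receives the key. (Constructed for this example.)
type CloudStore struct {
	objects map[string][]byte
}

func NewCloudStore() *CloudStore { return &CloudStore{objects: map[string][]byte{}} }

func (s *CloudStore) Put(name string, blob []byte) { s.objects[name] = append([]byte(nil), blob...) }

func (s *CloudStore) Get(name string) ([]byte, bool) {
	b, ok := s.objects[name]
	return b, ok
}

// TenantApp is the running application that holds the key. The tenant
// injects the key at start-up; it is never written to the store.
type TenantApp struct {
	aead  cipher.AEAD
	store *CloudStore
}

func NewTenantApp(key []byte, store *CloudStore) (*TenantApp, error) {
	block, err := aes.NewCipher(key) // 16-, 24- or 32-byte AES key
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // authenticated encryption: tampering is detected
	if err != nil {
		return nil, err
	}
	return &TenantApp{aead: aead, store: store}, nil
}

// Write encrypts on the way out: a fresh random nonce per object, with the
// object name bound in as associated data so a blob copied to another name
// fails authentication when read back.
func (a *TenantApp) Write(name string, plaintext []byte) error {
	nonce := make([]byte, a.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	blob := a.aead.Seal(nonce, nonce, plaintext, []byte(name)) // nonce || ciphertext || tag
	a.store.Put(name, blob)
	return nil
}

// Read decrypts as the data comes off storage; a modified or relocated blob
// returns an error instead of plaintext.
func (a *TenantApp) Read(name string) ([]byte, error) {
	blob, ok := a.store.Get(name)
	if !ok {
		return nil, errors.New("no such object")
	}
	ns := a.aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob too short")
	}
	return a.aead.Open(nil, blob[:ns], blob[ns:], []byte(name))
}

// ProviderCanSee reports whether the stored blob contains the plaintext
// verbatim, i.e. what someone walking off with the disk would obtain.
func ProviderCanSee(store *CloudStore, name string, plaintext []byte) bool {
	blob, ok := store.Get(name)
	return ok && bytes.Contains(blob, plaintext)
}

func main() {
	key := make([]byte, 32) // tenant-generated key, constructed here
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	store := NewCloudStore()
	app, err := NewTenantApp(key, store)
	if err != nil {
		panic(err)
	}
	record := []byte("customer=acme;card=XXXX-EXAMPLE") // constructed sample record
	if err := app.Write("records/1", record); err != nil {
		panic(err)
	}
	fmt.Println("provider sees plaintext:", ProviderCanSee(store, "records/1", record))
	got, err := app.Read("records/1")
	fmt.Printf("app reads back: %q err=%v\n", got, err)
	// Simulate a compromised provider interface flipping one stored byte.
	blob, _ := store.Get("records/1")
	blob[len(blob)-1] ^= 0x01
	store.Put("records/1", blob)
	_, err = app.Read("records/1")
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The point the code makes is where the trust boundary sits: the only component that can turn the stored bytes into data is the tenant's application, so a compromised provider interface or a stolen disk yields ciphertext plus an authentication tag and nothing else. Binding the object name as associated data is the small extra step that also stops an attacker with write access to the store from substituting one tenant object for another.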

By better securing public clouds, businesses can take full advantage of the reduced costs they offer. If trust in public clouds can be established, the need for private clouds and hybrid clouds and the capital costs they imply will go away. Cloud computing will become an operational expense.

Standing in the way is fear that if data is compromised while in the cloud the event will be career-ending for those who authorize it. Also blocking the way are the demands of regulatory auditors that want businesses to be able to physically locate data. “[Y]ou can’t really state anything to a regulator in terms of the data if you can’t find the hard disk,” he says. “So how is the guy supposed to allow the data out of the data center?”

It could be shown instead that data is secure within a public cloud, meeting regulatory concerns without having to physically locate the disk containing it, Crosby says. “They could do it in a heartbeat,” he says, “if we could actually secure the regulatory frameworks for it and if we could just get the vendors to do the obvious things in terms of adopting security technologies.”

Crosby says Bromium already has a functioning version of its product and will announce it within months. “I think we’re on early in the new year,” he says. “We’re in the stage where we’re sending systems to potential early customers for them to kick around and give us feedback on.”

Author: Tim Greene
Source

Essential Cloud Security Tips

More and more enterprise IT shops – as they get comfortable with virtualization practices in their own private clouds – are considering a jump to the public cloud. But before making that leap, consider these pieces of advice from those that have already jumped.

1. Make sure your provider has VM-specific security

“Hypervisors were never really designed to be running in a public environment,” says Beth Cohen, senior cloud architect for Cloud Technology Partners, a consultancy.

That fact doesn’t necessarily stop them from being secure, Cohen says. But it does require a more elastic security strategy that can deal with the issues of virtual machines (VM) moving around the underlying infrastructure, interacting with cloud applications, and supporting multiple tenants.

Customers going into the public cloud need to understand that perimeter security – while it still needs to be in place in any virtual data center environment – isn’t going to help with the internal security of virtual machines, says Michael Berman, CTO of Catbird Networks, a vendor that focuses on virtual machine security.

Both Cohen and Berman have pointed potential cloud consumers to VMware’s vShield, which is both a product that offers integrated security services to the underlying VMware hypervisor and a set of APIs that allow third-party security vendors to build security services on top of VMware’s platform.

VMware’s Dean Coza, director of product management for security products, points out that a dozen security vendors announced products that tap into vShield to deliver virtual machine security products at last month’s VMworld conference.

But VMware is only one of the virtualization software vendors out there, and the company has said very little about how these tools will help lock down the other popular virtualization platforms from Microsoft and Citrix.


2. Figure out a way to lock down endpoints

Predictions for mobile device sales are staggering. Forrester says tablet sales will hit 208 million by 2014. Gartner contends that 1.1 billion smartphones will be sold in 2015. Enterprises moving to the cloud must brace themselves for many more of these consumer-type devices trying to get to corporate data and applications in the cloud.

“The BYOD [bring your own device] to work issue is huge because now you have devices you don’t own trying to access your data over networks that you don’t control,” says Tom Clare, senior director of product marketing at Websense, a content security vendor.

Jacob Braun, president and COO of Waka Digital Media, a managed security service provider and consultancy in western Massachusetts, says one way to help limit the number of users wanting to run personal devices on the corporate network is to set up policy roadblocks.

These include limiting what they can do on the machine while attached to the network, requiring them to pay for mobile malware protections and confiscating the device if there is a security issue.

But there are legitimate circumstances for giving upper management controlled access through the cloud. Braun’s company uses products such as Kaseya’s mobile device management module, which is part of the vendor’s overall IT System Management platform, to gain that kind of control.

Joe Coyle, CTO for Capgemini Consulting, contends that in order to effectively support mobile devices you must make sure your provider’s ID management scheme jibes with your internal one.

“They are coming in from everywhere, so if you lock them into their set roles through consistent ID management, then you have a decent shot at making sure they are not getting to data they – or their machines — don’t have rights to,” Coyle says.

3. Push your cloud provider to put security in your SLA

Standard cloud service provider service-level agreements (SLA) barely touch on security, so it’s a buyer beware kind of situation.

“Make sure your provider is willing to move well beyond simple monitoring of your service usage,” says Torsten George, vice president, worldwide marketing at Agiliance, a security vendor that offers governance, risk and compliance services.

Customers have a right to push for insight into a provider’s compliance posture, its overall security posture and how it stacks up against benchmarks for best security practices.

“Absolutely push for a custom security SLA,” says Jeremy Crawford, CTO of MLSListings, a Silicon Valley-based regional Multiple Listing Service (MLS) that supports over 5,000 brokerages and 18,000 subscribers. Crawford has negotiated security focused SLAs with three public cloud providers. He takes a look at the providers’ standard security agreement, but only consents to about 50% of the language in most cases. He pushes for more favorable language relating to visibility into the providers’ systems and sets up specific terms about shared liability should there be a breach.

“You’ve got to have teeth in the contract or you’ll have no legs to stand on if there is a data leak,” Crawford says.

4. Act quickly

Richard Rees, manager of EMC’s virtual cloud consulting services, says enterprises should move quickly on an overall strategic plan for pushing their business processes out to the public cloud in a controlled fashion. By doing so, you avoid rogue pockets of public cloud use within the company.

“I am always surprised by how quickly departmental pilot projects morph into business critical applications,” Rees says. Due to the relatively low cost of entry into most public cloud applications, the likelihood that they are being used without IT’s knowledge is pretty high.

Author: Christine Burns
Source

How Cloud Computing Will Change IT

If you came here for the article with the title, “How Cloud Computing Will Change IT”, unfortunately, it has been removed at the request of the publisher of the website from which it was obtained.

Asking me to remove it was within their rights, but I believe it was a shortsighted decision based on old media ideas about the copyright “protection” of assets and the imagined potential loss of ad revenue.

I am not competing with the publisher of “How Cloud Computing Will Change IT”. The articles here are gathered for the benefit of my clients and prospects who are trying to make a decision about cloud computing in their business. There are no competing ads here.

By asking me to remove “How Cloud Computing Will Change IT”, the publisher lessened the opportunity for the author to have his ideas more widely read and the publishing website lost the long term SEO benefit of the link from this page that was here to acknowledge the source of “How Cloud Computing Will Change IT”.

I invite you to check out these links to articles with information similar to “How Cloud Computing Will Change IT”

Virtualization Is Shaking Up Security Practices

The move to almost fully virtualized computing environments is driving a fresh approach to security in the enterprise, according to information technology security managers applying controls for VMware and Microsoft Hyper-V.

“We’re very close to being 100 percent virtualized,” says Gurusimran Khalsa, systems group supervisor in the state of New Mexico’s human services department. That organization’s servers are based on VMware’s vSphere, and a virtual desktop project is being started, too. The agency’s 170 server-based VMs (virtual machines) run in its local data center, with a range of Web applications, multi-tiered IT systems, file servers, domain servers, SharePoint, and SQL servers.

Because of a security breach that occurred a few years ago — the loss of sensitive data was considered so serious that several IT staff were laid off — the agency in Santa Fe has sought to keep a tight rein, requiring two-factor authentication to get into servers and introducing “air gaps” to protect some sensitive data. But at the time, while the benefits of virtualization, such as server consolidation, were being introduced, it wasn’t fully understood how this transformation would impact security, says Khalsa.

Increasingly, there was concern among security and compliance officers that if VMware’s vCenter management console were compromised, the game would be over. “It’s the central point of access to vCenter that manages our production environment,” says Khalsa.

To beef up controls there, the agency decided to install the HyTrust virtual appliance, which intercepts administrative requests to the virtual infrastructure to determine which requests are in line with the organization’s policies. “We have a couple of vSphere admins at a higher level of access,” says Khalsa. HyTrust can be set up to ensure only certain workloads are permitted to boot up in specific hosts or clusters, and it can label virtual objects and apply policies to them.
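The kind of control Khalsa describes, a gate in front of the management console that checks each administrative request against policy, with labelled virtual objects, placement rules restricting which workloads may boot on which hosts, and a higher privilege tier for a few administrators, as an added example in Go. This is not HyTrust’s code and says nothing about how that appliance is implemented; the request format, the label names, the administrator levels and the hosts are all constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Request is one administrative call arriving at the management console.
// Field names and operations are constructed for this example.
type Request struct {
	Admin  string // who issued the call
	Op     string // e.g. "PowerOn", "Migrate", "DeleteVM", "CloneVM"
	VM     string // virtual object the call acts on
	Target string // host or cluster the VM would run on, "" if not applicable
}

// Policy is what the gate enforces. Labels on a VM state what the host
// running it must be approved for; labels on a host state what it is
// approved for. Higher admin levels unlock more dangerous operations.
type Policy struct {
	VMLabels      map[string][]string // VM -> required labels (e.g. "pci", "air-gap")
	HostLabels    map[string][]string // host/cluster -> labels it is approved for
	AdminLevels   map[string]int      // admin -> privilege level (1 = routine, 2 = high)
	PrivilegedOps map[string]int      // op -> minimum admin level required
}

// Decision records the outcome and the first rule that decided it.
type Decision struct {
	Allowed bool
	Reason  string
}

// missingLabels returns the labels in need that are absent from have.
func missingLabels(have, need []string) []string {
	set := map[string]bool{}
	for _, l := range have {
		set[l] = true
	}
	var missing []string
	for _, l := range need {
		if !set[l] {
			missing = append(missing, l)
		}
	}
	return missing
}

// Evaluate applies the rules in order and denies on the first failure.
// Unknown administrators and unlabelled VMs are denied: the gate is
// default-deny so that an object nobody classified cannot be placed anywhere.
func (p *Policy) Evaluate(r Request) Decision {
	level, known := p.AdminLevels[r.Admin]
	if !known {
		return Decision{false, "unknown administrator " + r.Admin}
	}
	if min, privileged := p.PrivilegedOps[r.Op]; privileged && level < min {
		return Decision{false, fmt.Sprintf("%s requires admin level %d, %s has level %d", r.Op, min, r.Admin, level)}
	}
	vmLabels, labelled := p.VMLabels[r.VM]
	if !labelled {
		return Decision{false, "unlabelled object " + r.VM}
	}
	if r.Target != "" {
		if missing := missingLabels(p.HostLabels[r.Target], vmLabels); len(missing) > 0 {
			return Decision{false, fmt.Sprintf("%s is not approved for %s (required by %s)", r.Target, strings.Join(missing, ","), r.VM)}
		}
	}
	return Decision{true, "permitted"}
}

// AuditLine renders the request and decision as one log line, so every
// administrative action, allowed or not, leaves a record.
func AuditLine(r Request, d Decision) string {
	verdict := "DENY"
	if d.Allowed {
		verdict = "ALLOW"
	}
	return fmt.Sprintf("%s admin=%s op=%s vm=%s target=%s reason=%q", verdict, r.Admin, r.Op, r.VM, r.Target, d.Reason)
}

// SamplePolicy is a constructed policy used by main and the tests.
func SamplePolicy() *Policy {
	return &Policy{
		VMLabels:      map[string][]string{"vm-payments": {"pci"}, "vm-intranet": {}},
		HostLabels:    map[string][]string{"esx-pci-01": {"pci"}, "esx-gen-01": {}},
		AdminLevels:   map[string]int{"alice": 2, "bob": 1},
		PrivilegedOps: map[string]int{"DeleteVM": 2, "CloneVM": 2},
	}
}

func main() {
	p := SamplePolicy()
	for _, r := range []Request{
		{"bob", "PowerOn", "vm-payments", "esx-pci-01"},
		{"bob", "PowerOn", "vm-payments", "esx-gen-01"},
		{"bob", "DeleteVM", "vm-payments", ""},
		{"alice", "CloneVM", "vm-payments", "esx-pci-01"},
		{"mallory", "PowerOn", "vm-intranet", "esx-gen-01"},
	} {
		fmt.Println(AuditLine(r, p.Evaluate(r)))
	}
}
```

Two design choices matter more than the rule set itself. The gate is default-deny, so an object that was never classified cannot be booted anywhere until someone labels it, and every decision is written out in one line whether it was allowed or not, which is what a compliance reviewer later needs when asking who tried to do what to the production environment.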

The agency also began using the Juniper vGW Series firewall, which is based on its acquisition of startup Altor Networks last December. “The firewall is positioned between the VM and vSwitch,” says Khalsa. “It’s set up similarly to a regular firewall, with least privilege.”

While the agency still uses VLANs to cordon off some servers, the Juniper virtual gateway firewall provides far more granular controls, and has the ability to do introspection on the VMs to see what’s installed and set rules based on that, says Khalsa.

Other agencies and businesses say they also needed to look at new approaches for security in their virtualized environments.

“We’re about 80 percent virtualized,” says Rick Olejnik, chief information security officer at Brookfield, Wis.-based law firm Rausch, Sturm, Israel, Enerson & Hornik (RSIEH), which specializes in debt collection and has offices in 13 states.

One of the main concerns the law firm had was securing credit-card data in its VMware ESX server environment, even though the credit card numbers are defunct. About a year or so ago the banks and financial institutions which are RSIEH’s clientele made it clear that although these are no longer active card numbers, they still need to be protected according to the Payment Card Industry rules.

That meant encrypting them. Olejnik said that led to the decision about eight months ago to deploy the Vormetric appliance for encryption key management, along with encryption software on ESX servers to encrypt PCI data at rest, while the agent software decrypts the data to allow the application called Collection Master to access and process information.

“It’s happening at the kernel level and there have been no performance issues at all,” says Olejnik. But besides adding encryption to the virtualized computing environment, another security control at the law firm depends on using the Palo Alto Networks application-layer firewall to partition off VMs. “This allows us to do the segmentation required on our internal network,” says Olejnik.

At Wellington College just outside London, one of the main concerns had been finding a way to bring in better threat detection, rogue-device identification, access control for guests and visibility of network usage into a VMware-based ESX virtualized environment.

To that end, the college has started using ForeScout Technologies CounterACT Network Access Control Virtual Appliance, out since mid-June, to monitor the college’s VMware-based hosts. It runs as a VMware guest VM, and works in tandem with the ForeScout physical appliance. Tony Whelton, director of IT services and development at Wellington College, says the ForeScout Network virtual appliance is checking for security vulnerabilities and “doing real-time scanning across the LAN for any kind of rogue traffic.”

The California state Department of Economic Development, which administers the state’s unemployment insurance, disability and workforce services, is shifting into a Microsoft Hyper-V-based virtualized environment for servers while also becoming far more centralized than it has been in the past in terms of management.

Now past the halfway mark into a fully virtualized environment, the agency has sought to improve its collection of logging information through use of the LogLogic products, mainly for security purposes and database monitoring, says John Cleveland, chief of the security and compliance section. “You have to be able to show who accessed this table at this time, for example,” he says.

The shift to server virtualization is bringing heightened concerns about the security of the virtual host, and there are challenges in monitoring what happens from VM to VM, says Cleveland. While the agency does not yet use cloud-based services, he points out the move to virtualization makes it more possible that the agency could make use of hosted customized applications in the cloud. He says he sees a growing need for products that act as a central repository related to both security and content in a virtualized environment for compliance purposes. “I see a need to have these merged,” he says.

Source

Cloud Computing Services: Feds Get On The Bandwagon

After a delay due to a complicated vendor-authorization process, the General Services Administration (GSA) is finally offering cloud computing services via its Apps.gov website.

Federal agencies now can order from a menu of three Infrastructure as a Service (IaaS) offerings–cloud storage, virtual machines and Web hosting–from service providers that have received GSA authorities to operate (ATOs) to offer them.

It was the process of acquiring ATOs that delayed the GSA’s plans to offer IaaS on Apps.gov. But last week, GSA Portfolio Management Division Director Bill Lewis said the first services would be available in July, and, true to his word, they are.

Apps.gov on Friday was updated to provide detailed information on each service and the list of vendors providing them, in addition to stepping agencies through the ordering process. That process, however, is not exactly as easy as dragging and dropping a service into an online shopping basket, if instructions on the site are any indication.

Each service provider is offering its own cloud services and bundled pricing, and agencies can peruse the packages on offer before making a decision.

Services are billed by the month–as opposed to by the compute hour, as commercial cloud provider Amazon Web Services typically does it–and the process includes agencies getting quotes for the type of service they are looking for through the GSA eBuy system before making a purchase.

Those quotes will then be awarded to one of the ATO contractors for the service, which is responsible for contacting the agency to help staff configure and manage the service from their own website.

To be fair, Lewis said last week that the GSA is working to reduce transaction time and the complexity of purchasing cloud solutions, an endeavor that may involve the development of online tools for agencies that allow for on-demand self-service or the ability to increase or decrease the size of their purchase.

Even with the complexity, the GSA is now for the first time allowing agencies to buy on-demand computing power through service providers that already have the federal stamp of approval, which should make government adoption of cloud computing easier and more efficient.

Agencies currently can choose from five service providers offering cloud storage: Apptis, Computer Literacy World, Eyak Technology, Insight Public Sector, and Computer Technologies Consultant.

The virtual machine service provides even more choice, with 10 vendors on the list: Autonomic Resources, Carahsoft Technology, CGI Federal, Computer Literacy World, AT&T, Eyak Technology, General Dynamics, Verizon Federal, Computer Technologies Consultant, and Savvis Federal Systems.

Finally, five service providers are offering Web hosting via Apps.gov: CGI Federal, Computer Literacy World, Eyak Technology, Computer Technologies Consultant, and Savvis Federal Systems.

Source

Cloud Services Beg for Nimbler Management

Traditional systems management has been obscured in large part by the advent of cloud, where, after all, the promise is cheap, automated infrastructure you don’t have to manage, just use. But as the public cloud paradigm has proven out, more and more businesses, both small and large, want to replicate that success in their own operations.

For some small businesses, the case for cloud is pretty obvious. Chuck Spalding, a hydrogeologist with McDonald Morrissey Associates, Inc., said his firm needed to run complex calculations on data and turn it into useful models of groundwater resources. They ran simulations on their workstations, but depending on the size of the project, it could take days to crank out the end result. Spalding said they felt the pinch, and his competitors had solved the problem traditionally.

“There’s a guy who put in 94 servers in his office to do this,” he said.

Spalding had no interest in following that route; aside from the cost of buying equipment, he’d end up sinking valuable time into networking, operating and managing all those systems. Cloud computing seemed like an ideal answer.

“I’d read about GoGrid in some of our trade magazines as a way to approach this,” he said. Experimenting with GoGrid made it clear that while Spalding was trading out onsite IT chores for easy access to virtual machines, managing it by hand was still clunky.

“Say I start 50 machines,” he said. “I still have to go to each one, put in my password, upload the data and set them to run.”

Spalding is experimenting with a new breed of management tools expressly designed around the Infrastructure as a Service paradigm; he uses enStratus to automate the jobs he pushes out to the cloud. And because he has essentially unlimited capacity at his fingertips, rush jobs are now possible.

Eventually, Spalding would like to break out the cost of data processing on client invoices as a courtesy. It’s a functionality that enStratus is working on; like most cloud management tools, it started out focusing on the ability to automate basic commands to multiple cloud services from a single interface.

For those in the online world, services like RightScale and Cloudkick (now owned by Rackspace) have had time to develop those sophisticated features, whereas software tools like enStratus are developing alongside cloud interest from the enterprise perspective.

The next level of cloud management

Some services come at it from the other direction. Eric Gauthier, an IT administrator for Washington state credit union BECU (originally the Boeing Employees Credit Union), has a full plate: financial systems, business systems, office systems and outside services, like the vendors BECU uses for secure online banking for its customers. All of that needs managing, and since the bank’s IT infrastructure is about as virtualized as it gets, he’s looking at cloud computing techniques that are on the next level. Mostly, he’d like to get rid of the manual chores of managing demand.

“The middle of the month and the end of month can get very heavy for us in terms of usage,” he said.

Gauthier said it’s not a question of immediate need for something new, like Chuck Spalding’s situation; it’s about squeezing more and more automation into existing infrastructure. BECU uses workload automation tools from UC4 to manage some of its important financial systems, and Gauthier said that a new release (Automation Platform v9) from the vendor is a step in that direction.

The new software includes job scheduling, policy-based automation, analytics, support to run commands from VMware’s vCenter for his virtual machines, and other features that bump it up past ground-level systems management. More streamlined operations mean less time spent hovering over a console around the middle of every month and more time innovating.

“This is what will eventually get us to private cloud,” he said.

As cloud grows, management concerns heighten

“From a ‘how do I acquire and deploy systems’ perspective, management has become a rapidly accelerating concern,” said Dennis Drogseth, analyst at Enterprise Management Associates, “especially in terms of those involved in the role of IT and priority changes in how services are delivered.”

Drogseth recently completed new research that backs up this trend. Where the rubber meets the road for cloud in the enterprise is exactly at the level cloud computing is supposed to improve: actual day-to-day operations. EMA surveyed a swath of IT decision-makers and found that not only was cloud top of mind, it was complex and changing operational norms.

Almost 80% of the respondents said they were in the process of building hybrid models for IT services that would mix and match private infrastructure with outside services and public clouds. Almost half said that they expected cloud to bring significant changes to process flow, along with how they looked at and adopted systems management tools.

Drogseth said that this is par for the course in technology adoption. Many business users have waited out or been oblivious to the hype around cloud, but now we’re beginning to see technologies appear that are relevant to the real world and not just the online marketplace.

“Cloud seems to be accelerating the need for intelligent, top-down service management both politically and technologically, even if much of the initial hype had a sixties flavor of ‘tune in, drop out and put it in the cloud’ behind it,” Drogseth wrote in his report “Operationalizing cloud: The move towards a cross-domain service management strategy.”

Drogseth anticipates that cloud computing is going to be a robust part of the systems management marketplace in two to five years, with vendors stratifying out small and medium-sized business users with one-size-fits-all point services and larger vendors willing to engage in cross-platform, cross-cloud customization. Early efforts are certainly underway: Microsoft has pitched its new System Center Operations Manager (SCOM) as a central, single tool for everything Microsoft sells into the data center, including Hyper-V, Azure deployments and regular server management.

Meanwhile, IBM has expanded its venerable Tivoli management platform to cover VMware and other platforms and HP claims that it will deliver OpenView/Opsware-based cloud platforms. Of course, none of that is fully baked yet, with all the major vendors pointing to the end of the year and beyond for fulfillment and startups and smaller cloud management suites busily maturing. The change will be gradual but ultimately undeniable.

Source

Next Level of Virtualization Unlocks Server OS, Applications

By now, most IT professionals are familiar with server and application virtualization. But Microsoft says it’s time to get ready for the next layer: server application virtualization.

This new capability is now available in beta as part of System Center Virtual Machine Manager, and will hit general availability later this year as part of the larger System Center 2012 release, Microsoft said this week. Microsoft isn’t the first vendor to virtualize server applications, but it has done so before its rival VMware.

Just as server virtualization decouples the operating system from the server, application virtualization ratchets it up a layer and decouples the application from the operating system. This allows more flexibility in migrating, updating and recovering pieces of software.

But application virtualization has traditionally been applied only to desktop software. Server application virtualization, as you might expect, virtualizes the server application, decoupling the application configuration and state from the underlying OS. So instead of creating a virtual copy of Internet Explorer 6, for example, you’d create a virtual copy of Microsoft Exchange Server.

Why do this? Microsoft’s David Greschler, director of virtualization strategy, says that server-side applications today are tightly coupled to virtual machines, making it difficult to move applications from one VM to another, or to update the OS without affecting the application, and vice versa. If server apps are virtualized, you can update the operating system without having to worry about potentially reinstalling the application.

If the application is virtualized, IT shops can also create a few “golden images,” or generic instances of an operating system that can be applied to multiple types of applications.

“Instead of saying ‘that’s my Exchange VM’, you can say ‘I’m just going to take a generic VM with an operating system and I can plop the application into it in real time’,” Greschler says.

Many applications share the same type of OS image, and can also be more easily moved from the customer’s data center to the Windows Azure cloud service. At large scale, Microsoft officials claimed the approach can reduce management needs from thousands of specialized operating system instances to just a few generic ones that can be replicated thousands of times. On Patch Tuesday, this technology will also let IT treat the operating system and application separately, making it easier to apply security updates, Microsoft said.

Microsoft’s overarching goal is to put more focus on the application, rather than the virtual machine, which Greschler calls the “tablecloth,” while the applications are the meal on top of it. Server application virtualization can even technically be used on physical servers that don’t have a hypervisor installed, but it isn’t likely many customers would do so.

Greschler is the co-founder of Softricity, which was acquired by Microsoft in 2006. Softricity had a desktop application virtualization technology ready to go at the time of the merger, and was working on server-side app virtualization as a side project.

Microsoft’s “top priority was to make sure that App-V for desktop came out,” Greschler says. The server app tool “was just in the labs. It was just a thought, ‘well it would be cool.’”

Now it’s a reality, but in fact Microsoft isn’t the first to get here. The vendor AppZero boasts of its own server-side application virtualization technology, which can move apps across physical and virtual servers and across VMware, Xen and Hyper-V deployments.

But Microsoft is faster to market than its chief virtualization rival, VMware, which virtualizes servers and desktop apps but not server apps.

“VMware currently doesn’t support server application virtualization,” VMware confirmed.

With System Center 2012, Microsoft is expanding its ability to manage multiple hypervisors. System Center already supported Hyper-V and VMware, and the new version will, in addition, be able to manage Citrix’s XenServer.

But the tech-agnosticism doesn’t extend to the server application virtualization. So far, this just works with Windows Server, and not Linux.

“That’s a whole different architecture,” Greschler says of Linux. “The application virtualization layer is tied very much into the Windows layer, the registry, the files, all these components that Windows needs to have an app installed.”

Support for Linux is “not currently on any road map,” he says.

Source

No Need For a Cloud of Confusion

It may sound like a PR ploy, but “cloud computing” truly is a different way of using technology resources, and more firms are adopting it.

If your head hasn’t been lost up in the cirrus or cumulus, you’ve probably heard of cloud computing over the last few years.

“The cloud” has figured prominently in President Obama’s technology initiatives, in the business plans of familiar tech giants such as Google, Amazon and Microsoft, and even in a New Yorker cartoon last month — depicting a parachutist struggling to use a laptop.

It’s also been the occasional butt of skeptics, such as Oracle co-founder Larry Ellison.

“It’s databases and operating systems and memory and microprocessors and the Internet. And all of a sudden, it’s none of that — it’s ‘the cloud,’” Ellison said — in a speech you can still pull down from the YouTube section of the cloud.

Oracle now offers “Premier Cloud Services,” but Ellison had a point. For a decade, Oracle had rented its enterprise-resource-management system to corporate customers who didn’t want to invest in their own hardware, software and IT personnel — a key advantage of using the cloud. So had other firms that pioneered “software as a service,” one of the buzz phrases of the cloud era.

Not a ploy

Still, that doesn’t mean cloud computing is a nebulous idea or marketing ploy. Advocates such as Patrick Harr, Hewlett-Packard’s vice president of global cloud strategy, argue that recent technological and business developments make “the cloud” a truly different way of using computer resources.

“The cloud is the great equalizer,” Harr said in an interview. It offers companies and consumers access to user-friendly services that might otherwise require large expenses for software, hardware and training. And that access can often be available from anywhere on the Internet.

For businesses, it also offers access to resources that otherwise would be unthinkable.

Harr said DreamWorks Studios uses HP’s cloud services for rendering films — the hugely data-intensive process that brings together all of the digital elements of a full-scale animation. Even with powerful computers, rendering a segment of a movie can take days, he said.

“If I’m generating a new movie, I only do this once or twice a year,” Harr said. “As a company, I don’t want to go out and buy thousands of servers for that.” Thanks to HP’s cloud services, DreamWorks doesn’t have to.

If you are still confused, here are answers to some basic questions.

What is cloud computing?

Ellison isn’t wrong: It’s databases, operating systems, memory, microprocessors and the Internet, all rolled into a package. But with the cloud, the whole really is greater than the sum of the parts.

Harr said two key advances distinguish cloud computing from earlier versions of remote hardware and software rental and mark “a fundamental technological shift.”

One is “multi-tenancy,” in which many businesses can take simultaneous advantage of a huge pool of powerful resources such as HP’s tens of thousands of servers. A small business might just require a tiny portion of resources — perhaps just a section of a single server that hosts a dozen “virtual machines,” each emulating a stand-alone computer. A large business might use hundreds of servers.

The other key is automation of crucial tasks, such as responding to a sudden need for extra resources. With in-house technology, a retailer might be overwhelmed by a holiday surge in demand, or a media company by a video that goes viral and generates millions of hits. With the cloud, extra resources can be deployed rapidly and seamlessly.

Who offers cloud services?

The list is long and growing. It’s headed by giants such as Google, HP and Amazon, but includes niche providers as well — sometimes via partnerships between software and hardware companies.

Microsoft CEO Steve Ballmer was in Malvern, Pa., last week to launch a new Microsoft Technology Center, a 17,500-square-foot facility that includes a server farm and is part of the software giant’s cloud-centric strategy.

“When you use a cloud-based service, there’s nothing you have to install or deploy,” said Karen Del Vescovo, Microsoft’s district general manager. “This provides you access to the information and the backup from anywhere.”

Microsoft says 70 percent of its software developers are working on cloud-related products and services — a figure that will rise to 90 percent within a year.

Who uses the cloud?

Consumers who use Gmail or other Web-based mail services are essentially cloud users. So are interactive gamers or people who use photo services like SnapFish or Flickr, which provide anywhere, anytime access to your digital pictures, even at Grandma’s.

For now, old habits and computers still bundled with e-mail and document software may keep consumers using traditional programs. But small businesses increasingly see value in the cloud as a way to control information-technology expenses — and headaches.

Swedesboro, N.J.-based L&L Kiln Manufacturing Inc. and a sister company use Intuit’s QuickBase for database services, Batchbook for contact management, and Google’s Gmail and Google Docs for e-mail and document management, all at an annual cost of about $3,600.

L&L President Stephen Lewicki said the services have improved workflow and collaboration. But he also says much of the benefit is indirect and intangible — including a reduction in technology hassles at businesses where few employees have high-tech skills.

“There are certain things that I can do in the cloud that are much more efficient,” Lewicki said. “And it never breaks, so I never have to worry about it.”

Source

Spotting Virtual Intruders

Researchers propose using hacker tactics to secure cloud computing systems.

Handing sensitive data over to a cloud computing provider makes many companies skittish. But new software, called HomeAlone, could help them come to terms with using such services.

Cloud computing can save companies money by providing inexpensive, flexible storage and processing resources that are managed for them. All the same, many companies remain hesitant to turn their data over to a third party.

Cloud computing platforms provide a single point of entry for large amounts of company data, and providers often host customers’ data in virtual environments that span many different machines. Researchers say this architecture could be exploited to gain access to private data.

Some organizations, such as NASA, demand that cloud providers store their data on machines that no one else uses. But even that is not enough of a guarantee for some. Until now, it’s been almost impossible to verify that sensitive data is indeed isolated.

HomeAlone, which will be presented in May at the IEEE Symposium on Security and Privacy, takes a first step toward assuring companies that their data is secure. The software lets companies that ask for their data to be stored in physical isolation to verify that it is, in fact, alone on a server.

Michael Reiter, a professor of computer science at the University of North Carolina who was involved with the work, says he and his collaborators chose to support the most extreme case—where data and processing are so sensitive they must be separated from everyone else’s.

Cloud computing companies use virtual machines so that software can run on any piece of hardware. Multiple virtual machines can run on the same server, but it’s hard for a customer to know when this is occurring. So cloud customers have been unable to tell whether their data is at risk or may have been compromised.

“People now trust the cloud provider to configure the computing environment correctly based on the service-level agreement, but there’s no way to verify that,” says Alina Oprea, a research scientist at RSA Laboratories who was involved with the work. HomeAlone can confirm that data is alone on a server without requiring cooperation from the cloud provider. It detects the presence of any unexpected virtual machines on the server, whether those are attackers trying to steal data or simply virtual machines that have ended up there by mistake.

HomeAlone borrows techniques that are more commonly used by attackers, detecting the presence of other virtual machines on a server via what are known as “side channels.” Side channels are the byproducts of running software: power usage data or the pattern in which software accesses temporary storage.

HomeAlone watches for unexpected use of a part of the memory called the cache—a sign that an unauthorized virtual machine is present. The software coordinates the activity of legitimate virtual machines so that a randomly selected part of the cache goes quiet; if there’s another virtual machine present, it gives itself away by continuing to use that portion of the cache.

HomeAlone can detect unexpected virtual machines at a rate of 80 percent or better, with about 1 percent false positives. But aggressively malicious virtual machines are even more likely to be detected because they will be more actively using the cache.
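The detection idea described above (silence a randomly chosen cache region, then see whether something else keeps evicting from it) as an added toy simulation; this is constructed illustrative code, not the HomeAlone prototype. It assumes an abstract LRU cache of CACHE_SETS sets by WAYS lines, friendly VMs that honour the "stay off this set" request, and a foreign VM that does not; a real implementation would infer evictions from memory access timing instead of inspecting the cache directly.

```python
"""Toy model of HomeAlone-style co-residency detection (constructed example).
Cache geometry, VM behaviour and the threshold are assumptions, not values
from the paper; eviction is observed directly rather than timed."""
import random

CACHE_SETS = 64   # constructed: number of cache sets in the toy model
WAYS = 4          # constructed: lines per set
WINDOW = 100      # memory accesses each VM makes during one quiet window


class ToyCache:
    """LRU cache: each set holds at most WAYS tags, most recently used last."""

    def __init__(self):
        self.sets = [[] for _ in range(CACHE_SETS)]

    def access(self, set_idx, tag):
        lines = self.sets[set_idx]
        if tag in lines:
            lines.remove(tag)
        elif len(lines) == WAYS:
            lines.pop(0)          # evict the least recently used line
        lines.append(tag)


def quiet_window_evictions(cache, quiet_set, n_friendly, foreign_present, rng):
    """Prime quiet_set, let the VMs run, return how many primed lines got evicted."""
    probe_tags = [("probe", w) for w in range(WAYS)]
    for tag in probe_tags:                    # fill the quiet set with our lines
        cache.access(quiet_set, tag)
    other_sets = [s for s in range(CACHE_SETS) if s != quiet_set]
    for vm in range(n_friendly):              # coordinated VMs avoid the quiet set
        for i in range(WINDOW):
            cache.access(rng.choice(other_sets), ("vm", vm, i))
    if foreign_present:                       # an uncoordinated VM touches any set
        for i in range(WINDOW):
            cache.access(rng.randrange(CACHE_SETS), ("foreign", i))
    return sum(1 for tag in probe_tags if tag not in cache.sets[quiet_set])


def detect_foreign_vm(n_friendly=3, foreign_present=False, rounds=50,
                      threshold=0.25, seed=7):
    """Return (detected, mean evicted probe lines per round); detection means
    the mean exceeds threshold. Legitimate noise sources (e.g. the hypervisor
    itself) would raise the no-foreign baseline and must be calibrated out."""
    rng = random.Random(seed)
    cache = ToyCache()
    total = 0
    for _ in range(rounds):
        quiet_set = rng.randrange(CACHE_SETS)  # new random quiet set each round
        total += quiet_window_evictions(cache, quiet_set, n_friendly,
                                        foreign_present, rng)
    mean = total / rounds
    return mean > threshold, mean
```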

Bryan Ford, an assistant professor at Yale University who studies decentralized and distributed computer systems, has previously shown that attackers can use side channels to get useful information about the virtual machines running on a shared server—potentially even passwords.

Ford says the amount of information that can be gained from side channels illustrates why companies are right to be nervous about cloud computing. Cloud providers often don’t know what the virtual machines they host are doing, he says, and they don’t want to assume responsibility. Using side channels as a defensive measure is a promising approach, he says, but it could lead to an “arms race that can’t be won.” In other words, attackers might get better at hiding or find new ways to use the side channels against the defenders.

HomeAlone can help only those cloud computing customers who require that their data be physically isolated. “This is not a solution to cloud security en masse,” Reiter says. A lot of work remains to be done to provide similar assurances to other customers.

The researchers are developing a prototype, Oprea says, and the next step is to make the system run on a commercial cloud computing platform to show that it works in practice.

Source