Larry Ellison, CEO of Oracle just announced that Oracle was launching a brand new cloud computing service. Think for a minute how profound this is given Ellison's resistance to cloud computing since 2008.
In 2008, Ellison had some sharp words about the subject:
"The interesting thing about cloud computing is that we've redefined cloud computing to include everything that we already do. I can't think of anything that isn't cloud computing with all of these announcements. The computer industry is the only industry that is more fashion-driven than women's fashion. Maybe I'm an idiot, but I have no idea what anyone is talking about. What is it? It's complete gibberish. It's insane. When is this idiocy going to stop?"
In contrast, Vivek Kundra, CIO of the U.S. Federal Government was an advocate of cloud computing, “I believe it's the future," he says. "It's moving technology leaders away from just owning assets, deploying assets and maintaining assets to fundamentally changing the way services are delivered“ (CIO, 2008).
The excerpts above were from my ACM and ISE Security award nominated dissertation research posted here: http://scholars.indstate.edu/handle/10484/2031
On 12-February-2012, the NSF (National Science Foundation) released a report on cloud computing research. The NSF calls cloud computing a vital area in which to continue research investments. Among the topics highlighted by NSF:
From an architecture perspective, the report mentions Nebula. "The NEBULA architecture achieves the three security properties of confidentiality, integrity and availability using a system approach." This approach is supported by my dissertation research using the systems approach to design confidentiality and integrity into cloud based systems, specifically with respect to data privacy, authentication, and authorization.
The entire NSF report is available here: http://www.nsf.gov/pubs/2012/nsf12040/nsf12040.pdf
What kind of skills will you need to be competitive in the cloud computing environment?
CIO has an article about what changes may occur and the skills required to be a technically effective in the cloud computing domain.
I summarized the key points below:
The gaping hole they overlooked is the "applications administrator" type role. This the squishy layer between infrastructure maintained by traditional systems administrators, but not really managed by programmers and developers. The role has emerged as applications administrator or middleware applications support. The boundaries vary depending on the IT shop, skillset, management preferences, etc, but the role exists.
Looking forward to the cloud this role will likely expand. The ability to understand the complexities of interfaces, platforms, transactions, and data design within cloud systems will be a valuable skill to have.
Another omission from the article is security skills for the cloud. Study after study details the caution of moving to the cloud due to security concerns. Understanding penetration, vulnerabilities, and appropriate defenses is critical to designing and maintain cloud systems.
Finally, the cloud may be one of the more accessible technologies to learn. The characteristics of accessibility and elasticity of the cloud lend themselves to training as well. As mentioned in the article, a great way to learn about the cloud is find a cloud provider (AMZ, Rackspace, Eucalyptus, etc) and fire up some cloud systems. Practice scripting, management, turning, and support on these systems at a relatively low cost (free in some cases).
Interesting draft from NIST on Security and Privacy Guidelines for Cloud Computing. Researchers have found that "organizational identification and authentication framework may not naturally extend into the cloud and extending or changing the existing framework to support cloud services may be difficult." (Chow et al., 2009)
One alternative is to create a new "cloud" identity system. Given the current state of information technology investment, it will likely be a "hard sell" to design, build, and support a second identity management system. Another alternative is to adopt a combination of eXtensible Access Control Markup Language (XACML) and Security Assertion Markup Language (SAML). The latter provides a secure mechanism to exchange "assertations" for authentication. The former (XACML) offers the capability for a cloud provider to control access to cloud resources in a standard/non-proprietary fashion.
The guideline paper concludes with this thought: "Many of the features that make cloud computing attractive can also be at odds with traditional security models and controls."
Source: NIST Guidelines on Security and Privacy in Public Cloud Computing
Brooks International has a good list of cloud computing events in 2012.
Top Cloud Computing Events and Conferences
Events Scheduled for 2012
Cloud Expo 2012 – June 11-14- NYC – http://cloudcomputingexpo.com/
CLOUDCON 2012 – February 13-16, 2012 – Santa Clara, CA – http://www.cloudconnectevent.com/santaclara/
ICNC 2012 – January 30- February 2 – Maui, HI – http://www.conf-icnc.org/
CloudCon Expo – July 11-13, 2012 – San Francisco, CA – http://www.cloudconexpo.com/
Cloud Security Alliance Innovation Conference 2012 – January 26 – Silicon Valley, CA – https://cloudsecurityalliance.org/events/csa-innovation-conference-2012/
Cloud Identity Summit 2012 – July – Vail, CO – http://www.cloudidentitysummit.com/
IDGA 3rd Annual Cloud Computing for DoD & Government – February 21-23 – Washington DC – http://www.cloudcomputingevent.com/Event.aspx?id=619576
2012 Cloud Computing & Virtualization Conference & Expo – http://govcloudconference.com/Events/2011/Home.aspx
Parallels Summit 2012 – Profit from the Cloud – February 14-16 – Orlando, FL – http://www.parallels.com/summit/2012/
Cloud Fair Conference 2012 – April 17 – 19, 2012 – Seattle, WA – http://www.cloudfairconference.com/
Cloud/Gov 2012 – February 16, Washington DC – http://www.siia.net/cloudgov/2012/
Remaining 2011 Events
UP 2011 – Cloud Computing Conference – Mountain View, CA- December 5-9 – http://up-con.com/
CloudBeat2011 – November 30- December 1 – Redwood City, CA – http://venturebeat.com/events/cloudbeat2011/ CIO
Cloud Summit 2011 – December 8-9 – Scottsdale, AZ – http://www.ciocloudsummit.com/
Cloud Security Alliance Congress 2011 – November 16-17 – Orlando, FL – http://www.misti.com/default.asp?page=65&Return=70&ProductID=4985&LS=cloud
CloudCamp 2011 – November 19 – Chicago, IL – http://www.cloudcamp.org
If you would like to add your event to our list please contact Karen@brooksinternational.com.
CIO Magazine reports:
Cloud computing, security and the mobile space hold the most growth potential in the coming years, according to IT professionals surveyed by tech staffing firm Modis.
Efficient (and/or affordable), secure, accessible. I don't really see anything new here. We did not need a new study to confirm these are potential growth areas. One can look at the recent and current strategic plans of the FedGov, DoD, and industry leaders to confirm.
Read entire CIO article: http://www.cio.com/article/693125/Study_IT_s_Future_Lies_with_Cloud_Computing_Security_and_Mobile?source=CIONLE_nlt_insider_2011-11-07
John Roberts and Wasim Al-Hamdani presented on cloud security in the InfoSecCD '11 Proceedings of the 2011 Information Security Curriculum Development Conference.
Interesting resources in the bibliography section:
Ariel Tseitlin and Yury Izrailevsky from Netflix share their approach to cloud adoption using "Simian Army" suite of tools.
Below are the definition of the various tools Netflix engineers created:
Chaos Monkey, a tool that randomly disables our production instances to make sure we can survive this common type of failure without any customer impact.
Latency Monkey induces artificial delays in our RESTful client-server communication layer to simulate service degradation and measures if upstream services respond appropriately. In addition, by making very large delays, we can simulate a node or even an entire service downtime (and test our ability to survive it) without physically bringing these instances down. This can be particularly useful when testing the fault-tolerance of a new service by simulating the failure of its dependencies, without making these dependencies unavailable to the rest of the system.
Conformity Monkey finds instances that don’t adhere to best-practices and shuts them down. For example, we know that if we find instances that don’t belong to an auto-scaling group, that’s trouble waiting to happen. We shut them down to give the service owner the opportunity to re-launch them properly.
Doctor Monkey taps into health checks that run on each instance as well as monitors other external signs of health (e.g. CPU load) to detect unhealthy instances. Once unhealthy instances are detected, they are removed from service and after giving the service owners time to root-cause the problem, are eventually terminated.
Janitor Monkey ensures that our cloud environment is running free of clutter and waste. It searches for unused resources and disposes of them.
Security Monkey is an extension of Conformity Monkey. It finds security violations or vulnerabilities, such as improperly configured AWS security groups, and terminates the offending instances. It also ensures that all our SSL and DRM certificates are valid and are not coming up for renewal.
10-18 Monkey (short for Localization-Internationalization, or l10n-i18n) detects configuration and run time problems in instances serving customers in multiple geographic regions, using different languages and character sets.
Chaos Gorilla is similar to Chaos Monkey, but simulates an outage of an entire Amazon availability zone. We want to verify that our services automatically re-balance to the functional availability zones without user-visible impact or manual intervention.
I like the approach of the Simian Army to simulate failures and keep systems healthy, responsive, and available. Two follow-on thoughts:
Entire post (Netflix) - http://techblog.netflix.com/2011/07/netflix-simian-army.html?m=1