On 12-February-2012, the NSF (National Science Foundation) released a report on cloud computing research.  The NSF calls cloud computing a vital area in which to continue research investments.  Among the topics highlighted by NSF:

1. Cloud Architectures and Systems
2. Network Support for Clouds
3. Data Portability, Consistency, Availability, and Management
4. Programming Models for Clouds
5. Fault Masking in the Clouds
6. Cloud Security, Privacy,and Auditing
7. Cloud Debugging, Certification, Diagnosis,and Update
8. Cloud Self-Monitoring and Autonomic Control
9. Cloud Inter-Operability and Standardization
10. Green Clouds
11. Cloud test beds
    

From an architecture perspective, the report mentions Nebula.  "The NEBULA architecture achieves the three security properties of confidentiality, integrity and availability using a system approach."  This approach is supported by my dissertation research using the systems approach to design confidentiality and integrity into cloud based systems, specifically with respect to data privacy, authentication, and authorization.

The entire NSF report is available here: http://www.nsf.gov/pubs/2012/nsf12040/nsf12040.pdf
/jd

What kind of skills will you need to be competitive in the cloud computing environment? 

CIO has an article about what changes may occur and the skills required to be a technically effective in the cloud computing domain. 

I summarized the key points below:

1. Application Developers - learn new APIs, Non-relational DBs
2. Systems Administrators - less about running server, more about running environment
3. Architects - Bring together knowledge of cloud computing, enterprise architecture, storage, networking and virtualization
4. Capacity Planners - shorter forecast, quicker turnaround
5. Vendor Managers - Different cost models, contracts impact pricing

The gaping hole they overlooked is the "applications administrator" type role.  This the squishy layer between infrastructure maintained by traditional systems administrators, but not really managed by programmers and developers.  The role has emerged as applications administrator or middleware applications support.  The boundaries vary depending on the IT shop, skillset, management preferences, etc, but the role exists. 

Looking forward to the cloud this role will likely expand.  The ability to understand the complexities of interfaces, platforms, transactions, and data design within cloud systems will be a valuable skill to have.

Another omission from the article is security skills for the cloud.  Study after study details the caution of moving to the cloud due to security concerns.  Understanding penetration, vulnerabilities, and appropriate defenses is critical to designing and maintain cloud systems.

Finally, the cloud may be one of the more accessible technologies to learn.  The characteristics of accessibility and elasticity of the cloud lend themselves to training as well.  As mentioned in the article, a great way to learn about the cloud is find a cloud provider (AMZ, Rackspace, Eucalyptus, etc) and fire up some cloud systems.  Practice scripting, management, turning, and support on these systems at a relatively low cost (free in some cases).

Interesting draft from NIST on Security and Privacy Guidelines for Cloud Computing.  Researchers have found that "organizational identification and authentication framework may not naturally extend into the cloud and extending or changing the existing framework to support cloud services may be difficult." (Chow et al., 2009)

One alternative is to create a new "cloud" identity system.  Given the current state of information technology investment, it will likely be a "hard sell" to design, build, and support a second identity management system.  Another alternative is to adopt a combination of eXtensible Access Control Markup Language (XACML) and Security Assertion Markup Language (SAML).  The latter provides a secure mechanism to exchange "assertations" for authentication.  The former (XACML) offers the capability for a  cloud provider to control access to cloud resources in a standard/non-proprietary fashion.

The guideline paper concludes with this thought: "Many of the features that make cloud computing attractive can also be at odds with traditional security models and controls."

Source: NIST Guidelines on Security and Privacy in Public Cloud Computing

Brooks International has a good list of cloud computing events in 2012. 

Top Cloud Computing Events and Conferences

Events Scheduled for 2012
Cloud Expo 2012 – June 11-14- NYC – http://cloudcomputingexpo.com/

CLOUDCON 2012 – February 13-16, 2012 – Santa Clara, CA – http://www.cloudconnectevent.com/santaclara/

ICNC 2012 – January 30- February 2 – Maui, HI – http://www.conf-icnc.org/

CloudCon Expo – July 11-13, 2012 – San Francisco, CA – http://www.cloudconexpo.com/

Cloud Security Alliance Innovation Conference 2012 – January 26 – Silicon Valley, CA – https://cloudsecurityalliance.org/events/csa-innovation-conference-2012/

Cloud Identity Summit 2012 – July – Vail, CO – http://www.cloudidentitysummit.com/

IDGA 3rd Annual Cloud Computing for DoD & Government – February 21-23 – Washington DC – http://www.cloudcomputingevent.com/Event.aspx?id=619576

2012 Cloud Computing & Virtualization Conference & Expo – http://govcloudconference.com/Events/2011/Home.aspx

Parallels Summit 2012 – Profit from the Cloud – February 14-16 – Orlando, FL – http://www.parallels.com/summit/2012/

Cloud Fair Conference 2012 – April 17 – 19, 2012 – Seattle, WA – http://www.cloudfairconference.com/

Cloud/Gov 2012 – February 16, Washington DC – http://www.siia.net/cloudgov/2012/

Remaining 2011 Events

UP 2011 – Cloud Computing Conference – Mountain View, CA- December 5-9 – http://up-con.com/

CloudBeat2011 – November 30- December 1 – Redwood City, CA – http://venturebeat.com/events/cloudbeat2011/ CIO

Cloud Summit 2011 – December 8-9 – Scottsdale, AZ – http://www.ciocloudsummit.com/

Cloud Security Alliance Congress 2011 – November 16-17 – Orlando, FL – http://www.misti.com/default.asp?page=65&Return=70&ProductID=4985&LS=cloud

CloudCamp 2011 – November 19 – Chicago, IL – http://www.cloudcamp.org

If you would like to add your event to our list please contact [email protected].
Source: http://blog.brooksinternational.com/top-cloud-computing-events-and-conferences/

CIO Magazine reports:
Cloud computing, security and the mobile space hold the most growth potential in the coming years, according to IT professionals surveyed by tech staffing firm Modis.

No kidding?
Efficient (and/or affordable), secure, accessible.  I don't really see anything new here.  We did not need a new study to confirm these are potential growth areas.  One can look at the recent and current strategic plans of the FedGov, DoD, and industry leaders to confirm.

Read entire CIO article: http://www.cio.com/article/693125/Study_IT_s_Future_Lies_with_Cloud_Computing_Security_and_Mobile?source=CIONLE_nlt_insider_2011-11-07

John Roberts and Wasim Al-Hamdani presented on cloud security in the InfoSecCD '11 Proceedings of the 2011 Information Security Curriculum Development Conference.
Interesting resources in the bibliography section:

1. Y. Chen, V. Paxson, and R. Katz. What's New About Cloud Computing Security? Technical Report UCB/EECS-2010-5, Berkeley, 2010  
2. Pianese, F., Bosch, P., Alessandro, D., Janssens, N., Stathopoulos, T., and Steiner, M. 2010. Toward a Cloud Operating System. Network Operations and Management Symposium Workshops (NOMS Wksps).  
3. Jensen, M., Schwenk, J., Gruschka, N., and Iacono, L. 2009. On technical Security Issues in Cloud Computing. IEEE International Conference on Cloud Computing.  
4. Geer, D. 2009. The OS Faces a Brave New World. IEEE Computer Society Volume 42, issue 10 p. 15--17.  
5. Ertaul, L. and Singhal, S. 2009. Security Challenges in Cloud Computing. California State University, East Bay. Academic paper http://www.mcs.csueastbay.edu/~lertaul/Cloud%20Security%20CamREADY.pdf  
6. T. Ristenpart, E. Tromer, H. Shacham, and S. Savage. "Hey, You, Get Off of My Cloud! Exploring Information Leakage in Third-Party Compute Clouds." ACM CCS 2009  
7. A. Cavoukian, "Privacy in the clouds", in Springer Identity in the Information Society, Published online: 18 December 2008. http://www.ipc.on.ca/images/Resources/privacyintheclouds.pdf
   
   Source: http://dl.acm.org/citation.cfm?id=2047458&CFID=57421764&CFTOKEN=12463119
   

Ariel Tseitlin and Yury Izrailevsky from Netflix share their approach to cloud adoption using "Simian Army" suite of tools.
Below are the definition of the various tools Netflix engineers created:

Chaos Monkey, a tool that randomly disables our production instances to make sure we can survive this common type of failure without any customer impact.

Latency Monkey induces artificial delays in our RESTful client-server communication layer to simulate service degradation and measures if upstream services respond appropriately. In addition, by making very large delays, we can simulate a node or even an entire service downtime (and test our ability to survive it) without physically bringing these instances down. This can be particularly useful when testing the fault-tolerance of a new service by simulating the failure of its dependencies, without making these dependencies unavailable to the rest of the system.

Conformity Monkey finds instances that don’t adhere to best-practices and shuts them down. For example, we know that if we find instances that don’t belong to an auto-scaling group, that’s trouble waiting to happen. We shut them down to give the service owner the opportunity to re-launch them properly.

Doctor Monkey taps into health checks that run on each instance as well as monitors other external signs of health (e.g. CPU load) to detect unhealthy instances. Once unhealthy instances are detected, they are removed from service and after giving the service owners time to root-cause the problem, are eventually terminated.

Janitor Monkey ensures that our cloud environment is running free of clutter and waste. It searches for unused resources and disposes of them.

Security Monkey is an extension of Conformity Monkey. It finds security violations or vulnerabilities, such as improperly configured AWS security groups, and terminates the offending instances. It also ensures that all our SSL and DRM certificates are valid and are not coming up for renewal.

10-18 Monkey (short for Localization-Internationalization, or l10n-i18n) detects configuration and run time problems in instances serving customers in multiple geographic regions, using different languages and character sets.

Chaos Gorilla is similar to Chaos Monkey, but simulates an outage of an entire Amazon availability zone. We want to verify that our services automatically re-balance to the functional availability zones without user-visible impact or manual intervention.

I like the approach of the Simian Army to simulate failures and keep systems healthy, responsive, and available.  Two follow-on thoughts:

1. Is the Simian Army a suite of COTS tools, homegrown scripts, or a combination of COTS customized.
2. What are the results of testing and simulation using these tools?

Would be great to see this in a case study format or detailed journal paper.
Entire post (Netflix) - http://techblog.netflix.com/2011/07/netflix-simian-army.html?m=1

National Institute of Standards and Technology cloud computing standards roadmap released Sept. 13.