Nov 25, 2011

Update on SKYY ETF: a few months in

Now that we've got a few months of trading of the SKYY ETF under our metaphorical belt, it's interesting to see that it has dropped in price from a high of $20.58 to a low of just over $15 a share. It's currently trading at $16.97 (as of approximately 11:30 AM Eastern time on Nov. 25, 2011).

The market for cloud based services doesn't seem to be slowing down. Google insight shows that searches for IaaS and PaaS still appear to be growing though those for SaaS may be waning a bit as it is a more mature market than either of the other two.

Maybe it's related to overall global market conditions, to the state of US government finances, or to the performance of the tracked stocks but, either way, it's not looking good for SKYY or its initial investors if they held it in their portfolio beyond the first week.

Nov 23, 2011

Platform as a Service. Remember that "aaS"?

So it seems that there has been more and more interest in platform as a service (PaaS) over the past year. Developers writing code for the cloud will definitely be happy as more and more tools are launched.

Mainly, I'm curious to see the rate of adoption of the various platforms. Will it be as tentative as infrastructure as a service was, or will it be more rapid given that the market's comfort level with cloud computing in general has increased?

My personal predictions:
  1. Developers will increasingly develop true software as a service applications (SaaS) and apps for the mobile world leveraging the elasticity of the platform and infrastructure.
  2. PaaS will be the battlefield for cloud. Much like the OS wars and the browser wars, the vendor whose platform is the most leveraged or used to develop cloud based software and mobile apps will win.
  3. Mobile will be a major driver for PaaS adoption.
.NET is one of the dominant platforms, if not the dominant platform, available to developers these days. Apple has Cocoa, Sun puts out Java, and myriad other platforms like Ruby, Python, etc. are also available.

Will the winner of the PaaS war integrate multiple other languages as well, or will it force the market onto a standard offering of 1 (or 2-3) platform(s)? Will the other languages become niche platforms that smaller providers will offer?

There are many questions at this point with few answers but I suspect that the winning vendor will have to offer some options to remain relevant to the market and maintain overall leadership.

Nov 22, 2011

Innovation & Community Clouds--Part 2: Benefits of community clouds

So far, we've discussed what a community cloud looks like at a high level. In this post, we'll see a few of the benefits and take a look at a real-life example.

A community cloud, like any communal resource, is shared among stakeholders that have something in common such as regulatory requirements. This means that the cost of standing up a communal cloud versus individual private clouds can be significantly cheaper due to the division of costs among all participants. Think of it this way:
  • If organizations A, B, and C each implement their own cloud computing environment to meet regulatory requirements, and assuming that these costs are roughly the same, we have $A + $B + $C = 3x the cost.
  • However, if these organizations represent a community with common interests, then they can deploy a single cloud computing environment that meets all of their needs at some reduced cost; thus $(A, B, C) = 2x the cost of individual cloud environments (instead of 3x).
For this to work, the community needs to have some interest in its success, some skin in the game, so to speak. Joint ventures are a good example of such an arrangement. Each participant in the community contributes some consideration such as resources, funds, other assets, or some combination thereof, and ideally in equal proportions.

Another acceptable arrangement could be to outsource the management of the community cloud to a cloud provider. The advantage here is that the provider would be an impartial third party that is bound by contract and that has no preference to any of the customers involved other than what is contractually mandated.

Yet another arrangement would be for one of the participants to provide the cloud based services to its peers as a service provider. We already mentioned that the New York Stock Exchange (NYSE) is doing just that and will begin billing in a utility based billing model sometime in the near future.

One last thing that bears mention in this posting is the fact that community clouds can foster innovation. Typically, we think of community clouds as being horizontal in nature and encompassing similar organizations such as hospitals or government, for example. In fact, community clouds are not limited to horizontal integration; they can be vertically integrated like supply chains.

For example, a manufacturer produces a widget that is transported to a warehouse and distributed to retailers who then sell it to consumers. Tools residing in the community cloud can be used to leverage the information stored to serve customers and the supply chain, such as return tracking and just-in-time production and distribution. It is at this intersection of big data and tools that community clouds can really contribute to innovation.

Oct 16, 2011

Innovation & Community Clouds--Part 1: What is a Community Cloud?

In this three part series, I will provide an overview about what community cloud computing is, its benefits, and its disadvantages, and how it applies to real life examples.

We've all heard the term in passing, but, just what is community cloud computing? The NIST defines it as:
"...infrastructure [that] is shared by several organizations and [that] supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise."

Put simply, it's a shared service among a group of organizations that have similar needs or regulatory concerns. The shared service can be infrastructure (IaaS), platform (PaaS), or software (SaaS) and can be deployed in a private or hybrid model depending on the requirements and restrictions. These services are subject to the same criteria applied to cloud computing in general: broad network access to elastic pooled resources on-demand (self-service) in a utility based pricing model.

A community cloud can be created within a horizontal, in which a number of similar organizations participate (such as hospitals), or within a vertical, in which related but dissimilar organizations participate (manufacturer, transportation, wholesaler, retailer, end consumer, etc.).

Naturally, in any case where resources are shared among partners, an agreement must necessarily be in place to regulate and manage its usage. In either of the cases above, all participating organizations must agree on the nature of the services (including adherence to the strictest - often regulatory - requirements applicable to the partner organizations), how they will be shared, and on the procurement method for payment purposes.

As an example, the NYSE announced in a recent press release that it had built a cloud computing environment called the "Capital Markets Community Platform" through which they could "...enable customers to easily purchase the computing power required at a given time so they can focus on their core business strategy rather than complex IT infrastructure design and maintenance. It provides direct, on-demand access to the entire NYSE Technologies portfolio of high-performance, low-latency services..." Clearly, the NYSE and its partners and customers are constrained by security and regulatory requirements common to each of them and the service meets the NIST criteria for community cloud computing mentioned above.

In the next post, we will discuss the benefits of community clouds.

Oct 5, 2011

Takeaways from Carrier Cloud Forum @ Interop 2011

Today's takeaways from Interop 2011--Carrier Cloud Forum panel on "Building the On-Demand Cloud Infrastructure".
  • Private cloud, by definition, is not "infinitely" scalable like Amazon's EC2. The resources required to build such a solution would be prohibitive. In addition, private clouds are commonly being delivered and managed by service providers. Because of these characteristics, there are some that claim that private cloud is not truly cloud computing. Of course, managed services have been around a long time and there are still efficiencies to be had for customers who take advantage of carriers' economies of scale and scope.
  • Why service providers, why cloud?
    • Billing is crucial: unified billing is a major advantage for carriers who offer end to end services; pipe--DC--cloud in a one-throat-to-choke model. This also allows carriers to provide contractual SLAs on the full service offering.
    • Carriers already have a critical mass of customers who can benefit from this bundling as well.
    • Cloud computing depends on the network working and carriers own the network.
  • Carriers are looking for a partner who can provide a solution that is competitive with the big technology vendors; as robust an offering but with none of the drawbacks of a large organization.
  • Cloud computing is pervasive: it is difficult to see where it starts (i.e., define its boundaries) as it encompasses mobile, web, business applications, enterprise 2.0, social media...
  • What does "enterprise grade" or "carrier grade" really mean? IaaS is usually referred to as being built on servers that do not have redundancy inherently built into them (e.g., single power source, non-RAIDed drives, etc.). Perhaps it's better to drop the "enterprise grade" and simply refer to it as "carrier grade" since carriers have historically been concerned with providing redundant services (such as telephony, internetworking), the logic being that carrier customers want the reassurance that the hardware will be tolerant to failures.

Oct 4, 2011

Misc. Tidbits from Interop 2011

This week, at Interop, I attended Private and Public Cloud Days in which speakers discussed the relative merits, drawbacks, and case studies. I've compiled a few ideas that I thought were interesting:
  • Regarding private clouds, we have commonly referred to them in the context of dev/test, but in reality, their value is much more important as a way to deliver "IT as a service".
  • Since clouds are commonly built on hardware that is not designed with redundancy in mind, cloud computing does not automatically imply redundancy. High availability is included in the architecture of your instance footprint (e.g., no IP hardcoding, no DB source hardcoding, etc.) and application(s) running on it.
  • Redundancy costs money. Because of this, your organization needs to understand its tolerance to risk (and recovery point and time objectives (RPO/RTO)) and then design to meet this tolerance level.
  • "Big data" should be actionable. Instead of thinking in terms of data, think in terms of business problems and solving those.
  • Fear of lock-in from platforms (PaaS) is irrational since programmers have been locking themselves in by the simple act of choosing a programming language.

Aug 2, 2011

More on the SKYY ETF

After giving this some thought, it occurs to me that an exchange traded fund (ETF) might not be such a great thing for cloud computing: it does nothing to advance work being done on the technical or organizational fronts. This is simply a vehicle for investors and the fund's creator, First Trust (FT), to make money while not really risking anything. In effect, the companies tracked by this ETF do not benefit from it as they would from an IPO.

FT created SKYY to capitalize on cloud computing while not actually investing in any company. I can hear all of you capitalists and free marketeers having apoplectic fits. Don't get me wrong: I understand that in a capitalist society you make money when and how you can and continue to do so for as long as possible. When it was launched, FT stood to make about $20 a share and they made their money. (SKYY is currently trading at $18.24, its lowest point since its launch on July 6, 2011.)

While the capitalist agenda resonates and makes it easy for investors to avoid risk by investing in a "diversified" fund, it does nothing to help companies and their customers who are on the forefront of the technology and business issues, confronting them on a daily basis. Dollars invested in a vaporous (pardon the pun) investment vehicle could have been spent on shares offered by the various tracked companies or, better yet, in companies that will IPO in the near future.

Leveraging someone else's work to make a dollar can be thought of as being dishonest or unethical. Yet here we are, making use of legitimate companies' efforts, without regard for the blood, sweat, and tears shed by its employees, all in the name of making a buck. Investors: put your money where it will make the biggest impact and invest in innovation. The returns for the economy will be greater.

Jul 13, 2011

SKYY: Cloud Computing ETF Basic Facts

First Trust launched the ISE Cloud Computing Index Fund (ticker symbol SKYY) on July 6, 2011.

Currently, the fund holds a position in 40 companies (see below) classified into 3 categories:
  • Technology conglomerate cloud computing companies
  • Non pure play cloud computing companies
  • Pure play cloud computing companies




(Table available at http://www.ftportfolios.com/retail/etf/ETFholdings.aspx?Ticker=SKYY, accessed July 13, 2011).

More information is available from First Trust:

Jun 28, 2011

FBI raid targeted Lulz Group?

Reports from news outlets (NY Times, CBC) suggest that the target of the FBI raid was Lulz Group, a hacker organization that is allegedly responsible for some high profile hacks such as Sony and, possibly, the CIA.

Regardless of the target, the FBI's tactics have been criticized as being heavy handed, though they may be justified in that the target was a purported hacker ring who may have had various assets stored on adjacent equipment hosted by their data center provider. While I am not a lawyer, it is incumbent on the FBI to ensure that all private information remains private and that it is not disclosed publicly, by accident or by design; the warrant should limit their investigation to information that is relevant to the target.

I will continue to look for information related to this event and will post more as it becomes available.

Jun 22, 2011

FBI raids data center in the US

Yesterday, the FBI reportedly raided a data center in Reston, Virginia (the provider is unknown at this time, but Verizon, CoreSite, Net2EZ, DFT, Quotecolo, and others have facilities in the area), as reported in the NY Times Bits blog.

The interest in the legal aspects of cloud computing has been a very important topic of discussion and debate over the past couple of years. The most obvious case is the use of the PATRIOT Act to obtain information and data from service providers and how that could impact the privacy and confidentiality of data.

The main issue with PATRIOT is that the subpoena is secret and, as such, not subject to challenge by the target, presumably to protect the nature of the investigation when ferreting out terrorists or their supporters. Every service provider/vendor I've spoken with has claimed that they will (paraphrasing) "comply with the letter of the law" while "vigorously defending their customers' rights". It is not clear which data center provider was raided, nor what their actions were (comply with defense or simply comply).

The bottom line is that the FBI used a heavy handed approach when investigating a single organization (Lulz Security group, according to the NYT). And it is this very approach that is cause for concern to foreign governments and other organizations such as financial services companies and the principal reason behind reluctance to put data in the cloud. Or anywhere in the US now.

Thanks to those who Tweeted and Retweeted about this to make us all aware of the situation. I will try to find additional information and post as it becomes available.

May 18, 2011

Follow up on Obama's Cyber Security bill

Just a quick note to say that the full text of Obama's cyber security bill is now available online.

Should be interesting to watch this develop and see how this will impact Internet business and cloud computing.

Cloud perspectives survey: private cloud computing

Just posted a short survey on private cloud computing.

I'm interested to know more about the different perspectives on private cloud computing throughout organizations, from the corner office down to Individual Contributors who are the backbone of any organization.

The survey itself shouldn't take more than 10-15 minutes to complete and, if you provide your email address at the end of the survey, I will send you a free copy of the report for your private use.

So please head over to the survey and fill it out!

Thanks!

May 16, 2011

Shouldn't companies WANT to protect their assets?

Last week, CNET reported on the White House's proposed cyber security law "[that is] designed to force companies to do more to fend off cyberattacks".

The law seems to address shortcomings in critical infrastructure security more so than private industry, though there does appear to be language that requires the disclosure of security breaches by private companies. This approach, presumably, would provide consumers with information regarding a business' security policy and could affect the choices consumers make. This non-regulatory position adopted by the White House is interesting because it echoes the Canadian Radio and Television Commission's (CRTC) position of letting market forces shape the industry.

Is a non-regulatory approach appropriate? Would the US Government randomly audit companies to determine their level of security? Would that be sufficient to force companies to do more to ensure security? Probably not, given the number of companies in the US and the rate at which new vulnerabilities are discovered. Requiring companies to disclose breaches could work if market forces are adequately informed.

It will be interesting to see how this legislation is applied to the cloud and which of the parties, vendor or consumer, will be held accountable for maintaining appropriate levels of security given that most contracts currently put that burden squarely on the shoulders of consumers.

The fact that legislation is even required to force companies to maintain adequate cyber security systems begs the question: wouldn't companies WANT to protect their assets anyway?!

May 2, 2011

What do the election in Canada and cloud computing have in common? Issues with Article 329.

Canada is a big country. Really. Big. So big, it has 6 time zones; by the time the West coast wakes up, the East coast has already had 3-4.5 hours of productive time. So big, in fact, that election results from the East coast are available before polling stations close on the West coast. And, if you Tweet, blog, or post on a wall in Facebook about results in the East before polls have closed in the West, you're breaking the law. Go figure.

In this day and age of social media and ubiquity of computing, the ability to share information is so great, that it can accelerate revolution. You know, the kind that deposes authoritarian governments? Despots aside, this technology can land you in trouble if you share election results. There is a section of the Canada Elections Act that governs "Premature Transmission":
"329. No person shall transmit the result or purported result of the vote in an electoral district to the public in another electoral district before the close of all of the polling stations in that other electoral district."
In a sense, social media is the wild west: it is difficult to control and regulate, applicable laws are a grey area at best, and there are as many opinions as there are users. What, then, is the responsibility of the service providers such as Twitter and Facebook? Private information being what it is, and terms of use being what they are, are Twitter and Facebook, US based companies, obligated to divulge private information of users who are being investigated by Elections Canada and/or the RCMP for violations of Section 329? Can Canadian users hide behind US companies?

Assuming that the charges are specific, which they would be considering the infraction, these organizations would simply comply with a subpoena or warrant. Not to mention that your hardware would be confiscated and used to collect evidence against you. What does this mean? Your footprint is out there. Even if you delete an account, data persists in backups and can be used to build a case against you.

Obviously this was intended to keep elections fair and to avoid influencing voters in an era of television and radio broadcasts. Clearly, the Elections Act never contemplated that information could be shared in such an environment as the Internet, and particularly, in social media. Changes to the electoral procedure have reduced this discrepancy between East and West down to 1.5 hours but this gap is sufficient to be in violation of the law.

Legalities and discourse on right and wrong aside, this is a good example of a Government's right to prosecute an individual and obtain private information in an effort to enforce law. However archaic it may be.

Apr 2, 2011

Takeaway #5 from Cloud Connect 2011 - Security schmecurity?

Security remains an important issue for cloud adopters. But to what extent is security truly preventing them from adopting cloud based services? Is it really that big of a deal?

Of course security is a real issue in IT; as a company doing business on the Internet, security is one of those things that, if you get it wrong, your business can be seriously hurt by the consequences. Security threats range in complexity but all have one thing in common: people are the main security threat, always have been, and always will be, through ignorance, accidental misconfiguration, or malicious behavior.

So why, then, is security in the cloud such a big deal? Governance. There is a lack of visibility into the security of cloud based services generally due to the nature of the contracts and the remedies offered as well as the lack of regulation, whether it be industry, government, or some combination of the two. In Canada, privacy law requires that the owner of private information (the organization(s) to whom the individual has provided the information) ensure that the information is held in confidence by whatever vendor/service provider makes legal use of that information. This means that the Government has mandated industry to regulate itself by making the organizations liable for any disclosure of that information, including that by a third party such as a cloud services provider.

At its core, this is an issue of risk tolerance: how tolerant is an organization to risk? The answer to this question is not complete without considering the tolerance to the magnitude of the impact to the organization (say $ for argument's sake). Basically, the greater the risk and the greater the impact, the more reluctant organizations will be. This is the basis for a basic risk response matrix.
(There are obviously more complex risk tolerance matrices, but it is sufficient for the purposes of this posting. Accept=make use of cloud based services as is. Mitigate=take measures to offset risks such as including remedies in contracts. Avoid=don't make use of cloud based services.)

There are those, even some at Cloud Connect 2011, that are claiming that security is a non issue. Unfortunately, most organizations are still worried about it and beg to differ. Countless polls prove this point. That said, this shouldn't be anything new to us. This very same argument/concern/issue has been dealt with before. At least twice: during the rise of e-commerce as we know it and again around the increase in outsourcing. Why is cloud any different? Let's figure out a way to secure our services, federate them, govern them, and then let's move on!

OK, so I oversimplified. The point is, there is too much discussion and not enough action. SaaS vendors have caught on. Their contracts address the issue of security. So, if customers want it, why aren't more vendors providing it, and why are yet others claiming that it's not a big deal?

Mar 25, 2011

Takeaway #4 from Cloud Connect 2011 - eBay and Cost Savings

By now, everyone has looked at Neal Sample's presentation from Cloud Connect 2011 (arguably the most important keynote as far as I am concerned) of how eBay makes use of the public cloud. I dare say that they have shown significant and very real cost savings.

Up until early March, the best we could do was theorize and sort of guesstimate at how much could be saved on costs by making use of a cloud based architecture; how much were servers costing, what was their utilization, how many person hours were spent managing them, etc. vs. spinning up AWS instances and shunting excess or unplanned workload into the public cloud. Many vendors offer their own version of cost/benefit calculators and "financial checklists" but they mostly miss the point: consumers of cloud based services need to be honest with themselves about how they consume IT assets and services before they can really estimate their cost savings. eBay did that. They looked at the whole enchilada, discovered where their efficiencies or inefficiencies lie and showed huge cost savings.

I have no doubt that eBay's model has inspired at least a few organizations to look at their utilization. The trick is for them to decide what is right for the organization. eBay's model certainly isn't a one-size-fits-all. It is up to individual organizations to understand their asset utilization profile, their tolerance to risk, and to see how cloud based services fit into their governance model before making such a leap, however compelling it may be.

Mar 19, 2011

Takeaway #3 from Cloud Connect 2011-Vendor Lock-in

A major concern about migrating to the cloud is vendor lock-in. The chief complaint is that, once a vendor is chosen, it is difficult to switch to another vendor without incurring additional switching costs. This has spurred discussion around standards.

Essentially, consumers want their cake and to eat it too; they want vendors to compete for their business but also want the ability to easily switch vendors should they see fit. From a vendor's perspective, making proprietary APIs available to customers helps reduce the likelihood that they will go to a competitor because of the cost to re-architect their application. Similarly, storing large quantities of data in the cloud ensures higher customer retention because of the high(er) cost of transmitting data from one vendor to another (it is significantly cheaper to get data in than out). And, "Data doesn't like to move". (Quote attributed to an unknown attendee at Cloud Connect.)

From a purely hypothetical and selfish perspective, it is not impossible that vendors would prefer a situation where APIs remain proprietary eliminating portability of applications much like the situation with data storage. It seems that, assuming that standardization is inevitable, storage will be the game winner for many cloud vendors.

Mar 15, 2011

Takeaway #2 from Cloud Connect 2011

On our pre-panel and panel discussion at Cloud Connect, Krishnan Subramanian of CloudAve brought up an interesting point about cloud adoption in Africa and India and even discusses it in his blog. To these I would also add China. Given their populations, there is a massive business opportunity there that may yet be untapped.

Essentially, the masses in Africa, China, and India are well versed in mobile communication due to its relative affordability and even prefer mobile phones over personal computers and laptops. As Krishnan points out, this platform is well suited to the delivery of cloud based services.

However, it is not the mobile end user that will increase adoption/utilization of cloud based services; it is the startups and innovators that recognize the opportunity to deliver mobile applications, and who will leverage cloud based services themselves in such delivery, who will do so.

That said, there is still a major barrier on the path to widespread use of cloud based services in Africa and India: latency (see Cedexis' analysis of cloud latency presented at Cloud Connect 2011 for details). Internet access to the African continent, China, and India is generally slow (in the 400ms+ range) due to the high costs of provisioning bandwidth and delivering telecommunications infrastructure, especially in the interior of Africa. This, in effect, is one of the reasons that mobile devices have proliferated: transmission towers only require power and line of sight to transmit data over long distances.

There were over 850 million mobile phones in China and 771 million mobile phones in India in January, 2011, and another 250 million more in Africa at the end of 2008. This should give some idea as to the size of the opportunity.

Mar 11, 2011

Takeaway #1 from Cloud Connect 2011

Cloud Connect this year was excellent and brought with it some maturity to cloud computing.

It seems that there was some consensus about whether it's all about public or private clouds with proponents at both ends of the spectrum. To paraphrase, it's not really about the hardware any more.
  • A purely public cloud is somewhat of a holy grail - a "cloudtopia", to coin a term - and can only occur once all regulatory hurdles, such as privacy concerns, have been overcome. Will this ever happen? No one knows for sure.
  • Private cloud seems to be the solution for those organizations and industries that have a low tolerance to risk and prefer to control their environment. How can these organizations relax their governance?
In my opinion, cloud will converge on a hybrid model due to regulatory and confidentiality requirements. Consumers of cloud based services will make them what they need them to be with a mix of public and private as they see fit.

There is no doubt that adoption is gaining momentum (double and triple digit rates for the current leaders); regulatory authorities and industry must now engage each other to further advance the agenda instead of staring at each other and wondering who will blink first.

Mar 9, 2011

Changing Concepts of Privacy and Self

Larry Clinton, President and CEO of the Internet Security Alliance, brought up an interesting point regarding privacy during his session at Cloud Connect: subsequent generations will think differently about privacy. This may or may not force law makers to reconsider the definition of privacy and their related laws.

To illustrate this, and I'm paraphrasing this next bit, he gave an example of teens using Facebook and the future risk of employers finding unacceptable content during a hypothetical interview process. "By that time, the interviewer will have had their own Facebook page and won't care what's on mine." It is interesting to think that the concept of self, also changed by the Internet, has been redefined to include a digital self or reasonable facsimile (Facebook, LinkedIn, Twitter, etc.) and has blurred personal boundaries.

Privacy law and regulation may need to change. Current privacy laws in Canada, the US, and more extensively in the EU, protect private information. It is not unreasonable to think that, at some point, it will be up to the individual to opt to disclose information of their choosing. That said, the cost of retooling the laws and implementing processes capable of permitting such freedom might be prohibitive.

Mar 7, 2011

Great examples

Great examples, use cases, and scenarios in Jinesh's session on migrating to the cloud. Helps to reinforce the idea that migrating operations to the cloud is a multi-step process and not something that can be done on a whim.

GRC/security in cloud computing

Jinesh just echoed some thoughts I've been incubating regarding security and risk: GRC/security boils down to risk tolerance. If you have a high tolerance to risk, then there is no problem using AWS; if you have low tolerance to risk, involve your security team early and often and make them a part of the decision making process.

Comment from the audience: "My legal wants to redline the AWS contract but I don't think Amazon would go for that." According to Jinesh, Amazon has a legal team that is available to address legal concerns. I will have to look into this given the work that the team at QMUL did on cloud based services contracts.

Basic strategy for moving to the cloud

Flexibility is key. Spinning up instances, regardless of whether they are with AWS or not, needs to be easy, scalable, and allow for various operating systems, development environments/programming languages, and databases.

There are 2 basic strategies that are common to Startups, SMBs, and Enterprises: create new services/apps; migrate existing services/apps.

Justification for the business depends on TCO and must balance the cost of capital to acquire infrastructure vs. the expense of leasing temporary infrastructure.

Going to take a closer look at the AWS "economics" later.

Breakdown of Amazon's cloud based services

Good basic overview of Amazon's cloud based services and how they interrelate. Graphical representation of:
  1. Infrastructure (compute, storage, network, database); includes global physical infrastructure
  2. Platform (parallel processing, payments, content delivery, workforce, messaging, email)
  3. Cross service features (authentication and authorization, monitoring, deployment and automation)
Jinesh also explained how ISPs can resell AWS instances with margin using DevPay. Wondering what the developer/channel/spot market dynamics will be.

Wonder how many of the services are home grown vs. COTS white labeled. Anyone know?

$25 credits for everyone!

Starting off well. Jinesh gave out $25 credits to AWS to all participants.

Goals:
  1. What to move to the cloud?
  2. What services to use, when, and how?
  3. How to build applications to leverage AWS
Morning session is a lab portion to help participants learn how to set up AWS. Afternoon is devoted to more conceptual topics such as architecture and migration.

Liveblogging @ Cloud Connect

This morning I am attending Jinesh Varia's session on "Moving to the Cloud Step by Step" at Cloud Connect.

I'll try to live blog as best I can.

Mar 3, 2011

Meet the BoD of the CSA, Canada Chapter

After a long nomination period for election to the Board of Directors, it all came down to one candidate per position after a few withdrawals.

The BoD for the CSA, Canada Chapter is:
Chairperson--Brian Baird
Vice Chairperson--Tyson Macaulay
PR/Communications--Pano Xinos
Secretary/Membership--Ron Boulanger
Education--Jon Whittington
Treasurer--Geofferey Chen


Membership is also growing steadily. The CSA, Canada Chapter LinkedIn subgroup is now up to 50 members, up from the 23 we had at the time of our kickoff call in mid January.

Cloud Connect

Just a quick note to say that I will be participating in a panel at Cloud Connect on Thursday, March 10th, 2011. The panel is entitled, "A Global View of Connected Computing." The panel is moderated by Chad A. Fentress, Director of Compliance at Accenture. My co-panelists are: Krishnan Subramanian, Analyst at Cloud Ave; Ditlev Bredahl, CEO of OnApp.com; Carlos Viniegra, Head of the Digital Government Unit, Ministry of Public Administration, Government of Mexico; and Jeroen Tjepkema, CEO of MeasureWorks.

Cloud Connect is the one event that brings together cloud customers and cloud operators who are looking to accelerate their cloud strategy while driving growth and innovation. See the latest cloud technologies and learn from thought leaders in Cloud Connect’s comprehensive conference and expo.

Follow my tweets (@pmxinos) from Cloud Connect and other tweets using hashtag #ccevent.

Feb 21, 2011

Of Clouds and Contracts


I've been ruminating on the topic of contracts for cloud based services for some time. I had started reading AWS and Google terms of service to see what they had to offer when Alistair Croll, Principal at Bitcurrent, pointed me in the direction of some research that was done in the UK (see below). This is a first pass on what's been banging around in my head for a little while and there is more than likely going to be a second pass at some point in the near future to expand on/update/correct what I write here today.


It is true that consumers and vendors of cloud based services need to clearly distinguish between "reasonable expectations" by, as Darrell Plummer of Gartner says, using a common language, the contract. However, it is clear that service level agreements which are universal in basic IT service contracts and that are taken for granted generally do not apply to cloud based offerings; they take on new meanings given the new environments in which computing power is consumed and data is stored on demand.

Case in point: the phrase, "service level agreement," does not appear in the AWS contract. The closest it gets to an SLA is to lay out the "availability" of the service as follows:

7.1. Downtime and Service Suspensions. In addition to our rights to terminate or suspend Services to you as described in Section 3 above, you acknowledge that: (i) your access to and use of the Services may be suspended for the duration of any unanticipated or unscheduled downtime or unavailability of any portion or all of the Services for any reason, including as a result of power outages, system failures or other interruptions; and (ii) we shall also be entitled, without any liability to you, to suspend access to any portion or all of the Services at any time, on a Service-wide basis: (a) for scheduled downtime to permit us to conduct maintenance or make modifications to any Service; (b) in the event of a denial of service attack or other attack on the Service or other event that we determine, in our sole discretion, may create a risk to the applicable Service, to you or to any of our other customers if the Service were not suspended; or (c) in the event that we determine that any Service is prohibited by law or we otherwise determine that it is necessary or prudent to do so for legal or regulatory reasons (collectively, "Service Suspensions"). Without limitation to Section 11.5, we shall have no liability whatsoever for any damage, liabilities, losses (including any loss of data or profits) or any other consequences that you may incur as a result of any Service Suspension. To the extent we are able, we will endeavor to provide you email notice of any Service Suspension in accordance with the notice provisions set forth in Section 15 below and to post updates on the AWS Websites regarding resumption of Services following any such suspension, but shall have no liability for the manner in which we may do so or if we fail to do so. 
7.2. Security. We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorized access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorized access or use, corruption, deletion, destruction or loss of any of Your Content or Applications.
(Source: AWS Customer Agreement accessed upon sign-up to AWS EC2 services Feb. 13, 2011.)


By contrast, Google Apps Premier terms include a service level agreement by reference (both accessed February 21, 2011) that guarantees uptime of 99.9% (which amounts to about 43 minutes of downtime, measured at the server) though it's unclear if it's consecutive or aggregate downtime. Of course, the customer is left to try to claim the service credits offered as a remedy based on user experience which is not taken into account in Google's determination of availability.

The Cloud Legal project (accessed Feb. 15, 2011), conducted by Simon Bradshaw et al. at the Centre for Commercial Law Studies at the Queen's University of London, determined that contracts vary greatly among cloud based service providers, though there are some overarching templates and language that are common to various discrete groups of unrelated providers. This is, as far as I know, the most extensive survey of contracts for cloud based services available.

This is a first pass on contracts and I fully expect to write more in the near future. In the meantime, if you're looking for some light bed time reading, there's always the City of LA contracts with CSC/Google (posted by InfoLawGroup, accessed January 12, 2011)...

Effectively, Amazon is washing its hands of any responsibility/liability for its or anyone else's actions that might have an adverse effect on their customers. From a governance perspective, customers are left to fend for themselves and accept, rather than mitigate or avoid, risks.

Feb 20, 2011

Gartner defends its MQ for IaaS and hosting

At the risk of seeming like I'm jumping on the bandwagon, and amid much flak from the community over its apparently misguided Magic Quadrant for Cloud IaaS and Web Hosting Providers (link to GoGrid's website), I can't say that I fully agreed with Gartner's assessment of where they positioned Amazon.

That said, Lydia Leong, Research VP at Gartner, did post a rebuttal of sorts to whatever criticism Gartner received. In her post, Leong makes the case that the MQ was for IaaS AND web hosting providers which is why Amazon was placed in the visionaries quadrant. This logic, by itself, was enough to satisfy me that the MQ was basically correct.

But then I started thinking that Gartner missed the mark on the subject of the MQ: IaaS can be considered as a form of web hosting, but it's a stretch. IaaS and web hosting are fundamentally different in that the former is a service that is rapidly available on demand (among other characteristics published in the NIST definition) while the latter is an engagement that requires managed services and is billed on a monthly basis.

Enter Leong again who wrote that Gartner was preparing to publish a mid-year version of the MQ only, this time, it was going to be cloud only. This seems to indicate that Gartner made the same logical leaps I did and is now committed to providing a more accurate layout of the competitive landscape for IaaS. The one lingering doubt I have is how Leong framed it:

"The mid-year version will be cloud-only, specifically the self-provisioned “virtual data center” segment of the market."



I'm not quite sure about how Gartner is defining "self-provisioned 'virtual data center'" and how they will rank the contributing organizations.

Despite this, I am very curious to know how it turns out and look forward to reading it through. If anyone from Gartner reads this and would like to send me a copy, I'd be more than happy to read it through and post my thoughts. ;)

Jan 6, 2011

Cloud Security Alliance, Canada Chapter has Traction!

Just a quick note to say that we now have more than 20 charter members for the Cloud Security Alliance, Canada Chapter (LinkedIn group). The formal process of forming the chapter has begun with CSA's review of the membership, followed by a kickoff in late January to introduce the members, select the chapter's areas of focus, and discuss our mission and structure.

If you are located in Canada and are interested in joining us, please visit the membership drive thread and post a message that you would like to join. I will contact you for your contact information thereafter.