Yesterday’s trip to Cloud Camp Boston was most interesting. The keynote gave a good overview of what cloud computing is, where it came from and where it is headed.
After the keynote, a few questions were posed by the audience, which were then used as proposals for topics for the breakout sessions. Several people were picked from the audience to be on the initial panel, and to pick one of the questions to answer. Our very own Natasha was on the panel, and she did a terrific job answering the question about how to choose a cloud provider.
The crowd seemed to be heavy marketing, business, and sales engineer types- I ran into only one other system admin type. My question about benchmarking and performance testing on cloud systems unfortunately was not among the most popular choices.
The breakout “unconferences” were informative, covering a wide variety of topics such as security, storage, Azure, databases, getting developers to think cloud, deploying mission critical apps in the cloud.
I went first to the Security unconference, which was attended by about 25 people, including a couple of storage guys. There were also several folks who were thoroughly knowledgeable about security concerns and requirements.
Some standout issues:
- How does one have confidence in the security of cross tenant isolation in a multi-tenant cloud system?
- How does one ensure the security of the data in the cloud storage environment?
- What happens if the hypervisor is breached (through a vulnerability, virus, or other)?
- How do we limit exposure at the endpoints (i.e. data on the laptop, mobile devices)
- How do we manage keys and credentials in the cloud?
- What different levels of data “importance” or “risk” are there, and how do we handle exposure risk? (ie.credit card information is more “important” than transaction numbers)
- One can outsource responsibility for security, but one cannot outsource “risk”
- Re: responsibility: a large Ivy League school had to negotiate for two years with Google over their EULA to be comfortable with the level of responsibility that Google shouldered.
As you can see- while there are specifics to cloud security, many of the issues are the same issues we already need to deal with. I spoke with one gentleman from Exultam who was in Risk Assessment and Compliance.
One of the things he noted was that in conversations with him, firms would hand over their ISO-XXXX compliance statements (which covers all of the above PLUS) thinking they were done. However, after that- there was a huge amount of work
Still needed on the security front- and one of the biggest holes was the “personal” factor- passwords written on post-its, single access levels, data treated as “all important” or “not important” with no recognition of intermediate levels.
The second session was about storage. About 15 of us were in that group. Several folks from EMC, Microsoft, Exultam, SliceHost, an open source project called Twisted Storage, and several independent consultants were in attendance. EMC mostly teased the Twisted Storage guy- who took it all in good humour. The most interesting discussion came from one of the consultants. He discussed the handling of large (ginormous) datasets. He noted:
- There is a vast difference in handling datasets of 2-500 Terabytes of data, and 1 petabyte or more
- When dealing with these huge datasets- you generate them where they will live
- Backups are currently highly impractical for that amount of data, so this data is often not backed up
- The systems that contain and manage this data must be self healing
- Since you can’t move the data to the computers (computes), the computes must be moved to the data
- Private clouds help accomplish the above (#5) but don’t solve everything
- Given #2 above, we still have the problem of data needing to live in multiple locations
There was also discussion of security, access levels, data importance, and the difference in view of that data importance between legal and IT.