Cloud computing is the buzz word du jour. Fortunately, it is backed up by substance and potential value to the enterprise. But going blindly into the cloud is not a good idea. That could lead to the adoption of insecure public cloud resources, bit-and-piece implementation and headaches up the road (and other things!).
What is needed is a comprehensive approach to cloud computing that confronts the realities of the technology and takes into account the mindset of the organization. Perhaps the biggest objection to the cloud is the fear of IT insecurity. Until the executive structure and line of business teams are comfortable with the security of the cloud, no PO is going to be passed.
For related articles, please visit Internet.com’s new cloud computing site.
“Security is very important to us, but traditional security technology is very expensive and has a lack of visibility into virtual environments,” said Anil Karmel, IT manager at Los Alamos National Laboratory. “For the cloud, security needs to be simple, cost-effective and adaptive.” By adaptive, Karmel is talking about such features as being able to move a virtual machine (VM) from one host to another and have its security policy move with it.
Karmel is in the thick of a major cloud roll out. Los Alamos looked at three different ways to implement the cloud: private, public and hybrid. The organization opted for the private option for its infrastructure on demand (IOD) project due to security concerns. IOD has a web portal at the front end, Microsoft SharePoint as its workflow systems and automation engine, VMware vCloud Director as the glue to hold together the cloud, and VMware vShield Application/Edge to implement security policy throughout the cloud.
Within the IOD, Los Alamos creates security enclaves that compartment the various virtual environments. For example, rules within vShield have been set up to prevent one desktop from attacking others. Sets of desktops can be placed within an enclave that have common characteristics, access rights and so on. Servers, are kept within a more protected enclave.
“If a VM or virtual desktop is compromised, it is moved into a remediation enclave which doesn’t have network connectivity,” said Karmel. “It is placed there automatically once the intrusion is detected.”
Authentication also plays an important part in the Los Alamos security strategy. Any user requesting a virtual machine has to be authenticated. That request is then validated by two other authenticated sources in order to be approved. Yet the entire workflow can be done in an hour or two. “You have to build best practices around your workloads,” said Karmel. “But take it one step at a time. Go virtual first and then transition to the cloud.”
Before you can journey to the cloud, though, there may be a whole lot of internal politics, entrenched operating groups and special interests to overcome. Take the case of professor Greg Ganger of Carnegie Mellon University (CMU). He has long envisioned cloud computing for CMU. “As one of the top research and computer education universities in the world, we need to be a leader in data center operation,” he said.
Tradition, however, dictated that each department and each research team at CMU procure, built and manage its own compute resources. The result was a hodge-podge of resources with low server utilization. He could see very clearly that one pool of common resources would be cheaper, more efficient and would provide far more concentrated compute power than any one department could muster. But gaining acceptance for the concept was another matter entirely.
He first surveyed all areas to ascertain server utilization rates, server populations. He took his findings to the top management of CMU administration — the institution was running at less than 25 percent utilization per server and currently had four or five times more servers than it actually needed. That added up to colossal potential savings in power, cooling and IT budgeting.
Realization: a new data center was something worth investing in.
But executive buy-in was no means enough. Each community also had to be convinced. Ganger is part way through the process of closing each department and research team on the value of this virtual data center and its pool of resources. And in the meantime he has the funding and is rolling out a cloud based on HP CloudStart technology, VMware, Samsung Advanced Memory and Intel processors.
“You can’t move people to the cloud until the cloud exists,” said Ganger. “HP came in and helped us set up a cloud in less than thirty days in a new data center.”
Step by step, he is moving through the teams to negotiate on behalf of the cloud. Some get it and are whole heartedly behind it. Some have chosen to wet their feet on minor projects to see how it goes, and others remain reticent. “We have to convince them that they won’t lose the dedicated servers they need during their peak periods,” said Ganger. “There is understandable fear that they won’t be able to meet their research and publication deadlines.”
While CMU has a chargeback model in place, it isn’t implementing it yet. It needs to coax most users onto its cloud, get them happy with it and only at that point can future funds can go to expanding the cloud instead of to localized research teams.
Funding of cloud projects in the current climate might not meet with much enthusiasm. So it might well take creative budgeting to push the project through. Take the case of Kevin Carr, director of IT for the County of Denton, Texas. He wanted a cloud, but there was a problem. Not only did he have no budget, he was in the midst of cutbacks at a time when he was running out of space, network bandwidth, power and cooling in his data center. No funding was available.
He took a cold hard look at his options. Some money was sitting there, allocated to the replacement of aging physical servers. He did the math and worked out how to use virtualize his 150 physical servers so that he didn’t need to buy any more boxes. “We took all the money we were going to spend for new servers and used it to virtualize them,” said Carr.”We didn’t need to ask for a new budget.”
The result is a more efficient virtualized data center with all the capacity he needs. Server provisioning is now done in minutes and he has the resources to allocate as many virtual servers as users request. The next step is the desktop.
“We have commenced a small virtual desktop pilot to take over the management of desktops for other agencies that want access to our network,” said Carr.
Drew Robb is a freelance writer based in Los Angeles specializing in technology and engineering. He has a degree in Geology/Geography from the University of Strathclyde in Scotland. He is the author of Server Disk Management in a Windows Environment, as well as hundreds of magazine articles.