Citrix StorageLink Video Challenge

I was recently asked to judge the Citrix StorageLink Video Challenge and will serve as an independent voice on a panel that includes Citrix’s Simon Crosby and John Fanelli. I have to admit that it was pretty smart of Citrix to place an analyst on the panel of judges. Now if Citrix’s vendor partners don’t like the results, they can just blame me.

Anyway, the video challenge is very interesting. Storage vendors put together videos to demonstrate the value of their technology to the Citrix StorageLink product line. The user community will vote for the most innovative video, and the panel of judges will dole out awards in the following categories:

  • Best storage for desktop virtualization deployments
  • Best storage savings (TCO)
  • Best performance

There is very good participation in the contest, and videos were submitted from the following vendors:

  • DataCore
  • GreenBytes
  • HP
  • LSI
  • NetApp
  • Nexenta

I’m always interested in community input, so if you have an opinion on any of the award categories, please feel free to post it as a comment or send it privately to me through my contact page. Voting closes on April 18th, so vote and send me any feedback that you have soon.


RSA, Intel, and VMware Take a Big Step Forward in Cloud Security

Yesterday RSA announced new controls for virtual infrastructure security in cloud environments. Concerns regarding security and compliance have been primary factors preventing large enterprises from placing production workloads on shared virtual infrastructure in the cloud. Yesterday’s announcement and proof-of-concept didn’t solve all of public cloud’s security woes, but it brought us closer to a practical solution. In case you missed it, you can read a detailed overview of the solution in the RSA security brief “Infrastructure Security: Getting to the Bottom of Compliance in the Cloud.” Even if you’re not ready for public cloud, many of our clients have expressed concerns over mixing security zones or subzones on internal private cloud infrastructure. Instead of supporting multi-tenancy (i.e., multiple departments traversing multiple security boundaries), the conservative IT organization isolates security zones using dedicated physical infrastructure (e.g., separate physical clusters, network ports, and storage). Even if you build security controls into the virtual infrastructure, how do you expose them to the auditor? To date, that has been a problem.

In the past, I have talked about this security dilemma in a couple of key areas. First, we need a standardized set of cloud isolation levels. We also need standard metadata (either de facto or industry standard) so that third party audit tools can properly query an application’s relationship to cloud security policy in relation to the virtual and physical controls that are in place. I covered those issues in more depth in the post “The Cloud Mystery Machine: Metadata Standards.” In addition, virtual resources need to be able to answer the question “Where are you?” That applies to both the runtime location and the data location. It’s important to ensure that data privacy and governance concerns are met, and that regulatory compliance issues such as data export restrictions are satisfied. Ideally, the answer to that question will provide details on the hardware root of trust (that the hypervisor and physical infrastructure are secure) and on the relationship to pre-defined security tiers (the RSA POC uses “platinum,” “gold,” “silver,” and “bronze,” for example), and will provide the detail needed to prove that both data and application runtime security requirements are satisfied.

Rather than summarize all of the goodness in the RSA announcement, I’ll focus on the areas where it still falls short. For starters, neither EMC nor Cisco was part of the POC. So the existing model does not detail concerns such as data location and the privacy of data at rest. Naturally, there is quite a bit that you would expect Cisco to offer too. The Nexus 1000V has plenty to offer when it comes to security inspection and enforcement on shared virtual infrastructure: L2-4 ACLs, SPAN, ERSPAN, AAA, and more. Naturally, any de facto tiered security models offered by RSA and its partners should go as far as to include advanced network and storage requirements, and I expect them to do so over time.

Now that RSA, VMware, and Intel have taken this big step toward satisfying the security concerns associated with shared infrastructure-as-a-service (IaaS) architectures, it’s time to be transparent on metadata structure. If each service provider builds its own proprietary metadata schema, we’re in trouble. Instead, vendors such as VMware need to define a more robust metadata schema within the .vmx configuration file. In a perfect world, VMware would toss .vmx to the side and work with the DMTF to take the XML-based .ovf standard from a standard for VM importing to a standard for runtime metadata. If we had that, RSA, VMware, and Intel could continue on their current path, and third party vendors could add their own custom controls as well. In addition, the standard could be applied to all hypervisors, such as Hyper-V and XenServer.

While I expect this announcement and forthcoming innovations to be a boost to public cloud providers, the work of RSA, VMware, and Intel will pay immediate dividends for each organization’s internal cloud plans. The more compute resources that can be shared, the lower the capital and operational expenses to run the data center. Solutions that enhance visibility, improve security, and create opportunities to share more physical infrastructure are no-brainers, in my opinion. I could spend much more time discussing the details of the RSA POC, but I’ll leave that for the RSA white paper. Also, if you would like to hear more about where this solution is going, I encourage you to attend Catalyst Europe next month. RSA CTO Bret Hartman will detail RSA’s vision for cloud security at the conference, and will be on-hand to answer your questions as well.


The Next Gen Desktop’s Cloudy Future

Over the past few years, I have talked with several dozen Burton Group clients who are struggling with defining their next generation desktop and application delivery architecture. They often like the idea of the server-hosted virtual desktop, but not the cost. In addition, many of our clients are increasingly looking at cloud-based application delivery frameworks such as software-as-a-service (SaaS) and platform-as-a-service (PaaS). For example, several of our clients use the Salesforce.com customer relationship manager (CRM) SaaS-based application. The result: users get a rich application accessible from anywhere with a web browser, and IT sees a low total cost of ownership (TCO) for the CRM application. Other Burton Group clients have evaluated Microsoft Exchange via SaaS services, while others are keeping an eye on PaaS offerings such as Microsoft Azure.

Besides SaaS and PaaS, infrastructure-as-a-service (IaaS) is increasingly growing in popularity. One of the most common ways to deliver IaaS is by leveraging hardware-infrastructure-as-a-service (HIaaS) platforms (e.g., VMware vCloud, Amazon EC2, or Citrix Cloud Center). For the majority of our clients, their initial entry into HIaaS has started by building private clouds to host applications in virtual machines. HIaaS as a backend for desktop-as-a-service (DaaS) is on the radar of many of our clients. For several, 2010 plans include virtual desktop pilot projects, and small deployments by the fall. Note that while I’m being relatively light on the definitions, you can read Burton Group’s detailed perspective on cloud in the following free report “Cloud Computing: Transforming IT.”

If you’re wondering “What’s the point?” here it is. Application delivery does not have to begin and end at the virtual desktop, and in many cases will not. SaaS and PaaS services will increasingly play a role in delivering applications to end users. Presentation virtualization technologies such as Citrix’s XenApp will do so as well. XenApp as the delivery mechanism for internal SaaS, combined with the Citrix Receiver, for example, provides the framework to publish Windows applications to a variety of endpoints (e.g., notebook, netbook, iPhone, iPad, thin or zero client, and thick client). So in the end we’re winding up with several layers of application services that need to be seamlessly delivered to the end user. This means that security policy enforcement and identity management, for example, will need to traverse each service layer. For most organizations today, leveraging SaaS applications requires users to maintain a separate login for each provider. Identity federation in support of single sign-on access to cloud services will be a key enabler in the delivery of converged cloud services. Others (e.g., Microsoft and Novell) have tried and failed in the past, but this time the stakes are different. Strong interest in cloud services provides the use case waiting for a solution.

If we take the delivery of converged cloud services to the client endpoint, we get to what should be a divide between two user experience domains: personal space and work space. The endpoint device may include a client hypervisor to securely separate both personal space and work space, as shown below.

[Image: client endpoint with a client hypervisor separating the personal space from the work space, each receiving converged cloud services]

Granted, what I’m talking about here isn’t revolutionary. Many vendor examples relating to a bring-your-own-device delivery model highlight the need to separate personal space and work space, but they fall short in their inclusion of other relevant cloud application delivery services. In fact, I blogged about this approach a year ago. Independent analyst Brian Madden went a step further and predicted that 90% of virtual desktops will run on client endpoints.

To summarize, we need to keep the focus of application delivery on the application. If a call center’s application delivery requirements are best served by a low-end device that uses a web browser to present applications to users via SaaS, then so be it. If the application delivery requirements warrant a server-hosted virtual desktop, then that’s OK too. Still, in my opinion, IT’s future is about managing each user’s work space, and we should be looking at technologies that simplify delivery and presentation of converged cloud services. The winning vendor, and the one that drives a user’s work and/or personal space, is the one that nails the presentation of converged cloud delivery. I’m not sure who the winner will be, but I know that the winner won’t be the vendor going after this problem with a narrow view of the typical enterprise’s application delivery requirements. What do you think? We will be talking about these topics at Catalyst Europe in Prague next month, and I hope to see you there.


VMware Acquisitions… New Management Direction or More of the Same?

Yesterday VMware acquired several products from EMC’s Ionix management portfolio: Server Configuration Manager (formerly Configuresoft), FastScale, Application Discovery Manager (formerly nLayers), and Service Manager (formerly Infra). In my opinion, the move makes sense because the products will get considerably more traction under the VMware brand than as part of the EMC Ionix umbrella. VMware has successfully launched several new management products resulting from acquisition or internal development – Lab Manager, Lifecycle Manager, CapacityIQ, and Site Recovery Manager – to name a few. I expect similar success for the products that were under the Configuresoft and FastScale brands as well (prior to their acquisition by EMC).

While a broad management portfolio is needed, seamless integration is far more important to our clients’ cloud initiatives (with a heavy reliance on automation) than a platform consisting of several required but disjointed products. I recently discussed these concerns in greater detail in these posts:

That brings me to VMware. The process of collecting “functionality checkboxes” is a longstanding strategy taken by leading management vendors. Rather than integrate, vendors too often rely on product marketing. I think this picture from oddlyspecific.com captures the essence of enterprise management product marketing pretty well.


Let’s face it. It’s far easier (and less costly) to tell an integration story via creative product marketing than it is to actually commit the engineering resources to build a truly integrated solution. In other words, let’s take a management platform built to solve a specific problem years or decades ago, and bolt on some other products to make it relevant to today’s management challenges. The big four in management (i.e., BMC, CA, HP, and IBM) have historically taken this approach, and one could say that VMware is doing the same. In addition, one could argue that CA’s 3Tera acquisition is another “sign of the times.”

When vCenter and its backend database were originally architected, enterprise cloud management wasn’t the goal. VMware has already commented on its work regarding a Linux-based vCenter VM appliance. I see the movement to the vCenter VM appliance as VMware’s chance to get vCenter right, with the extensibility needed to grow the vCenter schema as cloud management requirements further mature.

Over the last couple of years, VMware has worked to transition itself into a management company. I blogged about this transition at VMworld 2007, and my Gartner colleague Cameron Haight also discussed this trend in his 2007 document “Why VMware Must Morph into a Management Company.” If that transition follows historical patterns, VMware’s clients should worry. Automation and infrastructure-as-a-service are far too complex to be solved by legacy bolt-on management approaches. The existing disconnect between VMware’s DRS service and other management products or features such as vShield Zones and CapacityIQ are just two examples, but there are plenty more. VMware’s problem, like many, is not that the left arm doesn’t know what the right arm is doing. If the arms were attached to the same body, that would be a good start. Instead, we have a bunch of individual cooks, all with their hands in the virtual infrastructure pot. VMware made a good move yesterday to broaden its management portfolio; however, they have a lot of work to do. Cloud and infrastructure-as-a-service are highly disruptive to traditional IT operational management, and in turn create opportunities for new vendors to unseat the big four in the enterprise management space. Following a path that leads to legacy bolt-on style disjointed enterprise management isn’t going to cut it. That being said, I know that VMware is smarter than that, and let’s hope their clients won’t be led down a path with a familiar ending.


The Cloud Mystery Machine

In some situations, mysterious is cool. Pop culture often embraces certain entertainers because “they’re mysterious.” When it comes to cloud, some folks appreciate the fact that cloud is mysterious too. In several conversations over the past twelve months, I’ve heard some semblance of the following phrase uttered “All you need to care about is the application and the SLA.” Factors like physical infrastructure don’t matter. Or do they?

In 2010, we need to take steps to make the cloud less mysterious. If it’s less “cool,” then that’s a good thing, because that probably means it’s becoming a more serious platform for enterprise IT. However, if we’re going to get serious about cloud, a lot of work remains. The following posts highlight areas that I think should be points of focus in 2010:

A large percent of our clients are very serious about cloud, but they want to see traction. They’re tired of making the same complaints about virtual infrastructure management and orchestration and seeing no results. A large portion of my 2010 Burton Group research will be devoted to private cloud architecture and management. Aside from highlighting what’s needed, I’ll be focusing on practical management methods that can be used today. Also, I think the issues I highlight in the posts below are just the tip of the iceberg. Cloud storage, for example, is still a work in progress. What else is needed? I welcome your comments.


The Cloud Mystery Machine: Infrastructure Matters

This post continues the discussion in my “The Cloud Mystery Machine” post.

Contrary to the utopian cloud model many espouse, underlying infrastructure still matters, especially when you consider application performance and the ability to satisfy SLAs. Most folks are well aware of virtualization live migration incompatibilities between Intel and AMD platforms, but what about substantially reduced performance between Intel platforms? For example, consider an enterprise application that realizes a substantial performance benefit from Intel’s hardware-assisted memory virtualization – Extended Page Tables (EPT). XenApp, Exchange, and SQL are among the many applications that benefit from EPT. Moving the application to a cloud platform without EPT support could result in significantly degraded performance. If you have no information on a cloud service’s underlying hardware infrastructure, you may not know about the lack of EPT support until you start getting complaints about application performance. Then what do you do? Ideally, when a user or application requests infrastructure services from a cloud provider, there should be a mechanism for specifying low-level hardware requirements such as EPT.

When it comes to trusting critical applications to cloud service providers, not all organizations are keen on the idea of trusting an application to a white box server with memory acquired from the lowest bidder. Ditto for back end storage. This is one of the reasons why initiatives like VCE are important. A cloud provider offering services on known and trusted hardware is important to many decision makers. Sure, you may pay a little more for the service, but for many IT decision makers, that’s OK. SLAs are only as good as a provider’s capability to honor them. Without knowledge of the provider’s infrastructure, you may be rolling the dice. Take the recent HostV failure as an example. While phrases such as “All you need to worry about is the SLA” sound good in theory, today they’re simply not practical. If cloud providers truly want to enable services such as application bursting to cloud, then they need to provide interfaces that accept very specific infrastructure requirements. Open Virtualization Format (OVF) is the best option we have for importing VMs to foreign infrastructures, and its extensibility allows room for custom metadata today. So there’s really no reason why service providers can’t offer such capabilities today. Also, there’s no reason why a service provider shouldn’t be transparent about their physical and virtual infrastructure. If a provider isn’t offering the detail you need to feel comfortable, then move on. There are plenty to choose from.


The Cloud Mystery Machine: Metadata Standards

This post continues the discussion in my “The Cloud Mystery Machine” post.

Open Virtualization Format (OVF) is a good start for standardizing definitions for VM metadata; however, let’s not forget that today OVF is only used to import VMs to a proprietary virtual infrastructure, and has no use at runtime. That being said, if you move a workload to the cloud, do you know where it is? You may think “Why do I care?” Organizations concerned with issues such as data export restrictions and data privacy care. When using virtualization platforms in the cloud, some workloads will require the identification of the physical runtime location and physical data location. In addition, the location of the application execution in relation to other systems within the shared physical infrastructure is also important. An auditor should be able to collect such information via a standard query. Unfortunately, that’s not possible today. Today, thanks to OVF’s extensibility, it’s technically possible for a VM to communicate its security requirements to a service provider, although I have yet to see a cloud service provider use OVF in such a way.

Providing simple and industry recognized methods for identifying VM and data location in the cloud is a difficult problem to solve. Again, the question isn’t just about where, but also about the relationship to required isolation mechanisms, whether they be virtual or physical firewalls, isolated virtual or physical network segments, or isolated storage, for example. Of course, how the provider defines “isolated” is equally important. Last year, I talked about the need for standardized cloud security models in this post. This is a difficult problem to solve, and that’s why all vendors that have a stake in cloud computing need to begin working on such standards today. And speaking of standards, unfortunately I doubt we’ll see an industry standard that addresses cloud infrastructure location and isolation issues anytime soon. Instead, I’m looking at vendor combinations such as VMware/EMC/RSA or Microsoft/Citrix/HP to deliver solutions that emerge as de facto standards in the coming years.


The Cloud Mystery Machine: Licensing

This post continues the discussion in my “The Cloud Mystery Machine” post.

Cloud computing and hardware infrastructure as a service (HIaaS), in theory, should allow organizations to move workloads to the cloud and manage licensing just as they always have with managed hosting services in the physical world. However, the problem with current licensing models such as Microsoft’s Service Provider Licensing Agreement (SPLA) is that they require licenses to be bound to physical hardware. Physical hardware binding removes the ability of IT organizations to manage licenses when they have no idea of the hardware on which their applications reside (it may change from day to day). So far, service providers have dealt with the licensing issue by building licensing costs into their service fees. In other words, you need to tell the service provider your application needs, and the provider must manage licensing compliance on your behalf. If you want to take your already-purchased Microsoft licenses to the cloud, you’ll need to lease dedicated physical hardware from the service provider.

Asking service providers to take on license management for thousands of applications is impractical and is one more barrier to public cloud infrastructure adoption. Some service providers may support a few dozen applications today, but many organizations have thousands of applications. 2010 marks a year where Microsoft can show industry leadership and change licensing so that application license management is transferred from the service provider to the end user organization. The SP provides the virtual infrastructure, the organization uses it. Application licensing based on concurrency or user seats has always been infrastructure agnostic. Heck, Microsoft already has a similar model with its Client Access License (CAL). All that’s needed is to remove the physical binding requirement for application server licenses. As I’ve said before, we are moving away from device-centric computing. We’re shifting away from hardware as the definition for a user’s working environment, and that includes both client and server applications. It’s time the major players in the enterprise application market evolve their licensing policies to meet the agility requirements of today’s enterprise.


The Cloud Mystery Machine: The Need for an Infrastructure Authority

This post continues the discussion in my “The Cloud Mystery Machine” post.

Private cloud is a key 2010 objective for many Burton Group clients. However, our clients are consistently frustrated by the difficulties of on-demand service and mobility in virtualized environments. Until we get closer to having a virtual infrastructure center of the universe, these problems will persist. For example, suppose you set up soft security zoning using VMware’s vShield Zones. Does your third party orchestration product consider zoning restrictions prior to moving a VM to a particular server? Considering that VMware’s own Distributed Resource Scheduler (DRS) service doesn’t have such capabilities, it’s unlikely that any third party tool will either. In fairness, VMware hasn’t exposed such features through their SDK, so it’s unfair to ask vendors to support something over which they have little control.

When it comes to orchestration, everything falls apart without a central metadata store. Call it an infrastructure authority (IA), or whatever you like. The bottom line is that if a tool wants to place an object somewhere within a cloud infrastructure, there needs to be a central place where it can check to make sure the physical location offers the necessary resources (compute, memory, networking and storage I/O) and security policy isn’t violated in the process, among other concerns. We don’t need to re-invent the wheel. Instead, we need to take existing virtual infrastructure management databases and evolve them so that they can act as the central authority for all infrastructure decisions. Microsoft’s System Center suite of products already supports some extensibility and third party integration. VMware’s Virtual Center (VC) supports third party plug-in integration, but extensibility is taboo. If the VC database was extensible, issues such as downstream storage I/O would factor into VM placement decisions today. Virtual Instruments, for example, has the technology to do it, but their hands are tied. I’m hopeful that the infrastructure authority is something that VMware and Microsoft can lead in 2010. No vendor can own the universe. How many have to try and fail to prove it doesn’t work? Server hardware vendors acting as though each enterprise infrastructure should be homogeneous is a perfect example. VMware, Microsoft, Citrix, and other members of the virtualization community need to get serious about the complexities of managing an increasingly agile infrastructure, and give their software partners the APIs and meta database extensibility they need to fuel innovation.

In the end, the IA may not comprise just a single vendor solution, but involve collaboration from multiple vendors on what may emerge as one or more de facto standards. Many technical (e.g., CPU, memory, network, and storage requirements) and non-technical (e.g., security, location, organizational policy, and SLA) requirements determine the feasibility for VM mobility and placement. In my opinion, enterprises will continue to lack confidence in true virtual infrastructure/private cloud self-service and automation until we have some type of centralized infrastructure authority. What do you think?
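As an added illustration (not code from RSA, VMware, Intel or this blog), the following Python script shows the two ideas that the “Metadata Standards” post and this post both call for: a VM carrying its own security and hardware requirements as custom OVF metadata, and a central “infrastructure authority” that checks a candidate host against those requirements before placement. The `urn:example:placement-policy` namespace, its element names, and the host inventory are all invented for the example; real OVF has no such section, and only the DMTF envelope namespace is genuine.

```python
"""Placement check against VM metadata and a host inventory.

Hypothetical example. It parses an OVF-style envelope that carries a
custom (invented) placement-policy section and reports, per host, every
requirement the host fails: hardware feature (EPT), security tier,
data residency, and free memory. An empty reason list means eligible.
"""
import xml.etree.ElementTree as ET

OVF_NS = "http://schemas.dmtf.org/ovf/envelope/1"   # real DMTF OVF namespace
PL_NS = "urn:example:placement-policy"              # hypothetical extension

# Constructed sample descriptor: an OVF envelope plus the invented
# <pl:PlacementPolicy> section a VM could carry with it to a provider.
SAMPLE_OVF = f"""<?xml version="1.0"?>
<Envelope xmlns="{OVF_NS}" xmlns:ovf="{OVF_NS}" xmlns:pl="{PL_NS}">
  <VirtualSystem ovf:id="crm-app">
    <pl:PlacementPolicy>
      <pl:RequiredCpuFeature>ept</pl:RequiredCpuFeature>
      <pl:SecurityTier>gold</pl:SecurityTier>
      <pl:DataRegion>EU</pl:DataRegion>
      <pl:MinMemoryMB>8192</pl:MinMemoryMB>
    </pl:PlacementPolicy>
  </VirtualSystem>
</Envelope>
"""

# Constructed host inventory, the kind of data an infrastructure authority
# would hold for each physical server (names and values are made up).
HOSTS = [
    {"name": "esx-eu-01", "cpu_features": {"vt-x", "ept"}, "security_tier": "gold",
     "region": "EU", "free_memory_mb": 16384},
    {"name": "esx-eu-02", "cpu_features": {"vt-x"}, "security_tier": "platinum",
     "region": "EU", "free_memory_mb": 32768},
    {"name": "esx-us-01", "cpu_features": {"vt-x", "ept"}, "security_tier": "gold",
     "region": "US", "free_memory_mb": 65536},
    {"name": "esx-eu-03", "cpu_features": {"vt-x", "ept"}, "security_tier": "silver",
     "region": "EU", "free_memory_mb": 4096},
]


def parse_policy(ovf_xml):
    """Extract the placement policy from the (hypothetical) OVF extension."""
    root = ET.fromstring(ovf_xml)
    vs = root.find(f"{{{OVF_NS}}}VirtualSystem")
    policy = None if vs is None else vs.find(f"{{{PL_NS}}}PlacementPolicy")
    if policy is None:
        raise ValueError("descriptor carries no placement policy")

    def text(tag):
        return (policy.findtext(f"{{{PL_NS}}}{tag}") or "").strip()

    features = {e.text.strip().lower()
                for e in policy.findall(f"{{{PL_NS}}}RequiredCpuFeature") if e.text}
    return {
        "vm_id": vs.get(f"{{{OVF_NS}}}id"),
        "cpu_features": features,
        "security_tier": text("SecurityTier").lower(),
        "data_region": text("DataRegion"),
        "min_memory_mb": int(text("MinMemoryMB") or 0),
    }


def check_host(policy, host):
    """Return the list of reasons a host cannot take the VM (empty = OK)."""
    reasons = []
    missing = policy["cpu_features"] - host["cpu_features"]
    if missing:
        reasons.append("missing CPU feature(s): " + ", ".join(sorted(missing)))
    # Tiers are treated as isolation zones, so the host must match exactly;
    # a "higher" tier is not accepted because that would mix zones on a host.
    if policy["security_tier"] and host["security_tier"] != policy["security_tier"]:
        reasons.append(f"security tier {host['security_tier']} != required "
                       f"{policy['security_tier']}")
    if policy["data_region"] and host["region"] != policy["data_region"]:
        reasons.append(f"host region {host['region']} violates data residency "
                       f"{policy['data_region']}")
    if host["free_memory_mb"] < policy["min_memory_mb"]:
        reasons.append(f"free memory {host['free_memory_mb']} MB < "
                       f"{policy['min_memory_mb']} MB")
    return reasons


def placement_report(ovf_xml, hosts):
    """Map each host name to its rejection reasons for the VM in ovf_xml."""
    policy = parse_policy(ovf_xml)
    return {h["name"]: check_host(policy, h) for h in hosts}


def eligible_hosts(policy, hosts):
    """Names of hosts that satisfy every requirement in the policy."""
    return [h["name"] for h in hosts if not check_host(policy, h)]


if __name__ == "__main__":
    for name, reasons in placement_report(SAMPLE_OVF, HOSTS).items():
        print(name, "OK" if not reasons else "; ".join(reasons))
```

Run as a script, the report rejects every host but `esx-eu-01`: one host lacks EPT (the performance trap described in the “Infrastructure Matters” post), one sits in the wrong region, and one is in the wrong tier and short of memory. The exact-match rule on the tier is a policy choice made here to model zone isolation; an “at least this tier” rule would be a one-line change.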


Webcast: Re-architecting Backup and Recovery for Virtual Environments

I recorded a webcast today on the subject of best practices for re-architecting backup and recovery for virtual environments. If you’re interested, you can view the webcast below, or click here to view the webcast in a separate window.
