VMworld Europe Day One Thoughts


The VMworld Europe day one keynote featured VMware CEO Paul Maritz outlining VMware’s future vision, with particular attention paid to the cloud. Maritz’s session is already available online, so I’m not going to write a point-by-point summary of his keynote. Instead, I’ll focus on a few key thought-provoking topics:

  • Standards-based vs. proprietary cloud architectures
  • Security and compliance in the cloud
  • VMware/Intel client hypervisor announcement
  • Mega merger in the works?

Standards-based vs. Proprietary Cloud Architectures

Maritz spent time on the need for public and private cloud standards that promote application migration between different cloud platforms or service providers. By migration, I’m not referring to any type of live migration. Instead, interoperability should remove lock-in to a particular cloud provider and provide enterprises with greater negotiating leverage when evaluating service providers or renewing existing contracts. VMware is painting a very nice vision here.

Security and Compliance in the Cloud

A number of cloud providers (Terremark, IT Structures, EngineYard, and Logica) took the stage to describe their technology, which is built on VMware infrastructure. In each case, the service provider described an easy-to-use management model, but not one provider talked about the issue of regulatory and security compliance. Our clients have continued to indicate that compliance remains the primary barrier for enterprise cloud adoption, so I was surprised that none of the providers addressed this concern. If providers want enterprises to seriously consider their platforms, then they will have to do a better job articulating a solution to the existing compliance and security concerns around public shared infrastructure. Reading between the lines, I think it’s implied that cloud service providers currently do not have a working solution for compliance validation on shared infrastructure. If a provider does have such a solution, I would like to hear it.

Ideally, I would like to see a DoD-like standard security model for cloud service providers. For example, assume that the following options were available:

  • Level A: Dedicated physical and virtual infrastructure, including dedicated server and networked storage assets.
  • Level B: Dedicated virtual and physical server infrastructure, shared/logically zoned storage infrastructure (clients receive dedicated LUNs, but data traverses a shared physical SAN).
  • Level C: Shared virtual and physical infrastructure, isolation provided by dedicated virtual security appliances (e.g., VM firewalls, IDS, IPS).
  • Level D: Shared virtual and physical infrastructure, no appliance-based segmentation and isolation (isolation provided via VLANs).

I like the tiered model because it can be easily consumed by an enterprise’s security auditors. Am I being overly simplistic here? Sure. But we need something. And the time to start defining a cloud security model is now. Until that happens, I expect our enterprise clients to continue rolling their eyes each time public cloud infrastructure is mentioned in a vendor keynote. My sample model is meant to be just a starting point for discussion. We need something, and a tiered model would work.

VMware/Intel Client Hypervisor Announcement

VMware announced collaboration with Intel on a client hypervisor. This announcement was almost identical to a similar announcement from Citrix and Intel last month. To be honest, I was hoping to hear from VMware that they would be doing a little more than Citrix, i.e., upping the virtual ante. Instead, my impression was that Intel is treating VMware and Citrix as equal citizens. Nothing in the VMware-Intel announcement shows any more innovation by VMware over Citrix. Still, we’re far too early down the client hypervisor road to declare a leader, since neither Citrix nor VMware is shipping a product. In fact, the only vendor shipping a client hypervisor today is Neocleus.

Mega Merger in the Works?

As time continues to pass and VMware looks at its hole in the enterprise management space, I see the question of a merger with a major enterprise management vendor as now being about when and not if. Here’s what I’m thinking: a BMC merger or acquisition with either VMware or one of its major partners (i.e., Cisco) makes sense on a number of levels. VMware needs a management and orchestration stack that addresses the physical infrastructure (and so does Cisco for that matter). If VMware wants to be a major player (and not a role player) in the future data center, it will need an enterprise management solution. If we take this one step further, what would the impact of a VMware-BMC-Cisco-EMC merger be? Alessandro Perilli has done a nice job covering Cisco acquisition rumors on virtualization.info (see here and here). Personally, I see the public mutual respect between VMware, BMC, and Cisco as more than just a needed group hug. Is the fact that Bob Beauchamp (BMC CEO) has been prominently quoted in the recent NY Times article on Cisco’s data center plans a coincidence? I doubt it. In fact, I can see a Cisco acquisition of BMC as a real possibility. Stay tuned. The drama that is good enough for a virtualization reality show is only going to intensify in coming months.

  1. #1 by Christofer Hoff - February 24th, 2009 at 19:39

    Hey Chris, great stuff.

    Two points:

    1) On the tiered security models, I’m working on something very similar based on the Cloud model on my blog which is paired with controls at each layer COMBINED with something Jeanna Matthews, Tal Garfinkel and I call “service contracts” — similar to the “security requirements” stuff that Steve referred to last year re: vCloud. Stay tuned for that…it really dovetails nicely into the points I’ve raised on internal/external, nee public/private, etc. Clouds.

    2) As to the merger stuff, I can totally see Cisco buying VMware. Makes sense. On the BMC front, don’t forget that BMC is rumored to be the management platform being used by Cisco as part of their Project California initiative…so Beauchamp’s reflection on Cisco’s DC strategy makes sense from that perspective regardless of any “merger mania.”

    Again, great stuff. Like to run the security stuff I’m working on by you at some point.

    /Hoff

  2. #2 by Chris - February 25th, 2009 at 08:24

    Thanks, Hoff. Great feedback. I would definitely like to see your cloud security work. Based on what’s already included in your blog, I am sure it will be very well received.

  3. #3 by Ophir Kra-Oz - February 26th, 2009 at 05:46

    Hi Chris,
    We didn’t talk about security because we only had three minutes :)
    I was previously managing the VPN product line in a large security company, so I’m aware of the problem.
    We are using different security mechanisms to help our customers.
    Honestly, the big challenge is not inside the infrastructure (your A-D levels) but connecting to the cloud from to the internet, but just to your cloud.
    Basically we provide on demand VPN and single sign on to help that.
    I can share more if you are interested.
    Ophir, IT Structures

  4. #4 by Chris - February 27th, 2009 at 08:18

    Thanks for commenting, Ophir. I am definitely interested in hearing more about your security mechanisms. I understand the role of the VPN in protecting data in transit, but I would also like to hear about the safeguards used by IT Structures to protect data at rest. Many of our clients today will not use any shared infrastructure out of concerns with audit failures. We have talked with PCI auditors who will automatically fail a service deployed on external shared infrastructure (and internal in some cases). In fact, I hear these types of concerns all the time. I think that the more that providers like IT Structures offer to ease security and compliance fears, the more willing the typical large enterprise will be to consider such solutions. Thanks again for the comments and perspective. Also, I didn’t mention it before, but your VMworld demonstration was outstanding.
