Whose Cloud is it, Anyway?

VMware recently appeared to confirm they are working with public cloud providers to build vCloud-based offerings under the name vCloud Hybrid Cloud Service. This is an interesting approach, though they haven’t yet provided all of the details. As Gartner's Chris Wolf pointed out, going from being an “enabler” to having offerings that compete with Amazon should not be a surprise. He further observes they are a bit late to the game. How might they overcome this challenge?

The most significant advantage VMware has is very high market share of management tools organizations use for their private cloud deployments. This is important because it helps deliver the public cloud promise of “cloud bursting”, which is the ability to temporarily move or expand a workload that normally runs on a private cloud out to a public cloud to take advantage of extra computing power. It’s an easy thing to say, but when we start looking at the variety of hypervisors and management tools being used, things get murky. Theoretically, being a provider that uses the same management tools and hypervisor as most private clouds is an advantage.

Consider endpoint security; in the case of VMware, endpoint anti-malware of the file system can be provided using vShield Endpoint. The advantage is that the performance bottlenecks associated with full system scans, updates, and upgrades of the security software are mitigated by moving the bulk of the anti-malware functionality to a virtual appliance. However, vShield Endpoint is tied to the underlying hypervisor. There is one virtual appliance per host, and they don’t travel well (really, not at all), nor can VMs use a virtual appliance on a different host.

Could a public cloud provider include vShield Endpoint functionality as a value-add, then? Yes, but not really. Today, a protected VM can be moved from one host to another in a private cloud, and ideally, public cloud is an extension of private. The practicality of it starts to get complicated if the public host isn’t dedicated to the organization using it. There’s no guarantee of which host an instance is running on.

The current implementation of vShield Endpoint is designed for private datacenters. The direct link to hypervisor APIs throws a wrench into a system that should seamlessly deliver public cloud computing. This is why security vendors that are serious about operating in both public and private clouds have developed hypervisor-agnostic endpoint security. Endpoint, network, storage, and other areas of security do not work in public clouds if they are dependent on the underlying infrastructure via hypervisor APIs. These APIs were developed with private cloud in mind, and so they are not multi-tenant friendly. This is a show-stopper for providing infrastructure as a service; abstraction from the infrastructure is the whole point.

Let’s back up a few steps, though. Is cloud bursting actually important? I’d argue while it’s a cool idea, it’s really not important today. Take a generic use case – let’s say a company needs to double their email throughput capacity for three months a year (an income tax service company, for example). Do they really need to move the edge MTA (mail transfer agent) to public cloud for three months? No, they don’t. They need to clone the MTA and add an entry to their MX records to have email flow to both their private and public MTAs. The same could be said for web servers, or anything else that can be dropped behind a load balancing/distributing mechanism. Things do get complicated as we move toward the data where things are transactional (how do I ‘clone’ a database to public cloud for three months, and then bring it back, with no downtime, lost transactions, or other wrinkles?).
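The MX-record approach above depends on one detail the column does not spell out: the cloned public MTA only receives a share of inbound mail if it is published at the same MX preference as the private one; a higher preference value makes it a failover target that sees traffic only when the private MTA is unreachable. The following added example (not code from the column or from any vendor mentioned in it) parses constructed zone-file MX lines for the reserved example.com domain, applies the RFC 5321 ordering that sending MTAs use (ascending preference, random order within equal preference), and includes a small pre-burst check that a defender would run before the busy season starts. The host names and the three records are constructed for illustration.

```python
"""Splitting inbound mail across a private and a public MTA with MX records.

Added example, not from the original column. Zone lines and host names
are constructed (example.com is reserved for documentation).
"""
import random
from collections import Counter

# Constructed records: the on-premises MTA and its public-cloud clone at
# the SAME preference (10), plus a lower-priority backup at 20.
ZONE = """\
example.com.  3600 IN MX 10 mta-private.example.com.
example.com.  3600 IN MX 10 mta-public.example.com.
example.com.  3600 IN MX 20 mta-backup.example.com.
"""


def parse_mx(zone_text):
    """Return (preference, host) tuples from zone-file style MX lines."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[3].upper() != "MX":
            continue  # skip blank lines and non-MX records
        records.append((int(fields[4]), fields[5].rstrip(".").lower()))
    return records


def delivery_order(records, rng=random):
    """RFC 5321 section 5.1 ordering: ascending preference value; hosts that
    share a preference are tried in random order. That randomisation is
    what spreads load between the private and the public MTA."""
    by_pref = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    ordered = []
    for pref in sorted(by_pref):
        group = list(by_pref[pref])
        rng.shuffle(group)
        ordered.extend(group)
    return ordered


def first_hop_share(records, attempts=10000, seed=1):
    """Fraction of delivery attempts whose first target is each host.
    Uses a seeded generator so the simulation is reproducible."""
    rng = random.Random(seed)
    counts = Counter(delivery_order(records, rng)[0] for _ in range(attempts))
    return {host: counts[host] / attempts for host in sorted(counts)}


def burst_check(records, private_host, public_host):
    """Pre-burst sanity checks: both MTAs must be published, be distinct
    hosts, and share a preference, otherwise the clone is failover-only."""
    prefs = {}
    for pref, host in records:
        prefs.setdefault(host, pref)
    problems = []
    for host in (private_host, public_host):
        if host not in prefs:
            problems.append(f"{host} has no MX record")
    if private_host == public_host:
        problems.append("private and public MTA must be distinct hosts")
    if not problems and prefs[private_host] != prefs[public_host]:
        problems.append("preferences differ: the higher value only receives "
                        "mail on failover, not a share of the load")
    return problems


if __name__ == "__main__":
    recs = parse_mx(ZONE)
    print(delivery_order(recs))
    print(first_hop_share(recs))
    print(burst_check(recs, "mta-private.example.com", "mta-public.example.com"))
```

The backup host at preference 20 never appears as a first target in the simulation, which is the behaviour to expect from a clone that was published at the wrong preference. The DNS change is also the easy half of the job: the clone is an Internet-facing MTA in someone else's datacenter, so it needs the same TLS certificates, relay restrictions and anti-spam/anti-malware policy as the private one, and should be removed from the zone (and decommissioned) when the burst window closes.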

If we stick to the generic use case, we can accomplish the extension or duplication of workloads today, with minimal effort. Amazon provides tools to convert a Windows system running in a private datacenter to an Amazon instance (the public cloud version of P2V). In the case of an MTA, it’s not difficult today, and certainly doesn’t require synchronization of management tools and hypervisors between the public and private cloud. If we start to consider more complicated cases, like databases, it does get messy if the journey from private to public isn’t seamless, so perhaps VMware is on to something.

The drive toward seamless private/public cloud hybrid assumes organizations are demanding, and will embrace, a full-featured hybrid cloud. Smaller businesses and start-ups are more likely to use cloud wholesale, since their primary concern is speed and agility. The point for them is to not have a private datacenter at all; no databases, no email servers, not even a single dusty server hiding in the backroom next to the extra Ping-Pong balls.

For large enterprises, it would be interesting to understand how they are using, or starting to use, public cloud today. My sense is that it's project-driven. A new application, or new version of an application, is either public or private. It doesn’t make sense to build, test, and maintain two versions. In the case of either the public-cloud-centric SMB datacenter, or the mixed enterprise datacenter, there may very well not be much demand for dynamic flow between public and private.

To consider embracing fully-functional hybrid cloud, enterprises will want to bake the cake and eat it too: homogeneous functionality to facilitate portability between multiple public clouds and private clouds. The keen observer will note that this is contradictory to what public cloud providers, and indeed VMware, want. Seamless portability makes it a little too easy for an enterprise to pack up their toys and move to another sandbox. To boil it down to the most basic truth, enterprises don’t want vendor lock-in, no matter where in the computing or management stack that vendor operates.

If we go directly to the source, VMware states they want to allow customers to, “reap the benefits of the public cloud without changing their existing applications while using a common management, orchestration, networking and security model.” Also note in the same press release, VMware NSX will, “represent full potential of network virtualization by working across VMware and non-VMware hypervisors and cloud management systems”.

Does VMware, then, also want to bake the cake and eat it too? It does appear seamless functionality delivered across different hypervisors and datacenters is a theme. Obviously, and ultimately, the goal for VMware is to have enterprises rely on VMware across public and private clouds. Further, VMware appears to be relying on providers to do the actual building of these clouds, thereby looking forward to being rewarded for gluing together public and private clouds without actually risking capital on building either. This sounds like an enabler that is moving up the management stack, not an enabler looking to dive into the trenches of the hosting game. Before we read too many tea leaves, we must remember the detail about who is hosting these public clouds has not yet been explicitly stated, but it is clear VMware will have to be careful about becoming a competitor to their own public cloud partners.

It is fair to conclude VMware and Amazon continue to circle one another in the same arena without directly engaging. Amazon has expressed no interest in converting their public cloud management tools into privately consumable offerings; that is the domain of VMware. VMware is expressing their intention to expand management tools to run public clouds in concert with private clouds. However, rather than announcing that they are building a VMware-owned public offering, it appears they will proxy this initiative through current VMware-based public cloud providers, thereby avoiding engaging Amazon directly. VMware intends to license gloves for others to box with, which is wise when the battle is about hosting acumen, the opponent is Amazon, and you’re a software vendor that is patient enough to let others with quicker hands step into the ring.

How this will all play out over the next while may actually not be up to either Amazon or VMware. Other providers have entered the market, found niches, provide specific value, or gift-wrap open-source offerings, generally not caring about what commodities a customer chooses to run underneath. Examples include Firehost, which has squared a cloud circle by providing secure public cloud, where the security is largely based on compliance regimes such as PCI. Another example is HP’s cloud offering – notice the bit about being, “Built on an open architecture” in the ‘bursting’ description.

For now, Amazon is clearly winning public cloud, and VMware owns the private cloud market. However the status quo shifts, all I can assure you is that it will be in ways we do not anticipate.

Shaun Donaldson is Director of Alliances at Bitdefender Enterprise. Shaun is responsible for supporting relationships with technology alliance partners and large enterprise customers. Before joining Bitdefender, Mr. Donaldson was involved in various technology alliances, enterprise sales and marketing positions within the IT security industry, including Trend Micro, Entrust, Bell Security Solutions and Third Brigade.