Archive for February, 2009

Ron Popeil and Cloud Computing In Poetic Review…

February 27th, 2009 No comments


The uptake of computing
using the cloud,
would make the king of all marketeers
— Ron Popeil — proud

He's the guy who came out
with the canned spray on hair,
the oven you set and forget
without care

He had the bass fishing rod
you could fit in your pocket,
the Veg-O-Matic appliance
with which you could chop it

Mr. Microphone, it seems, 
was ahead of its time
Karaoke meets Facebook
Oh, how divine!

The smokeless ashtray,
the Cap Snaffler, drain buster
selling you all of the crap
Infomercials could muster

His inventions solved problems
some common, some new
If you ordered them quickly
he might send you two!

Back to the Cloud
and how it's related
to the many wonders
that Sir Ron has created

The cloud fulfills promises
that IT has made:
agility, better service
at a lower pay grade

You can scale up, scale down
pay for just what you use
Elastic infrastructure
what you get's what you choose

We've got public and private,

outside and in,

on-premise, off-premise

thick platforms or thin

The offerings are flooding
the wires en masse
Everything, it now seems,
is some sort of *aaS

You've got infrastructure,
platforms, software and storage.
Integration, SOA 
with full vendor whoreage

Some folks equate
virtualization with cloud
The platform providers
shout this vision out loud

'Course the OS contingent
has something to say
that cloud and virt
is part of their play

However you see it,
and whatever its form
the Cloud's getting bigger
it's starting to storm

Raining down on us all
is computational glory
but I wonder, dear friends,
'bout the end of this story

Will the Cloud truly bring value?
Solve problems that matter?
Or is it about 
vendors' wallets a-fatter?

*I* think the Cloud
has wonderful promise
If the low-hanging IT fruit
can be lifted 'way from us

The Cloud is a function
that's forging new thought
Pushing the boundaries
and theories we've bought

It's profoundly game changing

and as long as we focus

and don't buy into the 

hyped hocus pocus

So before we end up
with a Cloud that "slices and dices"
that never gets dull,
mashes, grates, grinds and rices

It's important to state

what problem we're solving

so the Cloud doesn't end up

with its value de-evolving


BTW, if you want to see more of my Cloud and Security poems, just check here.

I’m Sorry, But Did Someone Redefine “Open” and “Interoperable” and Not Tell Me?

February 26th, 2009 3 comments

I've got a problem with the escalation of VMware's marketing abuse of the terms "open," "interoperable," and "standards."  I'm a fan of VMware, but this is getting silly.

When a vendor like VMware crafts an architecture, creates a technology platform, defines an API, gets providers to subscribe to offering it as a service and does so with the full knowledge that it REQUIRES their platform to really function, and THEN calls it "open" and "interoperable," because an API exists, it is intellectually dishonest and about as transparent as saran wrap to call that a "standard" to imply it is available regardless of platform.

We are talking about philosophically and diametrically-opposed strategies between virtualization platform players here, not minor deltas along the bumpy roadmap highway.  What's at stake is fundamentally the success or failure of these companies.  Trying to convince the world that VMware, Microsoft, Citrix, etc. are going to huddle for a group hug is, well, insulting.

This recent article in the Register espousing VMware's strategy really highlighted some of these issues as it progressed. Here's the first bit which I agree with:

There is, they fervently say, no other enterprise server and data centre virtualisation play in town. Businesses wanting to virtualise their servers inside a virtualising data centre infrastructure have to dance according to VMware's tune. Microsoft's Hyper-V music isn't ready, they say, and open source virtualisation is lagging and doesn't have enterprise credibility.

Short of the hyperbole, I'd agree with most of that.  We can easily start a religious debate here, but let's not for now.  It gets smelly where the article starts talking about vCloud which, given VMware's protectionist stance based on fair harbor tactics, amounts to nothing more (still) than a vision.  None of the providers will talk about it because they are under NDA.  We don't really know what vCloud means yet: 

Singing the vcloud API standard song is very astute. It reassures all people already on board and climbing on board the VMware bandwagon that VMware is open and not looking to lock them in. Even if Microsoft doesn't join in this standardisation effort with a whole heart, it doesn't matter so long as VMware gets enough critical mass.

How do you describe having to use VMware's platform and API as VMware "…not looking to lock them in?" Of course they are!  

To fully leverage the power of the InterCloud in this model, it really amounts to either an ALL VMware solution or settling for basic connectors for coarse-grained networked capability.

Unless you have feature-parity or true standardization at the hypervisor and management layers, it's really about interconnectivity not interoperability.  Let's be honest about this.

By having external cloud suppliers and internal cloud users believe that cloud federation through VMware's vCloud infrastructure is realistic then the two types of cloud user will bolster and reassure each other. They want it to happen and, if it does, then Hyper-V is locked out unless it plays by the VMware-driven and VMware partner-supported cloud standardisation rules, in which case MIcrosoft's cloud customers are open to competitive attack. It's unlikely to happen.

"Federation" in this context really only applies to lessening/evaporating the difference between public and private clouds, not clouds running on different platforms.  That's, um, "lock-in."

Standards are great, especially when they're yours. Now we're starting to play games.  VMware should basically just kick their competitors in the nuts and say this to us all:

"If you standardize on VMware, you get to leverage the knowledge, skills, and investment you've already made — regardless of whether you're talking public vs. private.  We will make our platforms, API's and capabilities as available as possible.  If the other vendors want to play, great.  If not, your choice as a customer will determine if that was a good decision for them or not."

Instead of dancing around trying to muscle Microsoft into playing nice (which they won't) or insulting our intelligence by handwaving that you're really interested in free love versus world domination, why don't you just call a spade a virtualized spade.

And by the way, if it weren't for Microsoft, we wouldn't have this virtualization landscape to begin with…not because of the technology contributions to virtualization, but rather because the inefficiencies of single app/OS/hardware affinity using Microsoft OS's DROVE the entire virtualization market in the first place!

Microsoft is no joke.  They will maneuver to outpace VMware. HyperV and Azure will be a significant threat to VMware in the long term, and this old Microsoft joke will come back to haunt to VMware's abuse of the words above:

Q: How many Microsoft engineers does it take to change a lightbulb?  
A: None, they just declare darkness a standard.

is it getting dimmer in here?


Amazon’s Kindle: Some Interesting Security Thoughts

February 26th, 2009 13 comments

My Kindle2 showed up yesterday. I un-boxed it, turned it on and within 3 minutes had downloaded my first book and was reading away (Thomas Barnett's "Great Powers," if you must know.)

So this morning after I checked my email on my other indispensable tool/toy, my iPhone, I realized something was missing from the Kindle: a password.

So you might think "Hoff, why would you need a password for a device that lets you read books?'

Well, while it's true that the majority of users will simply read "off-the-shelf" books/blogs/magazines they download from's storefront on their Kindles, there are a couple of other interesting scenarios that ran through my mind:
  1. To purchase a book using the Kindle, the device is linked to Amazon's One-Click purchase capability.  This means that once I choose to purchase a book, I simply click "Buy" and it's delivered to the device, automagically charging my credit card.  If I lost my device, someone who found it could literally download hundreds of books to the Kindle on my nickel until I am able to do something about it.  This would be short-lived, but really annoying.
  2. It is possible using an Amazon web service to convert documents into the Kindle Format and download them over WhisperNet to your device.  Given how convenient this is for reading, imagine what would happen if some crafty person decided to convert and download a sensitive document to the Kindle and then lose the device.  Imagine if that document contained PII or other confidential/sensitive information?  I wager we'll see a breach notification being issued based on someone losing a Kindle.
Yes, I know it's a piece of "consumer" equipment, but look a little further down the line: college students using it for textbooks and all sorts of other communications, business people using it for reading corporate materials, etc…

I am interested in exploring the following elements in the long term:
  1. An option for password-protected access to the device itself.
  2. A content-rating based password-controlled parental rating system for certain materials. My kids already grabbed my Kindle and (see #1 above) downloaded 3 kids books to it.  I may not want them to read certain content.
  3. Remote self-destruct 
  4. Encryption of content (at rest, in motion)
  5. Security of Whispernet itself
  6. WiFi (and it's attendant issues)
I'm sure as I dwell on this, there will be other issues that crop up, but the security wonk in me was in full gear this morning.

You have any other security shortcomings or concerns you've thought of re: the Kindle? 

Categories: Uncategorized Tags:

Interesting Read: The World Privacy Forum’s Cloud Privacy Report

February 25th, 2009 No comments

The World Privacy Forum released their "Cloud Privacy Report" written by Robert Gellman two days ago. It's an interesting read that describes the many facets of data privacy concerns in Cloud environments: 

This report discusses the issue of cloud computing and outlines its implications for the privacy of 
personal information as well as its implications for the confidentiality of business and 
governmental information. The report finds that for some information and for some business 
users, sharing may be illegal, may be limited in some ways, or may affect the status or 
protections of the information shared. The report discusses how even when no laws or 
obligations block the ability of a user to disclose information to a cloud provider, disclosure may 
still not be free of consequences. The report finds that information stored by a business or an 
individual with a third party may have fewer or weaker privacy or other protections than 
information in the possession of the creator of the information. The report, in its analysis and 
discussion of relevant laws, finds that both government agencies and private litigants may be 
able to obtain information from a third party more easily than from the creator of the 
information. A cloud provider’s terms of service, privacy policy, and location may significantly 
affect a user’s privacy and confidentiality interests.

I plan to spend some time reading through the report in more depth, but I enjoyed my cursory review thus far, especially some of the coverage related to issues such as FCRA, bankruptcy, Cloud provider ownership, disclosure, etc.  Many of these issues are near and dear to my heart.

You can download the report here.

Categories: Cloud Computing, Cloud Security, Privacy Tags:

Internal v. External/Private v. Public/On-Premise v. Off- Premise: It’s all Cloud But How You Get There Is Important.

February 24th, 2009 No comments

I've written about the really confusing notional definitions that seem to be hung up on where the computing actually happens when you say "Cloud:" in your datacenter or someone else's.  It's frustrating to see how people mush together "public, private, internal, external, on-premise, off-premise" to all mean the same thing.

They don't, or at least they shouldn't, at least not within the true context of Cloud Computing.

In the long run, despite all the attempts to clarify what we mean by defining "Cloud Computing" more specifically as it relates to compute location, we're going to continue to call it "Cloud."  It's a sad admission I'm trying to come to grips with.  So I'll jump on this bandwagon and take another approach.

Cloud Computing will simply become ubiquitous in it's many forms and we are all going to end up with a hybrid model of Cloud adoption — a veritable mash-up of Cloud services spanning the entire gamut of offerings.  We already have today.

Here are a few, none-exhaustive examples of what a reasonably-sized enterprise can expect from the move to a hybrid Cloud environment:
  1. If you're using one or more SaaS vendors who own the entire stack, you'll be using their publicly-exposed Cloud offerings.  They manage the whole kit-and-kaboodle, information and all. 
  2. SaaS and PaaS vendors will provide ways of integrating their offerings (some do today) with your "private" enterprise data stores and directory services for better integration and business intelligence.
  3. We'll see the simple evolution of hosting/colocation providers add dynamic scalability and utility billing and really push the Cloud mantra.  
  4. IaaS vendors will provide (ala GoGrid) ways of consolidating and reducing infrastructure footprints in your enterprise datacenters by way of securely interconnecting your private enterprise infrastructure with managed infrastructure in their datacenters. This model simply calls for the offloading of the heavy tin. Management options abound: you manage it, they manage it, you both do…
  5. Other IaaS players will continue to offer a compelling suite of soup-to-nuts services (ala Amazon) that depending upon your needs and requirements, means you have very little (or no) infrastructure to speak of.  You may or may not be constrained by what you can or need to do as you trade of flexibility for conformity here.
  6. Virtualization platform providers will no longer make a distinction in terms of roadmap and product positioning between internal/external or public/private. What is enterprise virtualization today simply becomes "Cloud."  The same services, split along virtualization platform party lines, will become available regardless of location. 
  7. This means that vendors who today offer proprietary images and infrastructure will start to drive or be driven to integrate more open standards across their offerings in order to allow for portability, interoperability and inter-Cloud scalability…and to make sure you remain a customer.
  8. Even though the Cloud is supposed to abstract infrastructure from your concern as a customer, brand-associated moving parts will count; customers will look for pure-play vetted integration between the big players (networking, virtualization, storage) in order to fluidly move information and applications into and out of Cloud offerings seamlessly 
  9. The notion of storage is going to be turned on its head; the commodity of bit buckets isn't what storage means in the Cloud.  All the chewy goodness will start to bubble to the surface as value-adds come to light: DeDup, backup, metadata, search, convergence with networking, security…
  10. More client side computing will move to the cloud (remember, it doesn't matter whether it's internal or external) with thin client connectivity while powerful smaller-footprint mobile platforms (smartphones/netbooks) with native virtualization layers will also accelerate in uptake

Ultimately, what powers your Cloud providers WILL matter.  What companies adopt internally as their virtualization, networking, application delivery, security and storage platforms internally as they move to consolidate and then automate will be a likely choice when evaluating top-rung weighting when they identify what powers many of their Cloud providers' infrastructure.

If a customer can take all the technology expertise, the organizational and operational practices they have honed as they virtualize their internal infrastructure (virtualization platform, compute, storage, networking, security) and basically be able to seamlessly apply that as a next step as the move to the Cloud(s), it's a win.

The two biggest elements of a successful cloud: integration and management. Just like always.

I can't wait.


*Yes, we're concerned that if "stuff" is outside of our direct control, we'll not be able to "secure" it, but that isn't exactly a new concept, nor is it specific to Cloud — it's just the latest horse we're beating because we haven't made much gains in being able to secure the things that matter most in the ways most effective for doing that.

Virtualization & Security: Disruptive Technologies – A Four Part Video Miniseries…

February 24th, 2009 No comments
About nine months ago, Dino Dai Zovi, Rich Mogull and I sat down for about an hour as Dennis Fisher from TechTarget interviewed us in a panel style regarding the topic of virtualization and security.  It has just been released now.

Considering it was almost a lifetime ago in Internet time, almost all of the content is still fresh and the prognostication is pretty well dead on.


Part 1: The Greatest Threats to Virtualized Environments

Part 2: The Security Benefits of Virtualization

Part 3: The Organizational Challenges of Virtualization

Part 4: Virtualization and Security Vendors


P.S. The camera adds like 40 pounds, really 😉
Categories: Virtualization Tags:

Hire the Hoff – I’m On the Market, Whatcha Need? ;)

February 23rd, 2009 5 comments

The last two years have been a blast but all things must come to an end.

At the conclusion of March, I am moving on to newer pastures.  Where that is may be up to you.

I am exploring all options with a focus on traditional security roles including CISO/CSO, but I'd prefer architect/evangelist/CTO roles that focus more on virtualization and Cloud Computing security.

If you've got an opportunity that you think we'd both be a match for, feel free to reach out.  

A dose of reality: If you're not serious about envelope pushing, thought/industry leadership, world domination and unabashed enthusiasm sprinkled with rational pragmatism, I'm not your guy…

My LinkedIn profile is here.  My email is here


Categories: Career Tags:

Trust But Verify? That’s An Oxymoron…

February 23rd, 2009 4 comments

In response to my post regarding Cloud (SaaS, really) providers' security, Allen Baranov asked me the following excellent question in the comments:


What would make you trust "the Cloud"? Scrap that… stupid question…

What would make you trust SaaS providers?

To which I responded:

Generally, my CEO or CFO. 🙁  

I don't "trust" third party vendors with my data. I never will. I simply exercise the maximal amount of due diligence that I am afforded given prevailing time, money, resources and transparency and assess risk from there.

Even if the data is not critical/sensitive, I don't "trust" that it's not going to be mishandled. Not in today's world.  (Ed: How I deal with that mishandling is the secret sauce…)

I then got thinking about the line that Ronald Reagan is often credited with wherein he described managing relations with the former Soviet Union:

Trust but verify.

Security professionals use that phrase a lot. They shouldn't. It's oxymoronic.

The very definition of "trust" is:

trust |trəst|
firm belief in the reliability, truth, ability, or strength of someone or something relations have to be built on trust they have been able to win the trust of the others.
• acceptance of the truth of a statement without evidence or investigation I used only primary sources, taking nothing on trust.
• the state of being responsible for someone or something a man in a position of trust.
• poetic/literary a person or duty for which one has responsibility rulership is a trust from God.
• poetic/literary a hope or expectation all the great trusts of womanhood.

See the second bullet above "….without evidence or investigation"?  I don't "trust" people over whic
h I have no effective control. With third parties handling your data, you have no effective "control." You have the capability to audit, assess and recover, but control?  Nope.

Does that mean I think you should not put your information into the hands of a third party?  Of course not.  It's inevitable.  You already have. However, admitting defeat and working from there may make Jack a dull boy, but he's also not unprepared for when the bad stuff happens.  And it will.

I stand by my answer to Allen.



What People REALLY Mean When They Say “THE Cloud” Is More Secure…

February 20th, 2009 6 comments

Over the last two days, I've seen a plethora (yes, Jefe, a plethora) of trade rag and blog articles espousing that The Cloud is more secure than an enterprise's datacenter and that Cloud security concerns are overblown.  I'd pick these things apart, but honestly, I've got work to do.


Here's the problem with these generalizations, even when some of the issues these people describe are actually reasonably good points:

Almost all of these references to "better security through Cloudistry" are drawn against examples of Software as a Service (SaaS) offerings.  SaaS is not THE Cloud to the exclusion of everything else.  Keep defining SaaS as THE Cloud and you're being intellectually dishonest (and ignorant.)

But since people continue to attest to SaaS==Cloud, let me point out something relevant.

There are two classes of SaaS vendors: those that own the entire stack including the platform and underlying infrastructure and those those that don't.  

Those that have control/ownership over the entire stack naturally have the opportunity for much tighter control over the "security" of their offerings.  Why?  because they run their business and the datacenters and applications housed in them with the same level of diligence that an enterprise would.

They have context.  They have visibility.  They have control.  They have ownership of the entire stack.  

The HUGE difference is that in many cases, they only have to deal with supporting a limited number of applications.  This reflects positively on those who say "Cloud SaaS providers are "more secure," mostly because they have less to secure.

Meanwhile those SaaS providers that simply run their appstack atop someone else's platform and infrastructure are, in turn, at the mercy of their providers.  The information and applications are abstracted from the underlying platforms and infrastructure to the point that there is no unified telemetry or context between the two.  Further, add in the multi-tenancy issue and we're now talking about trust boundaries that get very fuzzy and hard to define: who is responsible for securing what.

Just. Like. An. Enterprise. 🙁

Check out the Cloud model below which shows the demarcation between the various layers of the SPI model of which SaaS is but ONE:

The further up the offering stack you go, the more control you have over your information and the security thereof. Oh, and just one other thing.  The notion that Cloud offerings diminish attack surfaces is in many cases a good thing for sophisticated attackers as much as it may act as a deterrent.  Why?  Because now they have a more clearly defined set of attack surfaces — usually at the application layer — that makes their job easier.

Next time one of these word monkeys makes a case for how much more secure The Cloud is and references a SaaS vendor like (a single application) in comparison to an enterprise running (and securing) hundreds of applications, remind them about this and this, both Cloud providers. I wrote about this last year in an article humorously titled "Cloud Providers Are Better At Securing Your Data Than You Are."

Like I said on Twitter this morning "I *love* the Cloud. I just don't trust it.  Sort of like why I don't give my wife the keys to my motorcycles."

We done now?


Categories: Cloud Computing, Cloud Security Tags:

Coghead Closes and It’s the Death Knell For Cloud Computing!? Holy Hyperbole, Batman!

February 19th, 2009 7 comments

This InformationWeek article took artistic license to lofty new levels in a single sentence as it described the demise of Cloud Computing PaaS vendor Coghead and the subsequent IP/Engineering purchase by SAP:

Bad news for cloud computing: Coghead — a venture-backed, online application development platform – is closing, leaving customers with a problem to solve.

It's indeed potentially bad news for Coghead's customers who as early adopters took a risk by choosing to invest in a platform startup in an emerging technology sector.  It's hardly indicative of an established trend that somehow predicts "bad news for Cloud Computing" as a whole.

It's a friendly reminder that "whens you rolls da dice, you takes your chances." Prudent and pragmatic risk assessment and relevant business decisions still have to be made when you decide to place your bets on a startup.  Just because you move to the Cloud doesn't mean you stop employing pragmatic common sense. I hope these customers have a Plan B.

This is the problem again with lumping all of the *aaS'es into a bucket called Cloud; are we to assume Amazon's AWS (IaaS) and (SaaS) are going to shutter next week?  No, of course not. Will there be others who close their doors and firesale?  Most assuredly yes, just like there are in most tech markets.

Here's what Coghead's CEO (in the same article, mind you) explained as the reason for the closure:

Though McNamara said business was continuing to grow rapidly, the recession ultimately did Coghead in, and Coghead began looking for buyers a few months ago. "Faced with the most difficult economy in memory and a challenging fundraising climate, we determined that the SAP deal was the best way forward for the company," McNamara wrote in a letter to customers that went out late Thursday

That's correct kids, even the almighty Cloud, the second coming of computing, is not immune to the pressures of running a business in a tough economy, especially the platform business…

First it was hype around the birth of Cloud and now it's raining epitaphs.  I call dibs on Amazon's SAN arrays!

Categories: Cloud Computing Tags: